From 56439abde7a3464783dc75888780e5bfc746f786 Mon Sep 17 00:00:00 2001
From: Alex Burdusel
Date: Fri, 6 Mar 2026 14:35:26 +0200
Subject: [PATCH] Add configurable gatekeeper secret key secret.

If no secret key value is given, the secret is randomly generated.
---
 .../helm/templates/auto-gatekeepers.yaml | 5 +++--
 deployment-configuration/value-template.yaml | 3 ++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/deployment-configuration/helm/templates/auto-gatekeepers.yaml b/deployment-configuration/helm/templates/auto-gatekeepers.yaml
index 2e1e6197..8a195f7e 100644
--- a/deployment-configuration/helm/templates/auto-gatekeepers.yaml
+++ b/deployment-configuration/helm/templates/auto-gatekeepers.yaml
@@ -27,6 +27,8 @@ data:
 forbidden-page: /templates/access-denied.html.tmpl
 enable-default-deny: {{ $noWildcards }}
 listen: 0.0.0.0:8080
+ enable-encrypted-token: false
+ encryption-key: {{ .app.harness.secrets.gatekeeper | default (randAlphaNum 20) | quote }}
 enable-refresh-tokens: true
 server-write-timeout: {{ .app.harness.proxy.timeout.send | default .root.Values.proxy.timeout.send | default 180 }}s
 upstream-timeout: {{ .app.harness.proxy.timeout.read | default .root.Values.proxy.timeout.read | default 180 }}s
@@ -38,7 +40,6 @@ data:
 tls-cert:
 tls-private-key:
 redirection-url: {{ ternary "https" "http" $tls }}://{{ .subdomain }}.{{ .root.Values.domain }}
- encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
 upstream-url: http://{{ .app.harness.service.name }}.{{ .app.namespace | default .root.Release.Namespace }}:{{ .app.harness.service.port | default 80}}
 {{ if .app.harness.secured }}
 {{ with .app.harness.uri_role_mapping }}
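Review bot: The `randAlphaNum 20` fallback on the added `encryption-key` line is evaluated afresh on every template render, so each `helm upgrade` that runs without `.app.harness.secrets.gatekeeper` set rotates the key and presumably invalidates every session and refresh token that was encrypted under the previous one (`enable-refresh-tokens: true` is two lines below); this hunk and the deletion in the `@@ -38,7 +40,6 @@` hunk that follows are the same change. gogatekeeper is also known to reject an encryption key that is not 16 or 32 characters long (AES-128/AES-256 selection), which the 32-character key removed below satisfied and a 20-character default does not — please confirm against the 4.6.0 release; `default (randAlphaNum 32)` would keep the rendered config loadable if that check is still in place. If this manifest is a ConfigMap rather than a Secret (the hunk header shows `data:` but not the kind), the key is readable by anyone with ConfigMap read access in the namespace, which the commit title's "secret" suggests is not intended. A template comment above the line, `{{/* encryption-key must be 16 or 32 chars; the random fallback changes on every render — set secrets.gatekeeper for stable sessions */}}`, would record both constraints for the next maintainer.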
@@ -135,7 +136,7 @@ spec:
 {{ include "deploy_utils.etcHosts" .root | indent 6 }}
 containers:
 - name: {{ .app.harness.service.name | quote }}
- image: {{ .app.harness.proxy.gatekeeper.image | default .root.Values.proxy.gatekeeper.image | default "quay.io/gogatekeeper/gatekeeper:2.14.3" }}
+ image: {{ .app.harness.proxy.gatekeeper.image | default .root.Values.proxy.gatekeeper.image | default "quay.io/gogatekeeper/gatekeeper:4.6.0" }}
 imagePullPolicy: IfNotPresent
 {{ if .root.Values.local }}
 securityContext:
diff --git a/deployment-configuration/value-template.yaml b/deployment-configuration/value-template.yaml
index f02e03e5..03e2f5cb 100644
--- a/deployment-configuration/value-template.yaml
+++ b/deployment-configuration/value-template.yaml
@@ -55,7 +55,8 @@ harness:
 # -- Service port.
 port: 80
 # -- Auto generated secrets key-value pairs. If no value is provided, a random hash is generated
- secrets: {}
+ secrets:
+ gatekeeper:
 # -- Specify which services this application uses in the frontend to create proxy ingresses. e.g. - name: mnp-checkout
 use_services: []
 # -- enabled sentry for automated error report
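Review bot: The new `gatekeeper:` entry under `secrets:` in the `@@ -55,7 +55,8 @@` hunk is a bare key, which YAML reads as null; the template's `| default` tolerates that, but the value-template gives an operator no hint what the value is used for, what shape it must have, or what happens when it changes. A comment directly above it in the file's existing `# --` style would close that gap, e.g. `# -- Encryption key for gatekeeper session and refresh-token cookies; leave empty to auto-generate. Changing it invalidates existing sessions.` Whether a fixed key length is required depends on the gatekeeper release in use (the image is moved to 4.6.0 in the hunk above) — confirm and record it in the same comment if so. Writing the empty value explicitly as `gatekeeper: null` (or `""`) keeps the `default` behaviour while avoiding yamllint's empty-values warning.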