5 changes: 3 additions & 2 deletions deployment-configuration/helm/templates/auto-gatekeepers.yaml
Expand Up @@ -27,6 +27,8 @@ data:
forbidden-page: /templates/access-denied.html.tmpl
enable-default-deny: {{ $noWildcards }}
listen: 0.0.0.0:8080
enable-encrypted-token: false
encryption-key: {{ .app.harness.secrets.gatekeeper | default (randAlphaNum 20) | quote }}
Copilot AI Mar 6, 2026

encryption-key is rendered into a ConfigMap (proxy.yml), which means the key is stored in plaintext and readable to anyone with ConfigMap access. If this key is meant to be secret (as implied by “encryption key”), it should come from a Kubernetes Secret (e.g., via env var secretKeyRef or mounting a Secret file) rather than being embedded in a ConfigMap.

Suggested change
encryption-key: {{ .app.harness.secrets.gatekeeper | default (randAlphaNum 20) | quote }}
encryption-key: ${GATEKEEPER_ENCRYPTION_KEY}

Copilot AI Mar 6, 2026

Defaulting encryption-key with randAlphaNum 20 makes the rendered manifest non-deterministic across helm upgrade / re-renders. If encrypted tokens are enabled in any environment, this will rotate the key unexpectedly and can invalidate tokens (and may lead to inconsistent behavior across replicas). Prefer a stable source (e.g., require an explicit value, or derive it from an existing Secret via lookup).

Suggested change
encryption-key: {{ .app.harness.secrets.gatekeeper | default (randAlphaNum 20) | quote }}
encryption-key: {{ required "app.harness.secrets.gatekeeper (encryption-key) must be set" .app.harness.secrets.gatekeeper | quote }}

enable-refresh-tokens: true
server-write-timeout: {{ .app.harness.proxy.timeout.send | default .root.Values.proxy.timeout.send | default 180 }}s
upstream-timeout: {{ .app.harness.proxy.timeout.read | default .root.Values.proxy.timeout.read | default 180 }}s
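Review bot: the `default (randAlphaNum 20)` on the new `encryption-key` line yields a 20-character key, whereas the hard-coded key removed further down in this file is 32 characters; AES accepts only 16-, 24- or 32-byte keys, so a 20-byte default cannot serve as an AES token-encryption key once `enable-encrypted-token` is switched on. If a generated default is kept at all, use `randAlphaNum 32` (or 16), and either enable encrypted tokens in this same change or add a comment explaining why the key is provisioned while `enable-encrypted-token: false`.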
Expand All @@ -38,7 +40,6 @@ data:
tls-cert:
tls-private-key:
redirection-url: {{ ternary "https" "http" $tls }}://{{ .subdomain }}.{{ .root.Values.domain }}
encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
upstream-url: http://{{ .app.harness.service.name }}.{{ .app.namespace | default .root.Release.Namespace }}:{{ .app.harness.service.port | default 80}}
{{ if .app.harness.secured }}
{{ with .app.harness.uri_role_mapping }}
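Review bot: removing the hard-coded `encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j` is the right call, but the value has been in version control and in every rendered ConfigMap, so deleting the line does not revoke it. The PR description should state that any environment which ran with encrypted tokens enabled must treat this key as compromised and rotate it, and that tokens encrypted under it stop validating after the upgrade.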
Expand Down Expand Up @@ -135,7 +136,7 @@ spec:
{{ include "deploy_utils.etcHosts" .root | indent 6 }}
containers:
- name: {{ .app.harness.service.name | quote }}
image: {{ .app.harness.proxy.gatekeeper.image | default .root.Values.proxy.gatekeeper.image | default "quay.io/gogatekeeper/gatekeeper:2.14.3" }}
image: {{ .app.harness.proxy.gatekeeper.image | default .root.Values.proxy.gatekeeper.image | default "quay.io/gogatekeeper/gatekeeper:4.6.0" }}
imagePullPolicy: IfNotPresent
{{ if .root.Values.local }}
securityContext:
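Review bot: the default image moves from `gatekeeper:2.14.3` to `gatekeeper:4.6.0`, two major versions, while the rendered proxy config in the first hunk keeps the same option names; the PR should say that `enable-encrypted-token`, `enable-refresh-tokens`, `encryption-key`, `server-write-timeout` and `upstream-timeout` were checked against the 4.x option list and link the upstream changelog for the breaking changes between 2.x and 4.x. Since a tag is a mutable reference, pinning the default by digest (`quay.io/gogatekeeper/gatekeeper@sha256:<digest>`) would also make the rendered Deployment reproducible.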
3 changes: 2 additions & 1 deletion deployment-configuration/value-template.yaml
Expand Up @@ -55,7 +55,8 @@ harness:
# -- Service port.
port: 80
# -- Auto generated secrets key-value pairs. If no value is provided, a random hash is generated
secrets: {}
secrets:
gatekeeper:
Copilot AI Mar 6, 2026


Adding harness.secrets.gatekeeper to the base value-template.yaml means every generated app config will have a non-empty harness.secrets map by default. In Helm, this will cause helm/templates/auto-secrets.yaml to start creating a Kubernetes Secret for all apps (even when harness.secured: false), which is a behavior change and adds unnecessary resources. Consider keeping secrets: {} as the default and only adding the gatekeeper secret key when an app is actually secured (or generate/attach it conditionally in the gatekeeper template).

Suggested change
secrets:
gatekeeper:
secrets: {}

# -- Specify which services this application uses in the frontend to create proxy ingresses. e.g. - name: mnp-checkout
use_services: []
# -- enabled sentry for automated error report
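Review bot: `gatekeeper:` with no value is a YAML null, and the doc comment two lines above it ("If no value is provided, a random hash is generated") is the only hint of what is supposed to happen to it. If the harness secret generation fills it with a random hash, that hash must have a length `encryption-key` can use (16, 24 or 32 bytes for AES); if it does not, the null falls through to the template's `randAlphaNum 20` default and this line changes nothing except making `secrets` non-empty. Either way, update the comment to name the new `gatekeeper` key, what consumes it, and the length it must have.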