
feat: restructure config/secret handling, harden chart, and add CI (v6.0.0) #78

Merged: secana merged 5 commits into main from feat/imporve-helm-chart on Jun 4, 2026

Conversation

@secana

@secana secana commented Jun 4, 2026

Member

Summary

Restructures how the chart handles configuration and secrets, hardens the defaults, and adds real CI. This is a breaking change (chart v6.0.0).

Closes #67, closes #68, closes #61.

The cookie-signing-key work builds on the idea from @vmoudy's #67 (originally #55). The env var is kept as KELLNR_REGISTRY__COOKIE_SIGNING_KEY — the rename to …COOKIE_SECRET in #67 would have made Kellnr ignore the value and generate a random key per pod (confirmed against crates/settings/src/registry.rs).

Config / secret restructure (breaking)

Previously secret.enabled flipped the entire config between a ConfigMap or a Secret. The chart now always renders both and mounts them together — non-sensitive values in a ConfigMap, sensitive ones in a Secret — so secrets are never stored in a plaintext ConfigMap.

Sensitive vars routed to the Secret: ADMIN_PWD, ADMIN_TOKEN, COOKIE_SIGNING_KEY, S3__ACCESS_KEY/SECRET_KEY, OAUTH2__CLIENT_SECRET (Postgres pwd keeps its existing secretKeyRef).

Hardening & additions

  • Health probes (startup/liveness/readiness) against /api/v1/health, enabled by default and tunable.
  • ServiceAccount token no longer auto-mounted (automountServiceAccountToken: false).
  • New settings: registry.downloadTimeoutSeconds / downloadMaxConcurrent / downloadCounterFlushSeconds, s3.connectTimeoutSeconds / requestTimeoutSeconds.
  • values.schema.json validates values (e.g. requires kellnr.origin.hostname).
  • helm test connection hook that curls the health endpoint through the Service.
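The rendered objects the two sections above describe, written out as an added example (this is not the chart's own template output). Object names (`kellnr-config`, `kellnr-secret`, `kellnr`), the image reference, the container port, the probe timings and every env var name except `KELLNR_REGISTRY__COOKIE_SIGNING_KEY` are assumptions for illustration:

```yaml
# Added example, not the chart's templates. Names, image, port 8000 and probe
# timings are assumed; only KELLNR_REGISTRY__COOKIE_SIGNING_KEY is taken from
# the PR description, the other env var names are placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: kellnr-config
data:
  # Non-sensitive settings only, so a plaintext ConfigMap is acceptable here.
  KELLNR_ORIGIN__HOSTNAME: "kellnr.example.com"      # assumed key name
  KELLNR_REGISTRY__DOWNLOAD_TIMEOUT_SECONDS: "30"    # assumed key name
---
apiVersion: v1
kind: Secret
metadata:
  name: kellnr-secret
type: Opaque
stringData:
  # Sensitive values live here, never in the ConfigMap. Admin password/token,
  # S3 keys and the OAuth2 client secret go alongside under their full names.
  KELLNR_REGISTRY__COOKIE_SIGNING_KEY: "REPLACE-WITH-LONG-RANDOM-VALUE"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kellnr
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kellnr
  template:
    metadata:
      labels:
        app: kellnr
    spec:
      # The pod never calls the Kubernetes API, so it gets no SA token to leak.
      automountServiceAccountToken: false
      containers:
        - name: kellnr
          image: "ghcr.io/kellnr/kellnr:<tag>"   # assumed reference; pin a tag
          ports:
            - name: http
              containerPort: 8000              # assumed listen port
          # Both sources are loaded into the environment at the same time.
          envFrom:
            - configMapRef:
                name: kellnr-config
            - secretRef:
                name: kellnr-secret
          # Alternative when the cookie key comes from a pre-existing Secret
          # (e.g. SOPS-managed): an explicit `env` entry wins over `envFrom`.
          # env:
          #   - name: KELLNR_REGISTRY__COOKIE_SIGNING_KEY
          #     valueFrom:
          #       secretKeyRef:
          #         name: my-existing-secret    # assumed name
          #         key: cookie-signing-key     # assumed key
          startupProbe:
            httpGet:
              path: /api/v1/health
              port: http
            periodSeconds: 5
            failureThreshold: 30   # up to 150 s for a slow first start
          livenessProbe:
            httpGet:
              path: /api/v1/health
              port: http
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /api/v1/health
              port: http
            periodSeconds: 5
```

A quick check after `helm template` or a real install is to dump the ConfigMap (`kubectl get configmap kellnr-config -o yaml`) and confirm none of the keys listed as sensitive appear in it; anyone with read access to ConfigMaps in the namespace can see everything stored there, while Secrets are usually covered by tighter RBAC rules. Keeping the env var name unchanged matters for the same reason the description gives: if the name does not match what `crates/settings/src/registry.rs` reads, Kellnr silently falls back to a per-pod random key and sessions stop surviving restarts or working across replicas.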

CI

  • New lint-test workflow on PRs: ct lint + a kind-based ct install that runs the new helm test hook (previously nothing ran on PRs).
  • Release workflow: triggers scoped to main, least-privilege per-job permissions, a concurrency group, and updated action versions (chart-releaser v1.2.1→v1.7.0, create-pull-request v6→v8, setup-helm v4→v5, checkout v4→v6).
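A lint-test workflow of the shape the CI section describes, added here as an example (it is not the repository's own workflow file). The job and step names, the concurrency group on the PR workflow, the `ct.yaml` and `.yamllint` contents and the `kellnr` chart directory are assumptions; the action versions follow the ones named in the description, and `chart-testing-action`, `kind-action` and `ct list-changed` are real but assumed to be used this way:

```yaml
# .github/workflows/lint-test.yaml -- added example, not the repo's own file.
name: lint-test
on:
  pull_request:
# Least privilege: the workflow only needs to read the checkout.
permissions:
  contents: read
# Assumed: cancel a superseded run of the same PR instead of queuing it.
concurrency:
  group: lint-test-${{ github.ref }}
  cancel-in-progress: true
jobs:
  lint-test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0   # ct diffs against main to find changed charts
      - uses: azure/setup-helm@v5
      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"
      - uses: helm/chart-testing-action@v2
      - name: Detect changed charts
        id: list-changed
        run: |
          changed=$(ct list-changed --config .github/ct.yaml)
          if [ -n "$changed" ]; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
          fi
      - name: Lint (yamllint, version bump, schema)
        run: ct lint --config .github/ct.yaml
      - name: Create kind cluster
        if: steps.list-changed.outputs.changed == 'true'
        uses: helm/kind-action@v1
      - name: Install and run the helm test hook
        if: steps.list-changed.outputs.changed == 'true'
        run: ct install --config .github/ct.yaml
---
# .github/ct.yaml -- assumed contents matching the commit message.
target-branch: main
chart-dirs:
  - charts          # assumed chart directory layout
validate-maintainers: false
check-version-increment: true
lint-conf: .github/yamllint.yaml
---
# .github/yamllint.yaml -- relaxes the comments rule so the chart's
# `value # default` one-space style passes ct lint.
extends: default
rules:
  comments:
    min-spaces-from-content: 1
```

`ct install` runs `helm test` after each install, which is what exercises the connection hook on a kind cluster; gating the cluster steps on `list-changed` keeps unrelated PRs cheap. The per-job `permissions` block is the part worth copying into any release workflow that publishes artifacts: a job that only lints should never hold `contents: write` or `pull-requests: write`.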

Upgrade notes

See the Chart version 6.0.0 section added to the README. Most inline users need no change; secret.useExisting users move to secret.existingSecret.

Testing

helm lint passes (schema included); rendered and verified all modes — both sources mounted, sensitive routing, cookie inline vs. secretKeyRef, existingSecret, probes (render + disable), SA token off, new env vars, schema rejection of bad input, and the helm test pod. All three workflow YAMLs parse and the version increment satisfies ct.

secana added 5 commits June 4, 2026 11:31
BREAKING CHANGE: `secret.enabled` and `secret.useExisting` are removed.
Non-sensitive settings now always render into a ConfigMap and sensitive ones
(admin password/token, cookie signing key, S3 keys, OAuth2 client secret) into
a Secret, both mounted into the pod. Use `secret.existingSecret` to bring your
own Secret (e.g. SOPS-encrypted).

- Move the cookie signing key into the Secret; allow sourcing it from an
  existing Secret via kellnr.registry.cookieSigningKeySecretRef (#67)
- Mount ConfigMap and Secret simultaneously; add extraEnvVars / extraEnvVarsCM
  / extraEnvVarsSecret escape hatches (#68, #61)
- Add startup/liveness/readiness probes against /api/v1/health
- Disable ServiceAccount token automount by default
- Expose registry download* and s3 *Timeout settings
- Add values.schema.json and a `helm test` connection hook
- Bump chart to 6.0.0 and document the upgrade

- Add lint-test workflow running chart-testing lint plus a kind-based
  install that exercises the new `helm test` hook on pull requests
- Add .github/ct.yaml (target-branch, chart-dirs, skip maintainer check)
- Scope release triggers to main, apply least-privilege per-job permissions,
  and add a concurrency group
- Bump chart-releaser-action v1.2.1->v1.7.0, create-pull-request v6->v8,
  setup-helm v4->v5, checkout v4->v6

ct lint runs yamllint, whose comments rule requires two spaces before inline
comments; the chart uses the `value # default` one-space style throughout.
Add a yamllint config (relaxed comments rule) and point ct at it via lint-conf.

Add a "Configuration storage (ConfigMap and Secret)" section covering
secret.existingSecret and pointing to the extra-env settings.
@secana secana merged commit 1beac7b into main Jun 4, 2026
1 check passed
@secana secana deleted the feat/imporve-helm-chart branch June 4, 2026 09:54


Development

Successfully merging this pull request may close these issues.

  • Allow use configmap and secret simultaneously
  • Allow arbitrary env vars to be added to the Kellnr pod
