Summary
Follow up on the remaining private key handling work for the ASDLC API Helm chart so private key contents are not sourced from Helm values during template rendering.
Background
PR #59 moved several secrets to Kubernetes Secrets and ESO/OpenBao-backed flows, but the ASDLC API deployment template can still render private key material from Helm values when these are provided:
.Values.taskSigning.privateKeyPem
.Values.github.appPrivateKeyPem
This should be handled separately from the current PR, as discussed in the review thread.
Required changes
Update the ASDLC API chart to stop rendering private key contents from Helm values in:
deployments/helm-charts/wso2-ae-platform/templates/asdlc-api/deployment.yaml
Instead, the chart should rely on one of the following patterns for private keys:
- generated Kubernetes Secrets created outside the main manifest rendering path, or
- pre-existing Secrets managed externally and referenced by name
Keep the current secret consumers compatible with the existing secret names where practical.
Affected areas
deployments/helm-charts/wso2-ae-platform/templates/asdlc-api/deployment.yaml
- related chart values and documentation for task-signing key and GitHub App private key handling
Acceptance criteria
- The chart no longer renders private key contents from Helm values into Secret manifests.
- The ASDLC API still mounts/uses the expected Kubernetes Secrets for:
- task signing key
- GitHub App private key
- Local/dev setup remains documented and workable.
- Chart documentation explains how these private keys must be provided.
Backlinks
Summary
Follow up on the remaining private key handling work for the ASDLC API Helm chart so private key contents are not sourced from Helm values during template rendering.
Background
PR #59 moved several secrets to Kubernetes Secrets and ESO/OpenBao-backed flows, but the ASDLC API deployment template can still render private key material from Helm values when these are provided:
.Values.taskSigning.privateKeyPem.Values.github.appPrivateKeyPemThis should be handled separately from the current PR, as discussed in the review thread.
Required changes
Update the ASDLC API chart to stop rendering private key contents from Helm values in:
deployments/helm-charts/wso2-ae-platform/templates/asdlc-api/deployment.yamlInstead, the chart should rely on one of the following patterns for private keys:
Keep the current secret consumers compatible with the existing secret names where practical.
Affected areas
deployments/helm-charts/wso2-ae-platform/templates/asdlc-api/deployment.yamlAcceptance criteria
Backlinks