Skip to content

make task signing key generation automatic if not provided#53

Merged
kaje94 merged 2 commits into
wso2:mainfrom
senithkay:automatic-task-signing-key-gen
Jun 19, 2026
Merged

make task signing key generation automatic if not provided#53
kaje94 merged 2 commits into
wso2:mainfrom
senithkay:automatic-task-signing-key-gen

Conversation

@senithkay

Copy link
Copy Markdown
Contributor

Purpose

Auto-generate the BFF task JWT signing key instead of hardcoding it in git.

Problem: Hardcoded dev key in values.yaml is a security risk and requires manual setup.

Goals

  • Remove hardcoded key from git
  • Auto-generate key on first helm install
  • Reuse same key on helm upgrade (preserve task JWTs)
  • Allow production override via --set-file taskSigning.privateKeyPem=...

Changes

  1. New file: wso2-agentic-engineer-bundle/templates/task-signing-key-job.yaml

    • Helm pre-install hook Job that generates 2048-bit RSA key
    • Stores in ConfigMap asdlc-api-task-signing-key
    • Idempotent: reuses existing key on subsequent installs
  2. Updated: wso2-ae-platform/values.yaml

    • taskSigning.privateKeyPem: "" (was hardcoded 2048-bit key)
  3. Updated: wso2-ae-platform/templates/asdlc-api/deployment.yaml

    • ConfigMap now only created if custom key provided
    • Otherwise hook Job creates it

@coderabbitai

coderabbitai Bot commented Jun 19, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5c951ffd-01b1-4637-a7c0-8cfa4da1cf39

📥 Commits

Reviewing files that changed from the base of the PR and between 324b7d4 and ddf8b24.

📒 Files selected for processing (1)
  • deployments/helm-charts/wso2-agentic-engineer-bundle/templates/task-signing-key-job.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • deployments/helm-charts/wso2-agentic-engineer-bundle/templates/task-signing-key-job.yaml

📝 Walkthrough

Summary

This pull request automates provisioning of the BFF task JWT signing key via Helm, removing reliance on a hardcoded private key in the chart values and ensuring the same key is reused across upgrades.

Changes

New Helm hook job

  • Added deployments/helm-charts/wso2-agentic-engineer-bundle/templates/task-signing-key-job.yaml.
  • Defines a pre-install/pre-upgrade hook Job that:
    • Checks whether a ConfigMap named asdlc-api-task-signing-key already exists.
    • If missing, generates a 2048-bit RSA private key and stores it in that ConfigMap.
    • Reuses the existing ConfigMap on subsequent installs/upgrades (idempotent behavior).
  • Includes the required Helm hook RBAC (ServiceAccount, ClusterRole, ClusterRoleBinding).

Values update

  • Updated deployments/helm-charts/wso2-ae-platform/values.yaml:
    • Sets taskSigning.privateKeyPem default to an empty string so the hook job can generate the ConfigMap on first install.
    • Supports providing a custom key via --set-file taskSigning.privateKeyPem=....

Deployment template update

  • Updated deployments/helm-charts/wso2-ae-platform/templates/asdlc-api/deployment.yaml:
    • Renders the asdlc-api-task-signing-key ConfigMap only when taskSigning.privateKeyPem is explicitly provided.
    • Otherwise, relies on the pre-install hook job to create it.

Impact

Helm installs now auto-generate the signing key when no custom key is provided, reuse it across upgrades, and still allow production deployments to supply a custom key via Helm CLI.

Walkthrough

The PR removes the hard-coded RSA-2048 private key from values.yaml, replacing it with an empty default string and updated documentation. A conditional block is added to the asdlc-api deployment template so the task-signing ConfigMap is only rendered when a custom key is explicitly provided. A new Helm hook template in the bundle chart introduces a ServiceAccount, ClusterRole (permitting get/create/patch on ConfigMaps), and ClusterRoleBinding, along with a pre-install/pre-upgrade Job that checks for the asdlc-api-task-signing-key ConfigMap idempotently and, if absent, generates a 2048-bit RSA key via openssl and stores it as a ConfigMap using a dry-run-to-apply pattern.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately and concisely summarizes the main change: making task signing key generation automatic when not explicitly provided.
Description check ✅ Passed The description covers purpose, goals, and implementation details with clear explanations of the three file changes. However, several template sections are missing or incomplete (documentation, release notes, testing details, security checks).
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

kaje94
kaje94 previously approved these changes Jun 19, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (2)
deployments/helm-charts/wso2-agentic-engineer-bundle/templates/task-signing-key-job.yaml (2)

16-31: 💤 Low value

Consider using a namespace-scoped Role instead of ClusterRole.

The Job only operates within the release namespace. A Role would limit ConfigMap permissions to that namespace rather than granting cluster-wide access. The current permissions (get/create/patch) are minimal, so this is a defense-in-depth consideration.

Proposed change to namespace-scoped Role
-# ClusterRole for the key generator — minimal permissions
+# Role for the key generator — minimal permissions (namespace-scoped)
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: wso2-ae-key-generator
+  namespace: {{ .Release.Namespace }}
   labels:

And update the binding:

-# ClusterRoleBinding for the key generator
+# RoleBinding for the key generator
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: wso2-ae-key-generator
+  namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/part-of: wso2-agentic-engineer
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade
     "helm.sh/hook-weight": "-10"
     "helm.sh/hook-delete-policy": before-hook-creation
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: wso2-ae-key-generator
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@deployments/helm-charts/wso2-agentic-engineer-bundle/templates/task-signing-key-job.yaml`
around lines 16 - 31, Change the kind from ClusterRole to Role in the
wso2-ae-key-generator resource definition since the Job only needs ConfigMap
permissions within its release namespace rather than cluster-wide permissions.
Additionally, ensure that any corresponding RoleBinding resource is updated to
reference Role instead of ClusterRole in its roleRef section to maintain the
proper RBAC binding relationship.

83-83: ⚡ Quick win

Pin the container image version for reproducibility.

Using alpine:latest can lead to inconsistent behavior across deployments if the upstream image changes. Pin to a specific version for reproducible builds.

-          image: alpine:latest
+          image: alpine:3.20
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@deployments/helm-charts/wso2-agentic-engineer-bundle/templates/task-signing-key-job.yaml`
at line 83, The container image specification in the task-signing-key-job.yaml
file uses `alpine:latest` which causes inconsistent deployments when the
upstream image is updated. Replace the `image: alpine:latest` directive with a
pinned version tag such as `alpine:3.18` or another specific stable version to
ensure reproducible builds and consistent behavior across all deployments.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@deployments/helm-charts/wso2-agentic-engineer-bundle/templates/task-signing-key-job.yaml`:
- Around line 83-116: The script uses kubectl commands (kubectl get configmap,
kubectl create configmap, kubectl apply) but the alpine:latest image does not
include kubectl by default. To fix this, either replace the image specification
from alpine:latest with an image that includes kubectl such as bitnami/kubectl,
or add kubectl installation to the shell script before the first kubectl command
is executed. If staying with alpine, add a command to install kubectl using apk
add before any kubectl operations occur in the script.

---

Nitpick comments:
In
`@deployments/helm-charts/wso2-agentic-engineer-bundle/templates/task-signing-key-job.yaml`:
- Around line 16-31: Change the kind from ClusterRole to Role in the
wso2-ae-key-generator resource definition since the Job only needs ConfigMap
permissions within its release namespace rather than cluster-wide permissions.
Additionally, ensure that any corresponding RoleBinding resource is updated to
reference Role instead of ClusterRole in its roleRef section to maintain the
proper RBAC binding relationship.
- Line 83: The container image specification in the task-signing-key-job.yaml
file uses `alpine:latest` which causes inconsistent deployments when the
upstream image is updated. Replace the `image: alpine:latest` directive with a
pinned version tag such as `alpine:3.18` or another specific stable version to
ensure reproducible builds and consistent behavior across all deployments.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2c199949-4b19-4f8f-b5de-d93923faae04

📥 Commits

Reviewing files that changed from the base of the PR and between 421ebfa and 324b7d4.

📒 Files selected for processing (3)
  • deployments/helm-charts/wso2-ae-platform/templates/asdlc-api/deployment.yaml
  • deployments/helm-charts/wso2-ae-platform/values.yaml
  • deployments/helm-charts/wso2-agentic-engineer-bundle/templates/task-signing-key-job.yaml

@kaje94 kaje94 merged commit 1bbfc3c into wso2:main Jun 19, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants