make task signing key generation automatic if not provided#53
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughSummaryThis pull request automates provisioning of the BFF task JWT signing key via Helm, removing reliance on a hardcoded private key in the chart values and ensuring the same key is reused across upgrades. ChangesNew Helm hook job
Values update
Deployment template update
ImpactHelm installs now auto-generate the signing key when no custom key is provided, reuse it across upgrades, and still allow production deployments to supply a custom key via Helm CLI. WalkthroughThe PR removes the hard-coded RSA-2048 private key from 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Warning Review ran into problems🔥 ProblemsGit: Failed to clone repository. Please run the Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (2)
deployments/helm-charts/wso2-agentic-engineer-bundle/templates/task-signing-key-job.yaml (2)
16-31: 💤 Low valueConsider using a namespace-scoped Role instead of ClusterRole.
The Job only operates within the release namespace. A
Rolewould limit ConfigMap permissions to that namespace rather than granting cluster-wide access. The current permissions (get/create/patch) are minimal, so this is a defense-in-depth consideration.Proposed change to namespace-scoped Role
-# ClusterRole for the key generator — minimal permissions +# Role for the key generator — minimal permissions (namespace-scoped) apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: name: wso2-ae-key-generator + namespace: {{ .Release.Namespace }} labels:And update the binding:
-# ClusterRoleBinding for the key generator +# RoleBinding for the key generator apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: name: wso2-ae-key-generator + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/part-of: wso2-agentic-engineer annotations: "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-weight": "-10" "helm.sh/hook-delete-policy": before-hook-creation roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: Role name: wso2-ae-key-generator🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@deployments/helm-charts/wso2-agentic-engineer-bundle/templates/task-signing-key-job.yaml` around lines 16 - 31, Change the kind from ClusterRole to Role in the wso2-ae-key-generator resource definition since the Job only needs ConfigMap permissions within its release namespace rather than cluster-wide permissions. Additionally, ensure that any corresponding RoleBinding resource is updated to reference Role instead of ClusterRole in its roleRef section to maintain the proper RBAC binding relationship.
83-83: ⚡ Quick winPin the container image version for reproducibility.
Using
alpine:latestcan lead to inconsistent behavior across deployments if the upstream image changes. Pin to a specific version for reproducible builds.- image: alpine:latest + image: alpine:3.20🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@deployments/helm-charts/wso2-agentic-engineer-bundle/templates/task-signing-key-job.yaml` at line 83, The container image specification in the task-signing-key-job.yaml file uses `alpine:latest` which causes inconsistent deployments when the upstream image is updated. Replace the `image: alpine:latest` directive with a pinned version tag such as `alpine:3.18` or another specific stable version to ensure reproducible builds and consistent behavior across all deployments.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In
`@deployments/helm-charts/wso2-agentic-engineer-bundle/templates/task-signing-key-job.yaml`:
- Around line 83-116: The script uses kubectl commands (kubectl get configmap,
kubectl create configmap, kubectl apply) but the alpine:latest image does not
include kubectl by default. To fix this, either replace the image specification
from alpine:latest with an image that includes kubectl such as bitnami/kubectl,
or add kubectl installation to the shell script before the first kubectl command
is executed. If staying with alpine, add a command to install kubectl using apk
add before any kubectl operations occur in the script.
---
Nitpick comments:
In
`@deployments/helm-charts/wso2-agentic-engineer-bundle/templates/task-signing-key-job.yaml`:
- Around line 16-31: Change the kind from ClusterRole to Role in the
wso2-ae-key-generator resource definition since the Job only needs ConfigMap
permissions within its release namespace rather than cluster-wide permissions.
Additionally, ensure that any corresponding RoleBinding resource is updated to
reference Role instead of ClusterRole in its roleRef section to maintain the
proper RBAC binding relationship.
- Line 83: The container image specification in the task-signing-key-job.yaml
file uses `alpine:latest` which causes inconsistent deployments when the
upstream image is updated. Replace the `image: alpine:latest` directive with a
pinned version tag such as `alpine:3.18` or another specific stable version to
ensure reproducible builds and consistent behavior across all deployments.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 2c199949-4b19-4f8f-b5de-d93923faae04
📒 Files selected for processing (3)
deployments/helm-charts/wso2-ae-platform/templates/asdlc-api/deployment.yamldeployments/helm-charts/wso2-ae-platform/values.yamldeployments/helm-charts/wso2-agentic-engineer-bundle/templates/task-signing-key-job.yaml
Purpose
Auto-generate the BFF task JWT signing key instead of hardcoding it in git.
Problem: Hardcoded dev key in values.yaml is a security risk and requires manual setup.
Goals
helm installhelm upgrade(preserve task JWTs)--set-file taskSigning.privateKeyPem=...Changes
New file:
wso2-agentic-engineer-bundle/templates/task-signing-key-job.yamlasdlc-api-task-signing-keyUpdated:
wso2-ae-platform/values.yamltaskSigning.privateKeyPem: ""(was hardcoded 2048-bit key)Updated:
wso2-ae-platform/templates/asdlc-api/deployment.yaml