Skip to content

Fix unsafe secrets#59

Draft
senithkay wants to merge 2 commits into
wso2:mainfrom
senithkay:fix-unsafe-secrets
Draft

Fix unsafe secrets#59
senithkay wants to merge 2 commits into
wso2:mainfrom
senithkay:fix-unsafe-secrets

Conversation

@senithkay

Copy link
Copy Markdown
Contributor

Purpose

Helm chart secrets were being passed as plaintext value: fields in pod specs and embedded in Helm release history, violating basic secret hygiene.

Resolves #56

Goals

  • Ensure no secret value appears as a plaintext value: in any pod spec or Helm release manifest
  • Provide a clear dev vs. production workflow for secret management
  • Allow per-secret control over whether Helm seeds, forces, or skips pushing to the secret store

Approach

Introduces an ESO-based secret management pipeline using OpenBao as the secret backend:

values.yaml (secrets.*.value)
→ K8s Secret "asdlc-api-seed" (staging area)
→ PushSecret → OpenBao (ESO pushes values in)
→ ExternalSecret (ESO reads back every 15s)
→ K8s Secret "asdlc-api-secrets"
→ pod env vars via secretKeyRef

Per-secret forceDefaultOverride policy — each secret in wso2-ae-platform.secrets now takes an object with value and forceDefaultOverride:

forceDefaultOverride Behaviour
"" (default) Push to OpenBao only if the key is absent (IfNotExists) — seeds on first install, never overwrites on upgrade
"true" Always overwrite OpenBao with the values.yaml value on every helm install/upgrade
"false" Do not push at all — rely on a value pre-seeded in OpenBao. Use for production.

Dev pattern: leave forceDefaultOverride: "" — values are seeded into OpenBao on first install and never touched on upgrade. Values appear in Helm release history, which is acceptable for non-production
use.

Production pattern: pre-seed each secret path in OpenBao before helm install, then set forceDefaultOverride: "false" so the chart never writes to the store and values never appear in release history.

Additional fixes:

  • OPENBAO_TOKEN removed from deployment.yaml — dead code (BFF never reads it)
  • POSTGRES_PASSWORD for the bundled dev StatefulSet now uses secretKeyRef via a dedicated asdlc-db-credentials K8s Secret
  • Task signing key auto-generation via a Helm hook Job (no longer requires manual --set-file)
  • ClusterSecretStore creation skipped if one already exists in the cluster (idempotent installs)

@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Overview

This PR refactors secret handling in the Helm charts for wso2-labs-agentic-engineer by introducing a secrets management flow that removes plaintext secret values from Helm deployments and release history. The changes implement integration with External Secrets Operator (ESO) and OpenBao as the backend secrets store.

Architecture Changes

The PR introduces a multi-stage secret flow:

  • Seed values flow from values.yaml into a Kubernetes seed secret
  • Seed secrets are pushed to OpenBao via PushSecret resources
  • OpenBao-backed secrets are synced back to Kubernetes via ExternalSecret resources
  • Pod deployments consume secrets through Kubernetes secretKeyRef references

New Components

  • ClusterSecretStore: A new idempotent ClusterSecretStore resource for OpenBao authentication using Kubernetes ServiceAccount credentials, with logic to skip creation if one already exists
  • ExternalSecret: Template for syncing runtime secrets from OpenBao KV v2 into Kubernetes secrets with configurable refresh intervals
  • PushSecret: Template supporting per-secret forceDefaultOverride control with two update modes:
    • Replace mode (when forceDefaultOverride: "true") overwrites keys on every Helm upgrade
    • IfNotExists mode (default) seeds only missing keys, enabling production use where values should not override existing secrets
  • Seed Secret: Kubernetes secret containing initial secret values derived from values.yaml, with conditional rendering based on secret presence

Deployment Changes

  • Sensitive environment variables (DATABASE_URL, OAuth secrets, GitHub integration secrets, etc.) now use valueFrom.secretKeyRef instead of direct Helm values
  • Task signing and GitHub App private keys are migrated from ConfigMaps to Kubernetes Secrets
  • OPENBAO_TOKEN environment variable removed from deployment

Configuration Changes

  • values.yaml no longer contains plaintext secret values (webhook secrets, OAuth secrets, API client secrets)
  • Removed direct openbao.token from dev configuration in favor of Kubernetes ServiceAccount auth
  • Added externalSecret configuration block with key mappings for all runtime secrets
  • Observer OAuth and GitHub client secrets moved to secret store management

PostgreSQL Secret Management

The bundled development PostgreSQL password is now stored in a dedicated Kubernetes secret (asdlc-db-credentials) rather than as a plaintext Helm value. The StatefulSet sources the password via secretKeyRef.

Helm Chart Changes

The wso2-agentic-engineer-bundle includes an updated task signing key pre-install/pre-upgrade Job that now provisions an RSA private key into a Kubernetes Secret (instead of ConfigMap) with idempotent behavior—reusing existing keys and only generating new ones when absent.

Development vs. Production Flexibility

The changes support multiple deployment modes:

  • Local development: Seed values can be applied inline with ESO managing the flow
  • Production: Empty production values can be enforced, with all secrets managed through the secret store without repo-public defaults

Walkthrough

The platform chart now provisions an OpenBao-backed secret store, syncs asdlc-api credentials into Kubernetes Secrets, seeds and pushes OpenBao values from chart inputs, and changes the application, GitHub key mounts, and PostgreSQL password handling to use Secret-backed sources. The agentic engineer bundle removes inline GitHub and Thunder secrets, adds OpenBao seed defaults, and changes the task-signing key job to create and reuse a Secret.

Sequence Diagram(s)

sequenceDiagram
  participant Helm as Helm chart
  participant ESO as External Secrets Operator
  participant OpenBao as OpenBao
  participant K8s as Kubernetes
  participant API as asdlc-api Deployment

  Helm->>K8s: apply ClusterSecretStore and ExternalSecret
  ESO->>OpenBao: read KV v2 keys
  ESO->>K8s: write asdlc-api-secrets
  API->>K8s: read secretKeyRef values and key mounts
Loading
sequenceDiagram
  participant Job as task-signing-key Job script
  participant Kubectl as kubectl
  participant K8s as Kubernetes

  Job->>K8s: check for the task-signing key Secret
  Job->>Job: generate RSA 2048 private key when missing
  Job->>Kubectl: create Secret manifest
  Kubectl->>K8s: apply the Secret
Loading

Suggested reviewers

  • axewilledge
  • kaje94
🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description covers purpose, goals, and approach, but omits many required template sections such as release note, documentation, tests, and related links. Add the missing template sections, especially user stories, release note, documentation, automation tests, security checks, migrations, and related PRs.
Linked Issues check ⚠️ Warning The PR improves secret storage, but it does not implement the requested backend modes or the required empty/required production-secret behavior for #56. Add the inline/existing/externalSecret backend switch, enforce empty required production secrets, and document the local k3d and mitigation flows for #56.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately summarizes the main theme of the PR: hardening secret handling.
Out of Scope Changes check ✅ Passed The changes stay focused on secret handling, key storage, and secret-store plumbing for the Helm charts.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 8

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
deployments/helm-charts/wso2-agentic-engineer-bundle/templates/task-signing-key-job.yaml (1)

16-31: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Use namespace-scoped RBAC for the key generator.

The job only manages a Secret in {{ .Release.Namespace }}, so a Role/RoleBinding is sufficient and keeps the permission scope aligned with the job.

Proposed RBAC scope reduction
-kind: ClusterRole
+kind: Role
 metadata:
   name: wso2-ae-key-generator
+  namespace: {{ .Release.Namespace }}
@@
-kind: ClusterRoleBinding
+kind: RoleBinding
@@
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: wso2-ae-key-generator

Also applies to: 33-52

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@deployments/helm-charts/wso2-agentic-engineer-bundle/templates/task-signing-key-job.yaml`
around lines 16 - 31, The RBAC for the key generator is overly broad because it
uses a ClusterRole for a Secret that lives only in the release namespace. Update
the task-signing-key-job template to use namespace-scoped RBAC by replacing the
ClusterRole/ClusterRoleBinding with a Role/RoleBinding tied to {{
.Release.Namespace }}, and keep the secret permissions limited to the existing
key generator job objects. Use the existing task-signing-key-job resource names
and annotations to locate the related RBAC sections that need to be changed
together.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@deployments/helm-charts/wso2-ae-platform/templates/asdlc-api/cluster-secret-store.yaml`:
- Around line 14-17: The rendered store type is inconsistent between this
template and the consumers in external-secret.yaml and push-secret.yaml. Update
the cluster-secret-store template to either always use ClusterSecretStore by
pinning the kind in .Values.externalSecret.secretStoreRef.kind across the chart,
or branch the lookup/create logic in this template based on the configured kind
so it only provisions the matching SecretStore or ClusterSecretStore. Reference
the cluster-secret-store.yaml template and the secretStoreRef.kind usage in the
external-secret and push-secret templates while making the change.

In
`@deployments/helm-charts/wso2-ae-platform/templates/asdlc-api/deployment.yaml`:
- Around line 223-252: The Secret templates for asdlc-api are still sourcing
private key contents from Helm values, which should not be rendered into
manifests or release metadata. Update the Secret handling in the deployment
template to stop using .Values.taskSigning.privateKeyPem and
.Values.github.appPrivateKeyPem in the Secret definitions, and instead rely on
generated secrets or references to pre-existing secrets managed outside Helm.
Keep the existing Secret names and surrounding conditional structure in
deployment.yaml, but remove any values-based private key material from the
rendered output.
- Around line 213-238: The asdlc-api Deployment always mounts
asdlc-api-task-signing-key, but wso2-ae-platform only creates that Secret when
.Values.taskSigning.privateKeyPem is set, so direct installs can fail. Add a
pre-install Helm hook Job in the wso2-ae-platform chart, alongside the existing
taskSigning secret logic, that generates and creates asdlc-api-task-signing-key
when .Values.taskSigning.privateKeyPem is absent, matching the standalone safety
already handled in the bundle chart.

In
`@deployments/helm-charts/wso2-ae-platform/templates/asdlc-api/seed-secret.yaml`:
- Around line 11-18: The seed Secret is incorrectly skipped when .Values.secrets
is empty, which breaks the databaseURL secret flow. Update the seed-secret.yaml
gating logic around the secret rendering so the asdlc-api-seed resource is
always created when databaseURL is part of the chain, even with the default
secrets: {} value. Keep the existing secret iteration logic in sync with the
resource template and make sure the databaseURL entry can still be published by
push-secret.yaml and consumed by the deployment via asdlc-api-secrets.

In `@deployments/helm-charts/wso2-ae-platform/templates/postgres/secret.yaml`:
- Around line 14-15: The PostgreSQL secret template is still sourcing the
password from chart values via the secret rendering path, so it remains baked
into Helm-managed manifests. Update the secret-handling flow in the postgres
Secret template to stop templating .Values.postgres.auth.password directly:
either require an existing/external Secret reference or generate a one-time
local password during install and persist it outside chart values. Keep the
change centered around the postgres secret template and the postgres.auth values
contract so the password is no longer shipped from default values.

In
`@deployments/helm-charts/wso2-agentic-engineer-bundle/templates/task-signing-key-job.yaml`:
- Around line 100-105: The reuse logic in the task signing key job only checks
whether the Secret exists, so it can exit even when the expected
task-signing.pem entry is missing. Update the Secret validation in the
task-signing-key job script to verify the key data exists before reusing it, and
only exit early when both the Secret and task-signing.pem are present; otherwise
continue with key generation so the mounted file is always available.

In `@deployments/helm-charts/wso2-agentic-engineer-bundle/values.yaml`:
- Around line 158-160: The githubClientSecret entry is currently treated like a
seedable value even though it is empty, which can cause an empty secret to be
persisted and block later updates. Update the values handling for
githubClientSecret in the seed/push flow so empty values are skipped or marked
as externally pre-seeded, and ensure the logic around the seed/push templates
does not apply IfNotExists semantics to this field.

---

Outside diff comments:
In
`@deployments/helm-charts/wso2-agentic-engineer-bundle/templates/task-signing-key-job.yaml`:
- Around line 16-31: The RBAC for the key generator is overly broad because it
uses a ClusterRole for a Secret that lives only in the release namespace. Update
the task-signing-key-job template to use namespace-scoped RBAC by replacing the
ClusterRole/ClusterRoleBinding with a Role/RoleBinding tied to {{
.Release.Namespace }}, and keep the secret permissions limited to the existing
key generator job objects. Use the existing task-signing-key-job resource names
and annotations to locate the related RBAC sections that need to be changed
together.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b609c06d-bdc0-4a86-81d6-1bad05404946

📥 Commits

Reviewing files that changed from the base of the PR and between 5c66ac3 and 460658c.

📒 Files selected for processing (10)
  • deployments/helm-charts/wso2-ae-platform/templates/asdlc-api/cluster-secret-store.yaml
  • deployments/helm-charts/wso2-ae-platform/templates/asdlc-api/deployment.yaml
  • deployments/helm-charts/wso2-ae-platform/templates/asdlc-api/external-secret.yaml
  • deployments/helm-charts/wso2-ae-platform/templates/asdlc-api/push-secret.yaml
  • deployments/helm-charts/wso2-ae-platform/templates/asdlc-api/seed-secret.yaml
  • deployments/helm-charts/wso2-ae-platform/templates/postgres/secret.yaml
  • deployments/helm-charts/wso2-ae-platform/templates/postgres/statefulset.yaml
  • deployments/helm-charts/wso2-ae-platform/values.yaml
  • deployments/helm-charts/wso2-agentic-engineer-bundle/templates/task-signing-key-job.yaml
  • deployments/helm-charts/wso2-agentic-engineer-bundle/values.yaml

Comment on lines +14 to +17
{{- $storeName := .Values.externalSecret.secretStoreRef.name | default "default" }}
{{- $existing := lookup "external-secrets.io/v1" "ClusterSecretStore" "" $storeName }}
{{- if not $existing }}
apiVersion: external-secrets.io/v1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Keep secretStoreRef.kind consistent with the rendered store type.

Lines 14-17 always look up/create a ClusterSecretStore, but external-secret.yaml and push-secret.yaml read .Values.externalSecret.secretStoreRef.kind. If that value is switched to SecretStore, the chart will still provision the cluster-scoped resource while the consumers reference a namespaced one. Either pin the kind to ClusterSecretStore everywhere or branch this template on the configured kind.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 14-14: syntax error: expected the node content, but found '-'

(syntax)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@deployments/helm-charts/wso2-ae-platform/templates/asdlc-api/cluster-secret-store.yaml`
around lines 14 - 17, The rendered store type is inconsistent between this
template and the consumers in external-secret.yaml and push-secret.yaml. Update
the cluster-secret-store template to either always use ClusterSecretStore by
pinning the kind in .Values.externalSecret.secretStoreRef.kind across the chart,
or branch the lookup/create logic in this template based on the configured kind
so it only provisions the matching SecretStore or ClusterSecretStore. Reference
the cluster-secret-store.yaml template and the secretStoreRef.kind usage in the
external-secret and push-secret templates while making the change.

Comment on lines +88 to +92
- match:
secretKey: databaseURL
remoteRef:
remoteKey: {{ .Values.externalSecret.keys.databaseURL }}
property: "value"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

databaseURL cannot rotate after the first install.

Lines 88-92 always publish databaseURL through the IfNotExists PushSecret. If postgres.url or the bundled DB credentials change later, OpenBao keeps the old value and asdlc-api continues consuming a stale connection string from asdlc-api-secrets. Give databaseURL an overwrite path, or derive it without a one-time seed.

Comment on lines +11 to +18
{{- $hasSecrets := false }}
{{- range $k, $v := .Values.secrets }}
{{- $policy := $v.forceDefaultOverride | default "" | toString }}
{{- if ne $policy "false" }}
{{- $hasSecrets = true }}
{{- end }}
{{- end }}
{{- if $hasSecrets }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Always render the seed Secret while databaseURL is part of the flow.

Lines 11-18 gate the whole resource only on .Values.secrets, but Lines 29-33 always define databaseURL, push-secret.yaml always tries to publish it, and the deployment reads it from asdlc-api-secrets. With the new default secrets: {}, asdlc-api-seed is never created, so the database secret chain stops before ESO can populate the runtime Secret.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 11-11: syntax error: expected the node content, but found '-'

(syntax)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@deployments/helm-charts/wso2-ae-platform/templates/asdlc-api/seed-secret.yaml`
around lines 11 - 18, The seed Secret is incorrectly skipped when
.Values.secrets is empty, which breaks the databaseURL secret flow. Update the
seed-secret.yaml gating logic around the secret rendering so the asdlc-api-seed
resource is always created when databaseURL is part of the chain, even with the
default secrets: {} value. Keep the existing secret iteration logic in sync with
the resource template and make sure the databaseURL entry can still be published
by push-secret.yaml and consumed by the deployment via asdlc-api-secrets.

Comment on lines +14 to +15
stringData:
password: {{ .Values.postgres.auth.password | quote }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

This still renders the PostgreSQL password from chart values.

Moving the password into a Secret removes it from the pod spec, but templating .Values.postgres.auth.password here still keeps the value in Helm-managed manifests, and the current values contract still ships a repo-known default. To fully meet the secret-handling goal, generate this once for local installs or require an existing/external secret instead of rendering the password from chart values.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deployments/helm-charts/wso2-ae-platform/templates/postgres/secret.yaml`
around lines 14 - 15, The PostgreSQL secret template is still sourcing the
password from chart values via the secret rendering path, so it remains baked
into Helm-managed manifests. Update the secret-handling flow in the postgres
Secret template to stop templating .Values.postgres.auth.password directly:
either require an existing/external Secret reference or generate a one-time
local password during install and persist it outside chart values. Keep the
change centered around the postgres secret template and the postgres.auth values
contract so the password is no longer shipped from default values.

Comment on lines +100 to 105
echo "Checking if task signing key Secret already exists..."
if kubectl get secret "$SECRET_NAME" -n {{ .Release.Namespace }} >/dev/null 2>&1; then
echo "Task signing key Secret already exists (reusing existing key)"
echo "This preserves JWT verification across helm upgrades and pod restarts"
exit 0
fi

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Validate the expected key before reusing the Secret.

The current check skips generation when the Secret object exists, even if task-signing.pem is missing. Check for that key before exiting so the mounted file is always present.

Proposed idempotency check
               echo "Checking if task signing key Secret already exists..."
               if kubectl get secret "$SECRET_NAME" -n {{ .Release.Namespace }} >/dev/null 2>&1; then
-                echo "Task signing key Secret already exists (reusing existing key)"
-                echo "This preserves JWT verification across helm upgrades and pod restarts"
-                exit 0
+                if kubectl get secret "$SECRET_NAME" -n {{ .Release.Namespace }} -o jsonpath='{.data.task-signing\.pem}' | grep -q .; then
+                  echo "Task signing key Secret already exists (reusing existing key)"
+                  echo "This preserves JWT verification across helm upgrades and pod restarts"
+                  exit 0
+                fi
+                echo "Task signing key Secret exists but task-signing.pem is missing; regenerating"
               fi
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
echo "Checking if task signing key Secret already exists..."
if kubectl get secret "$SECRET_NAME" -n {{ .Release.Namespace }} >/dev/null 2>&1; then
echo "Task signing key Secret already exists (reusing existing key)"
echo "This preserves JWT verification across helm upgrades and pod restarts"
exit 0
fi
echo "Checking if task signing key Secret already exists..."
if kubectl get secret "$SECRET_NAME" -n {{ .Release.Namespace }} >/dev/null 2>&1; then
if kubectl get secret "$SECRET_NAME" -n {{ .Release.Namespace }} -o jsonpath='{.data.task-signing\.pem}' | grep -q .; then
echo "Task signing key Secret already exists (reusing existing key)"
echo "This preserves JWT verification across helm upgrades and pod restarts"
exit 0
fi
echo "Task signing key Secret exists but task-signing.pem is missing; regenerating"
fi
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@deployments/helm-charts/wso2-agentic-engineer-bundle/templates/task-signing-key-job.yaml`
around lines 100 - 105, The reuse logic in the task signing key job only checks
whether the Secret exists, so it can exit even when the expected
task-signing.pem entry is missing. Update the Secret validation in the
task-signing-key job script to verify the key data exists before reusing it, and
only exit early when both the Secret and task-signing.pem are present; otherwise
continue with key generation so the mounted file is always available.

Comment on lines +158 to +160
githubClientSecret:
value: ""
forceDefaultOverride: ""

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Do not seed an empty GitHub client secret with IfNotExists.

The seed/push templates include non-false entries, so this can persist an empty value on first install and later non-force updates will not replace it. Mark this entry as externally pre-seeded or skip empty values in the seed/push flow.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deployments/helm-charts/wso2-agentic-engineer-bundle/values.yaml` around
lines 158 - 160, The githubClientSecret entry is currently treated like a
seedable value even though it is empty, which can cause an empty secret to be
persisted and block later updates. Update the values handling for
githubClientSecret in the seed/push flow so empty values are skipped or marked
as externally pre-seeded, and ensure the logic around the seed/push templates
does not apply IfNotExists semantics to this field.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Avoid providing helm charts secrets as plaintext

1 participant