
Harden flame-node chart security#137

Open
brucetony wants to merge 2 commits into master from node-security-update

Conversation

Contributor

@brucetony brucetony commented May 29, 2026

Summary by CodeRabbit

  • New Features

    • Support using external Kubernetes Secrets for Keycloak, MinIO and PostgreSQL credentials
    • Keycloak default user can be enabled or disabled via configuration
    • Data store configuration key renamed and enable toggle updated; MinIO root credentials are no longer hardcoded
  • Chores

    • Updated default message broker endpoints
    • Container image tags bumped to 0.6.4

coderabbitai Bot commented May 29, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e8aabb07-a84b-4b53-9671-8b4c120ea5ba

📥 Commits

Reviewing files that changed from the base of the PR and between e4fa99f and 2a373ce.

📒 Files selected for processing (1)
  • charts/flame-node/values.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • charts/flame-node/values.yaml

📝 Walkthrough

Walkthrough

This PR refactors credential management across the flame-node Helm chart to support external secrets. It introduces a Keycloak credentials helper, converts hardcoded secrets to dynamic templates with conditional existingSecret lookup, standardizes PostgreSQL configuration, renames the data store dependency to use an alias, and updates container images and service URLs.

Changes

External Secrets and Credential Management

Data store dependency aliasing
  Files: charts/flame-node/Chart.yaml, charts/flame-node/flame-node-data-store/values.yaml, charts/flame-node/values.yaml, charts/flame-node/values_min.yaml
  Summary: The flame-node-data-store dependency now uses alias: dataStore and the values configuration key is renamed from flame-node-data-store to dataStore throughout. MinIO defaults are updated to support existingSecret for credential management.

Keycloak credentials helper and external secrets framework
  Files: charts/flame-node/templates/_helpers.tpl, charts/flame-node/values.yaml
  Summary: New keycloak.credentials.secretName helper conditionally resolves secret names from keycloakx.auth.existingSecret or defaults to flame-keycloak-credentials-secret. Values extended with keycloakx.defaultUserEnabled, bootstrap admin credentials, and optional existingSecret configuration for Keycloak.

Dynamic credential secret templates
  Files: charts/flame-node/templates/secret.yaml
  Summary: Replaces hardcoded credential values with Helm templates that conditionally look up existing Kubernetes secrets via existingSecret paths or auto-generate random credentials for PostgreSQL (postgres, Kong, Keycloak) and Keycloak bootstrap admin secrets using randAlphaNum and base64 encoding.

Keycloak realm and bootstrap configuration
  Files: charts/flame-node/templates/keycloak/flame-keycloak-realm-configmap.yaml, charts/flame-node/templates/keycloak/keycloak-secret-sync-job.yaml, charts/flame-node/templates/keycloak/env-configmap.yaml
  Summary: Default Keycloak user is conditionally included in realm ConfigMap based on defaultUserEnabled. Keycloak secret-sync-job uses the templated keycloak.credentials.secretName helper and multi-line RBAC resource names format. HTTPS proxy configuration updated to use KC_PROXY_HEADERS: xforwarded instead of KC_PROXY: edge and KC_HOSTNAME_STRICT_HTTPS: false.

PostgreSQL credential standardization
  Files: charts/flame-node/values.yaml
  Summary: Adds auth configuration blocks to all three PostgreSQL instances with auto-generated superuser and user passwords, explicit default usernames and databases, and documented external-secret support.

Container image tags and service URLs
  Files: charts/flame-node/values.yaml
  Summary: Bumps hubAdapter and ui image tags from 0.6.3 to 0.6.4. Updates message broker base URLs to https://*.dev.privateaim.net/ endpoints for core, auth, and messenger services. Updates comment from "Keycloak related information" to "IDP related information".

Minimal values template updates
  Files: charts/flame-node/values_min.yaml
  Summary: Reflects the new keycloakx configuration structure with defaultUserEnabled and auth blocks, renames data store enablement to dataStore.enabled, and includes MinIO root credential and existingSecret configuration.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • PrivateAIM/helm#123: Updates Keycloak secret-sync-job configuration that this PR builds upon with the new keycloak.credentials.secretName helper.

Poem

🐰 From hardcoded keys to secrets that hide,
Helm charts now let external values guide.
Keys hop from files into Kubernetes night,
Random, optional, and safely out of sight.
A rabbit cheers — encryption done right!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title 'Harden flame-node chart security' accurately reflects the main objective of the pull request, which involves improving security by removing hardcoded credentials, adding support for existing secrets, and introducing conditional credential management across multiple Helm chart components.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
charts/flame-node/templates/secret.yaml (1)

22-33: ⚡ Quick win

Consider helm.sh/resource-policy: keep on the auto-generated Postgres credential secrets.

These secrets now hold randomly-generated passwords that the persisted Postgres PVC/DB initialize against. lookup preserves them across upgrades, but if the Secret is ever deleted (e.g. partial uninstall while volumes are retained) while the PVC survives, a reinstall regenerates a new random password that won't match the on-disk database, breaking auth. The keycloak-client-secrets (line 9) already uses resource-policy: keep; applying the same here makes persistence robust. Applies equally to the kong (line 45) and keycloak (line 65) Postgres secrets.

🛡️ Example for the postgres-credentials-secret
 metadata:
   name: {{ $pgDefaultSecretName }}
   namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/resource-policy: keep
 type: Opaque
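Review bot: the suggested helm.sh/resource-policy: keep annotation also means `helm uninstall` will leave this Secret (and its generated password) in the namespace, so a deliberate clean reinstall must delete it explicitly; a short comment next to the annotation saying so would save operators a surprise. The same note applies when the annotation is copied to the kong and keycloak Postgres secrets mentioned above.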
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/flame-node/values.yaml`:
- Around line 300-307: The values.yaml currently sets weak defaults
adminUsername: admin and adminPassword: admin which defeats the required guard
in secret.yaml; update charts/flame-node/values.yaml to remove the unsafe
default by setting adminPassword: "" (and optionally adminUsername: "" or
document that it must be set) so the required "adminPassword is required"
validation in secret.yaml actually fails when not provided; alternatively
implement auto-generation/persistence using the same lookup pattern as the
Postgres secrets if you prefer non-empty defaults.

---

Nitpick comments:
In `@charts/flame-node/templates/secret.yaml`:
- Around line 22-33: Add the Helm keep policy annotation to the autogenerated
Postgres credential Secrets so they are not deleted by Helm (preventing
mismatched DB passwords after partial uninstall/reinstall); specifically update
the Secret templates that create the secret named by $pgDefaultSecretName and
the Kong and Keycloak Postgres secrets to include
metadata.annotations["helm.sh/resource-policy"]="keep" (add the annotation block
under metadata in the Secret manifests such as the template that defines
superPassword, DB_USER, DB_PASSWORD, DB_DATABASE and the equivalent Kong and
Keycloak secret templates).
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 530e8f20-56c7-4f76-a2a0-822f46967785

📥 Commits

Reviewing files that changed from the base of the PR and between 7ba8d97 and e4fa99f.

📒 Files selected for processing (10)
  • charts/flame-node/Chart.yaml
  • charts/flame-node/flame-node-data-store/charts/blaze-0.1.0.tgz
  • charts/flame-node/flame-node-data-store/values.yaml
  • charts/flame-node/templates/_helpers.tpl
  • charts/flame-node/templates/keycloak/env-configmap.yaml
  • charts/flame-node/templates/keycloak/flame-keycloak-realm-configmap.yaml
  • charts/flame-node/templates/keycloak/keycloak-secret-sync-job.yaml
  • charts/flame-node/templates/secret.yaml
  • charts/flame-node/values.yaml
  • charts/flame-node/values_min.yaml
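The pieces the walkthrough and the nitpick above describe (an existingSecret override, `lookup` reuse across upgrades, random generation on first install, and the keep annotation) combined into one Secret template, written here as an added example rather than the chart's own secret.yaml. It assumes a values block `postgresql.auth` with `existingSecret`, `username` and `database` keys; the data keys are the ones named in the review.

```yaml
{{- /*
Added example, not the flame-node chart's own template. Renders the Postgres
credential Secret only when no external Secret is supplied through the assumed
values path .Values.postgresql.auth.existingSecret; consumers then reference
the external name instead.
*/ -}}
{{- if not .Values.postgresql.auth.existingSecret }}
{{- $pgDefaultSecretName := printf "%s-postgres-credentials" .Release.Name }}
{{- /*
Reuse values already stored in the cluster so an upgrade never rotates the
password underneath an initialised database. Caveat: lookup returns an empty
map under `helm template` and `--dry-run`, so output rendered there always
shows freshly generated values.
*/ -}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $pgDefaultSecretName }}
{{- $existingData := dict }}
{{- if and $existing $existing.data }}{{ $existingData = $existing.data }}{{ end }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $pgDefaultSecretName }}
  namespace: {{ .Release.Namespace }}
  annotations:
    # Survive `helm uninstall`, so a reinstall against a retained PVC still
    # matches the password the database was initialised with.
    helm.sh/resource-policy: keep
type: Opaque
data:
  # Per key: keep the stored (already base64) value if present, else generate.
  superPassword: {{ index $existingData "superPassword" | default (randAlphaNum 32 | b64enc) | quote }}
  DB_PASSWORD: {{ index $existingData "DB_PASSWORD" | default (randAlphaNum 32 | b64enc) | quote }}
  DB_USER: {{ .Values.postgresql.auth.username | default "postgres" | b64enc | quote }}
  DB_DATABASE: {{ .Values.postgresql.auth.database | default "postgres" | b64enc | quote }}
{{- end }}
```

Because a Secret with the keep annotation outlives the release, rotating the generated password is a deliberate step (delete the Secret and the database volume together, then upgrade) rather than something an upgrade does implicitly.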

@brucetony brucetony added the deploy/preview Deploy 1 hub and 2 nodes to max dev preview cluster label May 30, 2026