This is an automated email from the ASF dual-hosted git repository.

kunwp1 pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/texera.git


The following commit(s) were added to refs/heads/main by this push:
     new ea1e9d1237 fix(helm): Add `AUTH_JWT_SECRET` to `values.yaml` (#4388)
ea1e9d1237 is described below

commit ea1e9d1237574a5da38079e5e9f185a31ee7d873
Author: ali risheh <[email protected]>
AuthorDate: Thu Apr 16 12:21:11 2026 -0700

    fix(helm): Add `AUTH_JWT_SECRET` to `values.yaml` (#4388)
    
    ### What changes were proposed in this PR?
    Recently, we found that leaving `AUTH_JWT_SECRET` empty is a security
    vulnerability. To address this issue, the corresponding environment
    variable is added to `values.yaml`. Also, environment variables are added
    to the access control service since it needs to decrypt user tokens as well.
    
    ### Any related issues, documentation, discussions?
    Close #4397
    
    
    ### How was this PR tested?
    Local and production
    
    
    ### Was this PR authored or co-authored using generative AI tooling?
    No
    
    ---------
    
    Co-authored-by: Chen Li <[email protected]>
---
 bin/k8s/templates/access-control-service-deployment.yaml | 4 ++++
 bin/k8s/values.yaml                                      | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/bin/k8s/templates/access-control-service-deployment.yaml 
b/bin/k8s/templates/access-control-service-deployment.yaml
index 1d6739e034..f4d4405d33 100644
--- a/bin/k8s/templates/access-control-service-deployment.yaml
+++ b/bin/k8s/templates/access-control-service-deployment.yaml
@@ -50,6 +50,10 @@ spec:
               value: {{ .Values.workflowComputingUnitPool.name }}
             - name: KUBERNETES_COMPUTE_UNIT_POOL_NAMESPACE
               value: {{ .Values.workflowComputingUnitPool.namespace }}
+            {{- range .Values.texeraEnvVars }}
+            - name: {{ .name }}
+              value: "{{ .value }}"
+            {{- end }}
           livenessProbe:
             httpGet:
               path: /api/healthcheck
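Review bot: the added `range .Values.texeraEnvVars` block writes every entry, including `AUTH_JWT_SECRET`, into the Deployment as a literal `value:`, so the signing secret is readable by anyone who can view the Deployment spec or the rendered release manifest. Consider sourcing that one variable from a Kubernetes Secret with `valueFrom.secretKeyRef` and keeping only non-sensitive entries in this loop. Two smaller points on the same lines: `value: "{{ .value }}"` produces invalid YAML if a value contains a double quote, and `value: {{ .value | quote }}` avoids that; and the loop hands the access control service every variable in `texeraEnvVars` when the commit message says it only needs the one used for tokens, so passing just that variable would keep the service's environment minimal.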
diff --git a/bin/k8s/values.yaml b/bin/k8s/values.yaml
index 7558591c4d..c1ae399295 100644
--- a/bin/k8s/values.yaml
+++ b/bin/k8s/values.yaml
@@ -247,6 +247,9 @@ texeraEnvVars:
     value: ""
   - name: USER_SYS_DOMAIN
     value: ""
+  - name: AUTH_JWT_SECRET
+    # Development-only default (256-bit HS256 secret). Production environments 
MUST override this with a different, securely generated secret.
+    value: "a7f3c8e9b14d2e6f5a0b9c3d8e1f4a6b2c5d7e9f0a3b6c8d1e4f7a9b2c5d8e1f"
 
 yWebsocketServer:
   name: y-websocket-server
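Review bot: the default for `AUTH_JWT_SECRET` added under `texeraEnvVars` is a fixed value committed to the repository, so any install that does not override it signs tokens with a key that is publicly known, which leaves the problem the commit message describes for an empty secret in place for those installs. The comment says production MUST override it, but nothing in this change enforces that. Consider shipping the value empty and failing the chart render when it is unset (for example with Helm's `required` in the templates that consume it), or having the services refuse to start when the secret is empty or equal to this default. It would also help to document in the comment how to generate a replacement, since the hunk only states the expected size (256-bit, HS256).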
