Skip to content

Make it possible to specify superuser, superuserPassword and secretKey securely using Kubernetes Secrets#55

Open
srinathh wants to merge 5 commits intolangflow-ai:mainfrom
srinathh:main
Open

Make it possible to specify superuser, superuserPassword and secretKey securely using Kubernetes Secrets#55
srinathh wants to merge 5 commits intolangflow-ai:mainfrom
srinathh:main

Conversation

@srinathh
Copy link
Copy Markdown

@srinathh srinathh commented Aug 8, 2025

Fixes #54

Currently in backend-statefulset.yaml, parameters from value.yaml are directly copied into value. This prevents Kubernetes Secrets from being used & instead requires hard-coding these into values.yaml. With this implementaion, if we use Kubernetes Secrets in values.yaml, a string representation of the yaml gets copied over instead of the correct reference.

            - name: LANGFLOW_SUPERUSER
              value: "{{ .Values.langflow.backend.superuser | default "admin" }}"
            - name: LANGFLOW_SUPERUSER_PASSWORD
              value: "{{ .Values.langflow.backend.superuserPassword | default (randAlphaNum 32) }}"
            - name: LANGFLOW_SECRET_KEY
              value: "{{ .Values.langflow.backend.secretKey | default (randAlphaNum 32) }}"

Database settings are correctly handled and implementing this style will let secrets be used for superuser as well

            - name: LF_CHART_EXTERNALDB_DATABASE
            {{- toYaml .Values.langflow.backend.externalDatabase.database | nindent 14 }}
            - name: LF_CHART_EXTERNALDB_USER
            {{- toYaml .Values.langflow.backend.externalDatabase.user | nindent 14 }}
            - name: LF_CHART_EXTERNALDB_PASSWORD
            {{- toYaml .Values.langflow.backend.externalDatabase.password | nindent 14 }}

Additionally, setting admin password as a random default is worse than useless as then no one can ever login. It should not be optional. Similarly, SecretKey is ideally not optional if autologin is provided

This fix implements the same style as used in Database settings to superuser

srinathh and others added 5 commits August 8, 2025 21:42
@srinathh
make specifying superuserPassword & secretKey more secure
b6cfa24 
currently, the superuser, superuserPassword & secretKey are directly pulled as values into the backend chart. This prevents us from using Kubernetes Secrets for these values and instead requires them to be hard coded in values.yaml. This change allows Kubernetes Secrets to be used similar to how externaldb envs are handled
@srinathh
version bump
c46f20f
@srinathh
Merge pull request #1 from srinathh/bugfix/secure-superuserpassword
e0b6e1b 
make specifying superuserPassword & secretKey more secure
@srinathh
fixed indentation
8f22f88
@srinathh
bug fixes for indentation
dca01aa
@srinathh srinathh mentioned this pull request Aug 8, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

superuser, superuserPassword and secretKey forced to specify insecurely in values.yaml

1 participant

@srinathh