
Remove hashedToken requirement from PAT secret by computing hash in Initium seed spec #5

@mikkeldamsgaard

Description


Problem

When using the PAT seeding feature (pat.enabled: true), users must create a Kubernetes Secret containing both the plaintext PAT token and its base64-encoded SHA256 hash:

kubectl create secret generic netbird-pat \
  --from-literal=token='nbp_...' \
  --from-literal=hashedToken='base64hash...' \
  -n netbird

Computing the hash requires running a Python or OpenSSL command (see README), which is error-prone, adds friction, and creates a source of misconfiguration (e.g. hashing with a trailing newline, wrong encoding, etc.). The hash is a pure derivative of the token — it should not need to be supplied separately.

Proposed Solution

Initium v1.0.4 adds sha256("bytes") and base64encode extensions to the MiniJinja template language. This means the seed spec can compute the hashed token at runtime from the plaintext token alone:

# Before (current, Initium 1.0.1):
hashed_token: "{{ env.PAT_HASHED_TOKEN }}"

# After (proposed, Initium 1.0.4):
hashed_token: "{{ env.PAT_TOKEN | sha256("bytes") | base64_encode }}"

This eliminates the hashedToken field entirely from the user-facing configuration.
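Added example, not code from the issue or the chart: a small Python check that derives base64(sha256(token bytes)) the way the proposed seed spec expression does, and diagnoses an existing Secret's hashedToken against it before the migration, flagging the trailing-newline and hex-digest mistakes mentioned under Problem. The token and Secret data are constructed, and the key names token/hashedToken are assumed to be the chart's defaults.

```python
import base64
import hashlib
import hmac


def hashed_token(token: str) -> str:
    """base64(sha256(token bytes)): the value the proposed seed spec derives at runtime."""
    digest = hashlib.sha256(token.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def diagnose(token: str, hashed: str) -> str:
    """Compare a Secret's stored hashedToken with the hash of its token.

    Returns "ok" on a match; otherwise names the misconfiguration when it is
    one of two common ones (trailing newline from `echo`, or base64 of the
    hex digest instead of the raw digest), else "mismatch".
    """
    if hmac.compare_digest(hashed_token(token), hashed):
        return "ok"
    if hmac.compare_digest(hashed_token(token + "\n"), hashed):
        return "hashed-with-trailing-newline"
    hex_b64 = base64.b64encode(
        hashlib.sha256(token.encode("utf-8")).hexdigest().encode("ascii")
    ).decode("ascii")
    if hmac.compare_digest(hex_b64, hashed):
        return "hashed-hex-digest-not-bytes"
    return "mismatch"


def check_secret(data: dict, token_key: str = "token",
                 hashed_key: str = "hashedToken") -> str:
    """Diagnose a Secret's .data map as printed by `kubectl get secret -o json`
    (values base64-encoded). Assumes the chart's default key names."""
    token = base64.b64decode(data[token_key]).decode("utf-8")
    hashed = base64.b64decode(data[hashed_key]).decode("utf-8")
    return diagnose(token, hashed)


# Constructed sample: a made-up token and a Secret whose hashedToken was
# produced with `echo` (trailing newline), the misconfiguration the issue describes.
SAMPLE_TOKEN = "nbp_EXAMPLE_not_a_real_token"
SAMPLE_SECRET_DATA = {
    "token": base64.b64encode(SAMPLE_TOKEN.encode()).decode(),
    "hashedToken": base64.b64encode(hashed_token(SAMPLE_TOKEN + "\n").encode()).decode(),
}

if __name__ == "__main__":
    print(check_secret(SAMPLE_SECRET_DATA))  # hashed-with-trailing-newline
```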

Expected Behavior

After this change:

  1. Users create a Secret with only the plaintext PAT token
  2. The Initium seed Job computes the SHA256 hash and base64-encodes it at runtime
  3. The seeded PAT works identically for API authentication

Test Cases

  • PAT seeding works with all three backends (SQLite, PostgreSQL, MySQL)
  • curl -H "Authorization: Token nbp_..." returns valid API response
  • Secret with only token key is sufficient (no hashedToken needed)
  • Upgrading from previous chart version (with old-style Secret) works if user removes hashedToken and hashedTokenKey

Use Cases

  • Simplified GitOps: pipeline only needs to generate a random token, no hash computation
  • Reduced misconfiguration: no possibility of token/hash mismatch
  • Cleaner Secret management: single value instead of two derived values

Acceptance Criteria

  • Initium image upgraded to v1.0.4
  • pat.secret.hashedTokenKey removed from values.yaml
  • Seed spec uses base64encode(sha256(env.PAT_TOKEN)) MiniJinja expression
  • PAT seed Job injects plaintext token as PAT_TOKEN env var
  • README updated with simplified PAT generation and Secret creation
  • CHANGELOG updated with migration notes
  • All unit tests pass (updated assertions)
  • E2E tests pass on all three backends
