Skip to content

Hide Save-as-Demo UI when admin password is not configured#377

Merged
t0mdavid-m merged 1 commit intomainfrom
claude/fix-streamlit-secrets-61u1H
Apr 24, 2026
Merged

Hide Save-as-Demo UI when admin password is not configured#377
t0mdavid-m merged 1 commit intomainfrom
claude/fix-streamlit-secrets-61u1H

Conversation

@t0mdavid-m
Copy link
Copy Markdown
Member

@t0mdavid-m t0mdavid-m commented Apr 24, 2026
edited by coderabbitai Bot
Loading

Summary

Refactored the "Save as Demo" feature to hide the entire UI section when the admin password is not configured, rather than showing an error message after the user clicks the button. This improves UX by preventing users from attempting an action that cannot succeed.

Key Changes

  • src/common/common.py: Wrapped the entire "Save as Demo" expander in an if is_admin_configured() check, moving the admin configuration validation from post-click error handling to pre-render visibility control. Removed the redundant admin configuration check that was happening inside the button click handler.

  • src/common/admin.py: Enhanced is_admin_configured() to catch StreamlitSecretNotFoundError in addition to FileNotFoundError and KeyError, making it more robust when secrets are not available. Added a broad exception handler as a safety net.

  • k8s/base/streamlit-secrets.yaml: Created a new committed Secret manifest with an empty admin password by default. This replaces the example-only approach and ensures the Secret always exists in the cluster, with the feature disabled by default (empty password = hidden UI).

  • k8s/base/kustomization.yaml: Added streamlit-secrets.yaml to the resources list so the Secret is always deployed.

  • docs/kubernetes-deployment.md: Updated deployment instructions to reflect the new approach:

    • Removed references to .example files
    • Documented that the Secret ships with an empty password and is always created
    • Simplified admin password configuration to use kubectl patch on the live Secret (recommended) or git update-index --skip-worktree for local edits
    • Clarified that namePrefix now applies to the Secret since it's managed by Kustomize

  • .gitignore: Removed the k8s/**/streamlit-secrets.yaml entry since the file is now tracked (with empty password) and no longer needs to be ignored.

  • Removed files: Deleted k8s/base/streamlit-secrets.yaml.example and k8s/overlays/prod/streamlit-secrets.yaml.example as they are no longer needed.

Implementation Details

The feature now follows a "secure by default, opt-in to enable" pattern:

  • The Secret is always present with an empty password
  • Empty password → UI is hidden (no button, no error)
  • Non-empty password → UI is visible and functional
  • Operators can enable the feature by patching the live Secret without editing tracked files, or by using git update-index --skip-worktree to locally edit the committed file without tracking the change

https://claude.ai/code/session_01V1noocAR7uXWjWsC9oLGhz

Summary by CodeRabbit

  • Bug Fixes

    • "Save as Demo" feature is now hidden by default until an admin password is set, preventing users from attempting to use functionality that requires authentication to operate correctly.

  • Documentation

    • Updated Kubernetes deployment instructions to reflect changes in the admin credential and secrets management workflow for improved security and simplified configuration.

@claude
k8s: ship streamlit-secrets by default, hide admin UI when empty
391ed16 
The Secret used to be an out-of-band copy-the-example step, so forgetting
the resources-list edit left the pod booting with an empty admin-secrets
mount and a user-facing "Admin not configured" error for a feature that
was never wired up in the first place.

Now the Secret is committed to the base with an empty admin password and
included in k8s/base/kustomization.yaml, so kubectl apply -k always
creates it. The "Save as Demo" expander is gated on a non-empty password
and is hidden entirely (no error box) when not configured. Operators
enable the feature by patching the live Secret or by editing the file
locally with git update-index --skip-worktree, both documented.
Exception handling in is_admin_configured() is tightened to also catch
StreamlitSecretNotFoundError so a missing secrets file never raises.

https://claude.ai/code/session_01V1noocAR7uXWjWsC9oLGhz
@t0mdavid-m t0mdavid-m merged commit 3387b9c into main Apr 24, 2026
8 of 9 checks passed
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Apr 24, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 785a618d-06d4-49ef-9fd0-4416afbb59e7

📥 Commits

Reviewing files that changed from the base of the PR and between 5bd5898 and 391ed16.

📒 Files selected for processing (8)
  • .gitignore
  • docs/kubernetes-deployment.md
  • k8s/base/kustomization.yaml
  • k8s/base/streamlit-secrets.yaml
  • k8s/base/streamlit-secrets.yaml.example
  • k8s/overlays/prod/streamlit-secrets.yaml.example
  • src/common/admin.py
  • src/common/common.py
📝 Walkthrough

Walkthrough

The pull request transitions the Streamlit secrets workflow from an optional template-based approach to a committed base Kubernetes Secret manifest. The .gitignore rule excluding streamlit-secrets.yaml is removed, documentation is updated to reflect the new deployment pattern, and the application now properly detects unconfigured admin passwords, gating the "Save as Demo" UI accordingly.

Changes

Cohort / File(s) Summary
Git Configuration
.gitignore		 Removes the gitignore rule that excluded k8s/**/streamlit-secrets.yaml, allowing the secrets manifest to be committed to version control.
Kubernetes Base Manifests
k8s/base/streamlit-secrets.yaml, k8s/base/kustomization.yaml		 Introduces a new committed streamlit-secrets Secret resource defining an empty admin password by default, and registers it in the Kustomize base resources list for automatic application.
Deprecated Example Manifests
k8s/base/streamlit-secrets.yaml.example, k8s/overlays/prod/streamlit-secrets.yaml.example		 Removes example-only Secret manifests, consolidating workflow documentation into the committed base resource and updated deployment guide.
Deployment Documentation
docs/kubernetes-deployment.md		 Updates instructions to use the committed base Secret as the default starting point, replacing imperative secret creation with kubectl patch commands and introducing git update-index --skip-worktree as an alternative for local password edits without tracking changes.
Admin Configuration Logic
src/common/admin.py, src/common/common.py		 Improves error handling to properly detect unconfigured admin states (treating missing secrets as unconfigured) and gates the "Save as Demo" UI to only display when admin password is explicitly set.

Possibly related PRs

Poem

🐰 A secret once hidden, now sits in the base,
No password at first—an empty space,
But patch it with care, and the Demo will shine,
The rabbit approves of this workflow design! ✨

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/fix-streamlit-secrets-61u1H

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@t0mdavid-m @claude