fix(helm): Add AUTH_JWT_SECRET to values.yaml#4388
Merged

Conversation

Contributor:
@aicam please create an issue first

Contributor:
@aicam can you explain what this solution is doing?

Contributor (Author):
The reason the token can be forged is that we never rewrote the JWT secret default in
bobbai00 requested changes on Apr 16, 2026.

bobbai00 pushed a commit to bobbai00/texera that referenced this pull request on Apr 18, 2026:

### What changes were proposed in this PR?
Recently, we found that leaving empty `AUTH_JWT_SECRET` is a security vulnerability. To address this issue, the corresponding environment variable is added to `values.yaml`. Also, environment variables are added to the access control service since it needs to decrypt the user token as well.

### Any related issues, documentation, discussions?
Close apache#4397

### How was this PR tested?
Local and production

### Was this PR authored or co-authored using generative AI tooling?
No

Co-authored-by: Chen Li <chenli@gmail.com>
bobbai00 pushed a commit that referenced this pull request on Apr 20, 2026:

… created computing units (#4426)

### What changes were proposed in this PR?
Computing units are created by calling Kubernetes functions and are created in a separate namespace; in this regard they do not share other services' and pods' settings, including environment variables. In this PR we pass the `AUTH_JWT_SECRET` environment variable previously introduced in #4388.

### Any related issues, documentation, discussions?
Fixes #4425

### How was this PR tested?
Tested using the k8s deployment

### Was this PR authored or co-authored using generative AI tooling?
No

Co-authored-by: Chen Li <chenli@gmail.com>
### What changes were proposed in this PR?
Recently, we found that leaving empty `AUTH_JWT_SECRET` is a security vulnerability. To address this issue, the corresponding environment variable is added to `values.yaml`. Also, environment variables are added to the access control service since it needs to decrypt the user token as well.

### Any related issues, documentation, discussions?
Close #4397

### How was this PR tested?
Local and production

### Was this PR authored or co-authored using generative AI tooling?
No
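The two failure modes this PR and its follow-up #4426 deal with are an empty JWT signing secret (tokens become forgeable because the HMAC key is known) and a secret that is set on some services but not on others (the computing-unit pods in their own namespace), so that a token issued by one service is rejected by another. The following is an added example, not Texera's own code: it shows a startup check that refuses an unset, empty or short `AUTH_JWT_SECRET`, a deployment-time check that every token-verifying service carries the same valid secret, and a minimal HS256 verify routine (standing in for whatever JWT library a service uses) that demonstrates a token minted under a different or empty key is rejected once the real secret is configured. The service names, the 32-byte minimum and the sample secret are assumptions constructed for the example.

```python
"""Added example (not Texera's code): startup validation of AUTH_JWT_SECRET and a
check that every service verifying user tokens shares the same secret."""
import base64
import hashlib
import hmac
import json
import os

# Assumption: 32 bytes (256 bits) as the minimum HS256 key size, as RFC 7518 recommends.
MIN_SECRET_BYTES = 32

# Constructed sample value for the example only; a real deployment generates its own.
SAMPLE_SECRET = "constructed-example-secret-0123456789abcdef-not-for-production"

# Constructed per-service environments mirroring the PR: the web server and access
# control service receive the secret, the computing-unit pod (separate namespace) does not.
SAMPLE_SERVICE_ENV_BEFORE = {
    "texera-web": {"AUTH_JWT_SECRET": SAMPLE_SECRET},
    "access-control": {"AUTH_JWT_SECRET": SAMPLE_SECRET},
    "computing-unit": {},  # variable never passed to the pod, as in #4425
}
SAMPLE_SERVICE_ENV_AFTER = {name: {"AUTH_JWT_SECRET": SAMPLE_SECRET} for name in SAMPLE_SERVICE_ENV_BEFORE}


def validate_jwt_secret(secret):
    """Return the secret if usable, else raise ValueError (the service should refuse to boot)."""
    if secret is None or secret.strip() == "":
        raise ValueError("AUTH_JWT_SECRET is unset or empty; refusing to start")
    if len(secret.encode("utf-8")) < MIN_SECRET_BYTES:
        raise ValueError(f"AUTH_JWT_SECRET is shorter than {MIN_SECRET_BYTES} bytes; refusing to start")
    return secret


def secret_is_acceptable(secret):
    """Boolean form of validate_jwt_secret, convenient for checks and tests."""
    try:
        validate_jwt_secret(secret)
        return True
    except ValueError:
        return False


def load_jwt_secret(env=None):
    """Read and validate the secret from the process environment at startup."""
    env = os.environ if env is None else env
    return validate_jwt_secret(env.get("AUTH_JWT_SECRET"))


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, secret):
    """Mint a compact HS256 JWS the way a JWT library does; used here only to build sample tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token, secret):
    """Return the claims if the signature verifies under `secret`, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
            return None
        expected = hmac.new(secret.encode("utf-8"), f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except (ValueError, AttributeError):  # malformed base64/JSON, wrong part count, non-object header
        return None


def check_shared_secret(service_env):
    """Deployment-time check: every token-verifying service must carry one identical, valid secret."""
    problems = []
    seen = {}
    for name, env in service_env.items():
        try:
            seen[name] = validate_jwt_secret(env.get("AUTH_JWT_SECRET"))
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    if len(set(seen.values())) > 1:
        problems.append("services do not share one AUTH_JWT_SECRET; tokens issued by one will be rejected by the others")
    return problems


if __name__ == "__main__":
    for label, env in (("before", SAMPLE_SERVICE_ENV_BEFORE), ("after", SAMPLE_SERVICE_ENV_AFTER)):
        print(label, check_shared_secret(env) or "ok")
    token = sign_hs256({"sub": "alice"}, SAMPLE_SECRET)
    print("token verifies under the configured secret:", verify_hs256(token, SAMPLE_SECRET) is not None)
    print("token minted with an empty secret is rejected:",
          verify_hs256(sign_hs256({"sub": "alice"}, ""), SAMPLE_SECRET) is None)
```

The same shape of check can run as a Helm test hook or a CI step against the rendered manifests: render the chart, collect `AUTH_JWT_SECRET` for every Deployment and for the template the computing-unit pods are created from, and feed the result to `check_shared_secret`, so a missing or mismatched secret fails the deployment rather than surfacing later as rejected user tokens.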