Fix authentication credential propagation and implement separate secrets architecture#52

Merged
dkrizic merged 6 commits into main from copilot/fix-ui-login-issues
Jan 26, 2026

Contributor

Copilot AI commented Jan 26, 2026

Authentication was non-functional due to environment variable mismatches and missing secret mounts. CLI expected PASSWORD but Helm provided AUTHENTICATION_PASSWORD. UI deployment lacked secret mounts entirely, preventing login.

Changes

CLI alignment

  • Changed CLI env vars to use simpler names: USERNAME and PASSWORD (without AUTHENTICATION_ prefix)
  • CLI parameters use lowercase: username and password

Helm chart fixes

  • Added AUTHENTICATION_USERNAME to service secret (previously only contained password)
  • Created separate CLI secret (<release>-cli-auth) with dedicated credentials using USERNAME and PASSWORD keys
  • Removed authentication secret mount from UI deployment (UI gets credentials from user login)
  • Added AUTHENTICATION_ENABLED to UI configmap when service auth is enabled
  • Removed duplicate USERNAME from CLI configmap (now sourced from secret)
  • Added safety checks for existing secret password retrieval

Architecture

Components now use dedicated secrets for proper separation of concerns with distinct naming conventions:

Service (<release>-auth secret)

  • Contains AUTHENTICATION_USERNAME and AUTHENTICATION_PASSWORD
  • Service authenticates incoming requests using these credentials

CLI (<release>-cli-auth secret)

  • Contains USERNAME and PASSWORD (simplified naming without AUTHENTICATION_ prefix)
  • CLI uses these credentials when making gRPC calls to service
  • Shares the same password as service (configured via service.authentication.password)

UI (no secret mount)

  • Only receives AUTHENTICATION_ENABLED flag via configmap
  • Collects credentials from user via login form
  • Passes user-provided credentials to service for authentication

All secrets share the same password but are managed separately with component-specific naming conventions, allowing proper credential isolation between components.

Original prompt

This section details on the original issue you should resolve

<issue_title>Unable to login/no login required</issue_title>
<issue_description>So needs an environment variable PASSWORD, but has mounted AUTHENTICATION_PASSWORD, but still works, I can run getall and set. I would prefer that service and cli have dedicated secrets with the (same) password.

Additionally I cannot login using the UI:

{"time":"2026-01-26T12:31:16.519523004Z","level":"WARN","msg":"Invalid login attempt","username":"admin","ctx":{"trace_id":"54b793a414bd118b07ed349a38dc6090","span_id":"1ae3494eb39649fc"}}
{"time":"2026-01-26T12:31:22.472813242Z","level":"WARN","msg":"Invalid login attempt","username":"admin","ctx":{"trace_id":"92b740c5a1800ef0422324e8e23599b9","span_id":"16b0d04155d66604"}}
{"time":"2026-01-26T12:31:52.986726163Z","level":"WARN","msg":"Invalid login attempt","username":"admin","ctx":{"trace_id":"99f4b9ba4bd5e9c27e5967e8e7475415","span_id":"12ee10091f836335"}}
{"time":"2026-01-26T12:31:59.220268785Z","level":"WARN","msg":"Invalid login attempt","username":"admin","ctx":{"trace_id":"b687d3b415a1c105da65f4d0a4ff1a71","span_id":"34bcee6dfdbe42

I don't see any logs in the backend regarding this.</issue_description>

Comments on the Issue (you are @copilot in this section)



Copilot AI and others added 3 commits January 26, 2026 13:31
Co-authored-by: dkrizic <1181349+dkrizic@users.noreply.github.com>
Co-authored-by: dkrizic <1181349+dkrizic@users.noreply.github.com>
Co-authored-by: dkrizic <1181349+dkrizic@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix login issues with UI authentication" to "Fix authentication credential propagation across service components" Jan 26, 2026
Copilot AI requested a review from dkrizic January 26, 2026 13:38
Owner

dkrizic commented Jan 26, 2026

@copilot I would like to have things changed. The /service does the actual authentication. It knows username and password via environment variables from configmaps and secrets. /cli knows them as well through its own configmap and secret. The /ui asks the user for username and password. Both /cli and /service pass the username and password to /service.

Co-authored-by: dkrizic <1181349+dkrizic@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 26, 2026

@copilot I would like to have things changed. The /service does the actual authentication. It knows username and password via environment variables from configmaps and secrets. /cli knows them as well...

Implemented the architecture you requested. Now:

  • Service has its own secret (<release>-auth)
  • CLI has its own dedicated secret (<release>-cli-auth)
  • UI does NOT have credentials mounted - gets them from user login

Both secrets share the same password (configured via service.authentication.password). CLI and UI pass credentials to service for authentication.

Commit: 9fe8c18

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • invalid

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title from "Fix authentication credential propagation across service components" to "Fix authentication credential propagation and implement separate secrets architecture" Jan 26, 2026
Owner

dkrizic commented Jan 26, 2026

@copilot For the CLI I want the parameter and environment variables to be called "username" or USERNAME and password or PASSWORD only, no authentication prefix

Co-authored-by: dkrizic <1181349+dkrizic@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 26, 2026

@copilot For the CLI I want the parameter and environment variables to be called "username" or USERNAME and password or PASSWORD only, no authentication prefix

Changed CLI to use simpler names without "authentication" prefix:

  • Parameters: username and password
  • Environment variables: USERNAME and PASSWORD
  • Secret keys: USERNAME and PASSWORD

Service still uses AUTHENTICATION_USERNAME and AUTHENTICATION_PASSWORD.

Commit: 0e2964a

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • invalid

If you need me to access, download, or install something from one of these locations, you can either:

@dkrizic dkrizic marked this pull request as ready for review January 26, 2026 16:57
@dkrizic dkrizic merged commit 6969dbd into main Jan 26, 2026
@dkrizic dkrizic deleted the copilot/fix-ui-login-issues branch January 26, 2026 16:57
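
A startup preflight for the variable-naming contract this pull request settles on, written as an added example and not code from this repository. The `contracts` table, `CheckEnv` and the sample values are assumptions for illustration, and the UI rule assumes service authentication is enabled. A missing or blank required variable is reported so the component can refuse to start instead of running without credentials.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// rule is the assumed per-component contract, taken from the PR description.
type rule struct{ required, forbidden []string }

var svcKeys = []string{"AUTHENTICATION_USERNAME", "AUTHENTICATION_PASSWORD"}

var contracts = map[string]rule{
	"service": {required: svcKeys},
	"cli":     {required: []string{"USERNAME", "PASSWORD"}, forbidden: svcKeys},
	// Assumes service authentication is enabled; the UI mounts no secret.
	"ui": {required: []string{"AUTHENTICATION_ENABLED"},
		forbidden: append([]string{"USERNAME", "PASSWORD"}, svcKeys...)},
}

// CheckEnv takes KEY=VALUE entries (the shape os.Environ() returns) and
// reports every violated rule, sorted. A blank value counts as missing.
func CheckEnv(component string, environ []string) []string {
	r, ok := contracts[component]
	if !ok {
		return []string{"unknown component " + component}
	}
	env := map[string]string{}
	for _, kv := range environ {
		if k, v, found := strings.Cut(kv, "="); found {
			env[k] = v
		}
	}
	var findings []string
	for _, k := range r.required {
		if env[k] == "" {
			findings = append(findings, "missing "+k)
		}
	}
	for _, k := range r.forbidden {
		if _, set := env[k]; set {
			findings = append(findings, "unexpected "+k)
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	// Constructed sample: the pre-fix CLI pod, given AUTHENTICATION_PASSWORD
	// by the chart while the CLI itself read PASSWORD.
	fmt.Println(CheckEnv("cli", []string{"USERNAME=admin", "AUTHENTICATION_PASSWORD=example"}))
}
```
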
Development

Successfully merging this pull request may close these issues.

Unable to login/no login required