Replace hardcoded secrets with auto-generated secrets and add validation pipeline#4
Draft
Co-authored-by: nielsweistra <7041359+nielsweistra@users.noreply.github.com>
Copilot (AI) changed the title from "[WIP] instructions" to "Replace hardcoded secrets with auto-generated secrets in Helm chart" on Aug 22, 2025.
Contributor
@copilot also add a pipeline for the validation steps
- Add GitHub Actions workflows for CI/CD validation
- Include Helm lint, template rendering, security scanning
- Add chart testing with Kind cluster
- Create Makefile for local development workflow
- Add documentation for validation and security features
- Include .gitignore for build artifacts

Co-authored-by: nielsweistra <7041359+nielsweistra@users.noreply.github.com>
Contributor, Author
I've added a comprehensive validation pipeline for the Helm chart. The pipeline includes:
GitHub Actions Workflows:
Local Development:
Key validation features:
All validation steps are now automated and will run on every PR and push. The commit is 7c27ed9.
Copilot (AI) changed the title from "Replace hardcoded secrets with auto-generated secrets in Helm chart" to "Replace hardcoded secrets with auto-generated secrets and add validation pipeline" on Aug 22, 2025.
This PR replaces all hardcoded secrets in the Matrix Synapse Helm chart with auto-generated secrets that are preserved across upgrades, and adds a comprehensive validation pipeline to ensure chart quality and security.
Problem
The chart contained several hardcoded secrets that posed security risks:
- `macaroon_secret_key`: `uLJ62kwNWO_DLcKAmbzqYkFwlDQWjNl5@G#SKT*i9~bZrZy~_@`
- `form_secret`: `2iTjom-bIq5Yh6:afKjUed^2Eokx8cd_kzdUN,A#0MFAn.tSrC`
- `client_secret` for OIDC: `uLJ62kwNWO_DLcKAmbzqYkFwlDQWjNl5@G#SKT*i9~bZrZy~_@`
- `coturn.sharedSecret`: `"ChangeMe"`
Solution
Implemented a comprehensive secret management system using Helm's `lookup` function and added automated validation:
Secret Management
- `randAlphaNum` (64 characters for most secrets, 32 for coturn)
- `lookup` to check for existing secrets and preserves them during upgrades
Validation Pipeline
Added comprehensive validation workflows including:
GitHub Actions Workflows:
Local Development Tools:
- `make validate`, `make test`, `make ci`
Changes Made
Enhanced `matrix-secret.yaml`
- `macook_secret_key` → `macaroonSecretKey`
- `formSecret`, `clientSecret`, `coturnSharedSecret`
Updated homeserver template in `_helpers.tpl`
Modified `values.yaml`
- `coturn.sharedSecret: "ChangeMe"`
Added Validation Infrastructure
Security Benefits
Testing
Fixes #3.
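The preserve-on-upgrade pattern the description refers to (generate with `randAlphaNum`, reuse via `lookup`), written out as an added example; this is not the chart's own `matrix-secret.yaml`. The key names and lengths (64 characters, 32 for coturn) come from the PR; the secret name derived from `.Release.Name`, the key-to-length map, and the `helm.sh/resource-policy: keep` annotation are assumptions made here.

```yaml
{{- /*
  Added example, not the chart's own template: a Secret whose values are
  generated on first install and copied back unchanged on every upgrade.
  Assumptions: secret name built from .Release.Name, the key/length map below,
  and the resource-policy annotation.
*/ -}}
{{- $secretName := printf "%s-secrets" .Release.Name }}
{{- /* lookup returns an empty map when the Secret does not exist yet */ -}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName }}
{{- $existingData := (get $existing "data") | default dict }}
{{- /* key -> generated length; 64 for most secrets, 32 for the coturn secret */ -}}
{{- $wanted := dict "macaroonSecretKey" 64 "formSecret" 64 "clientSecret" 64 "coturnSharedSecret" 32 }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $secretName }}
  annotations:
    # keep the Secret around even if the release is uninstalled (assumption)
    helm.sh/resource-policy: keep
type: Opaque
data:
{{- range $key, $length := $wanted }}
  {{- /* values in .data are already base64; copy them through untouched */ -}}
  {{- $current := get $existingData $key }}
  {{- if $current }}
  {{ $key }}: {{ $current | quote }}
  {{- else }}
  {{- /* missing key (fresh install, or a key added in a newer chart): generate it */ -}}
  {{ $key }}: {{ randAlphaNum $length | b64enc | quote }}
  {{- end }}
{{- end }}
```

Two things are worth checking in the validation pipeline. First, `lookup` only queries the API server during a real install or upgrade; under `helm template` it returns an empty map, so rendered output in CI will always show freshly generated values and cannot prove preservation. Second, preservation is therefore a cluster test: install into the Kind cluster the PR's chart testing uses, read a value with `kubectl get secret <name> -o jsonpath='{.data.macaroonSecretKey}'`, run `helm upgrade`, read it again, and fail the job if the two differ. Because each key is checked individually, a key introduced by a later chart version is generated without disturbing the ones already stored.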