EAI-6099 Parametrize Minio & Postgresql usernames and OpenBAO domain in Helm#701
Merged
The aiwb-cnpg-user and keycloak-cnpg-user Secrets in secrets-override-hardcoded.yaml duplicated identical content already created by secrets-aiwb-cnpg.yaml in PLUGGABLE_DB=false mode, and were orphaned (referenced no chart) in PLUGGABLE_DB=true mode. Only the default-user MinIO Secret remains, since its API_ACCESS_KEY value is coupled to a hardcoded reference in silogen/openbao-config.
Replace the static secrets-aiwb-cnpg.yaml with inline `kubectl create secret` calls in install_base.sh, populated from AIWB_DB_USER/PASSWORD, KEYCLOAK_DB_USER/PASSWORD, and new AIWB_CNPG_SUPERUSER_* / KEYCLOAK_CNPG_SUPERUSER_* env vars (default: placeholder). The CNPG cluster now bootstraps with the same username/password the AIWB and Keycloak charts read at startup, so the override step in secrets-override-hardcoded.yaml is no longer needed for the *-cnpg-user secrets.

Pass --set postgresql.username unconditionally to the AIWB and Keycloak helm template calls so the chart matches the bootstrapped CNPG user in both PLUGGABLE_DB modes.

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>
…e openbao-config

Two related changes:

1. Standalone helm install path (docs/manual_helm_install): replace static secrets-aiwb-minio.yaml + secrets-override-hardcoded.yaml with inline `kubectl create secret` calls in install_base.sh, populated from new MINIO_API_ACCESS_KEY / MINIO_API_SECRET_KEY / MINIO_CONSOLE_ACCESS_KEY / MINIO_CONSOLE_SECRET_KEY env vars (all default: placeholder). The same API_* pair feeds both `default-user` (Tenant bootstrap) and `minio-credentials` (AIWB / workbench) so the credentials match by construction. Renames MINIO_ACCESS_KEY / MINIO_SECRET_KEY → MINIO_API_ACCESS_KEY / MINIO_API_SECRET_KEY in the PLUGGABLE_S3=true branch and helper script (s3_minio_container.sh prints the new names). Both static YAMLs are now redundant and removed.
2. openbao-config chart: parametrize the previously hardcoded `api-default-user` and `default-user` access keys via new values `minio.apiAccessKey` / `minio.consoleAccessKey`. Defaults preserve current behaviour for the Argo install path; integrators can override via `--set minio.apiAccessKey=...`.

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>
Restructure both component docs to cover in-cluster (default) and external (pluggable) modes with concrete kubectl/helm commands the reader can run directly. Drop references to install_base.sh and other shell scripts so the markdown stands on its own; the scripts are now an executable companion to these docs rather than their source of truth.
Q-Dub approved these changes on May 7, 2026
EAI-6099
Changes to bootstrap.sh are verified by running the old and new commands locally and comparing to output. The output in both is equivalent.
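
The commit messages above say the new credential env vars default to `placeholder`. The following pre-flight check is an added example, not code from this PR or the project: it lists credential variables that are unset, empty, or still at that default, so an installer can stop before creating Secrets from them. The function names are hypothetical, the default is assumed to be the literal string `placeholder`, and the `*_CNPG_SUPERUSER_*` variables are matched by prefix because the page does not spell out their suffixes.

```shell
#!/bin/sh
# Added example (not part of the PR): pre-flight check for credential env vars.
# Assumption: the default value is the literal string "placeholder".
PLACEHOLDER="placeholder"

# Variable names as spelled in the commit messages.
CRED_VARS="AIWB_DB_USER AIWB_DB_PASSWORD KEYCLOAK_DB_USER KEYCLOAK_DB_PASSWORD
MINIO_API_ACCESS_KEY MINIO_API_SECRET_KEY MINIO_CONSOLE_ACCESS_KEY MINIO_CONSOLE_SECRET_KEY"

# The superuser variables are only given as prefixes on the page, so exported
# variables carrying these prefixes are discovered at run time.
CRED_PREFIXES="AIWB_CNPG_SUPERUSER_ KEYCLOAK_CNPG_SUPERUSER_"

# Print the names (never the values) of credential variables that are unset,
# empty, or still equal to the placeholder default.
weak_credential_vars() {
    names="$CRED_VARS"
    for prefix in $CRED_PREFIXES; do
        found=$(env | sed -n "s/^\(${prefix}[A-Za-z0-9_]*\)=.*/\1/p")
        names="$names $found"
    done
    for name in $names; do
        eval "value=\${$name-}"
        if [ -z "$value" ] || [ "$value" = "$PLACEHOLDER" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Return 0 only when every credential variable has a real value.
check_credentials() {
    weak=$(weak_credential_vars)
    if [ -n "$weak" ]; then
        printf 'refusing to install, placeholder or missing value in:\n%s\n' "$weak" >&2
        return 1
    fi
    return 0
}
```

Calling `check_credentials || exit 1` before the `kubectl create secret` step keeps a cluster from being bootstrapped with the default credentials.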