Portkey-AI · avaya09 · Jun 3, 2026 · Jun 3, 2026
diff --git a/charts/portkey-app/templates/_helpers.tpl b/charts/portkey-app/templates/_helpers.tpl
@@ -89,11 +89,40 @@ HTTP/HTTPS protocol
 {{ default "http" .Values.config.containerProtocol }}
 {{- end }}
 
+{{/*
+Validate that the JWT private key is set when the chart manages the secret.
+Skipped when an existing secret is supplied via config.existingSecretName.
+*/}}
+{{- define "portkey.validateJwtPrivateKey" -}}
+{{- if not .Values.config.existingSecretName }}
+{{- if not .Values.config.jwtPrivateKey }}
+{{- fail "config.jwtPrivateKey must not be empty. Set a strong secret used for signing the frontend JWT tokens, or provide it via config.existingSecretName." }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Validate that exactly one authentication mode is selected.
+Either config.oauth.enabled (SSO) or config.noAuth.enabled must be true, but not both.
+Enabling neither leaves the app without an auth mode; enabling both produces an
+invalid/ambiguous configuration (e.g. AUTH_MODE concatenates to "SSONO_AUTH").
+*/}}
+{{- define "portkey.validateAuthMode" -}}
+{{- if and .Values.config.oauth.enabled .Values.config.noAuth.enabled }}
+{{- fail "Both config.oauth.enabled and config.noAuth.enabled are true. Exactly one authentication mode must be selected: set config.oauth.enabled=true for SSO, or config.noAuth.enabled=true to run without authentication." }}
+{{- end }}
+{{- if and (not .Values.config.oauth.enabled) (not .Values.config.noAuth.enabled) }}
+{{- fail "No authentication mode selected. Set config.oauth.enabled=true to use SSO, or explicitly opt into config.noAuth.enabled=true to run without authentication." }}
+{{- end }}
+{{- end }}
+
 {{/*
 Name of the secret containing the secrets for this chart. This can be overridden by a secrets file created by
 the user or some other secret provisioning mechanism
 */}}
 {{- define "portkey.secretsName" -}}
+{{- include "portkey.validateJwtPrivateKey" . -}}
+{{- include "portkey.validateAuthMode" . -}}
 {{- if .Values.config.existingSecretName }}
 {{- .Values.config.existingSecretName }}
 {{- else }}
@@ -156,6 +185,31 @@ the user or some other secret provisioning mechanism
 {{- include "portkey.fullname" . }}-{{ .Values.gateway.name }}
 {{- end }}
 
+{{/*
+Name of the Secret holding log storage credentials.
+Overridable via logStorage.existingSecretName.
+*/}}
+{{- define "portkey.logStoreSecretsName" -}}
+{{- if .Values.logStorage.existingSecretName }}
+{{- .Values.logStorage.existingSecretName }}
+{{- else }}
+{{- include "portkey.gatewaySecretsName" . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Name of the Secret holding bedrockAssumed credentials.
+Overridable via bedrockAssumed.existingSecretName; otherwise the keys
+live in the chart-managed gateway Secret.
+*/}}
+{{- define "portkey.bedrockSecretsName" -}}
+{{- if .Values.bedrockAssumed.existingSecretName }}
+{{- .Values.bedrockAssumed.existingSecretName }}
+{{- else }}
+{{- include "portkey.gatewaySecretsName" . }}
+{{- end }}
+{{- end }}
+
 {{- define "portkey.gatewayClientAuth" -}}
 {{- .Values.config.defaultGatewayClientAuth | default "client_auth-PRIVATE_SEVICE" | quote }}
 {{- end }}
@@ -352,96 +406,96 @@ Template containing common environment variables that are used by several servic
 - name: LOG_STORE
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: logStore
 {{- if .Values.logStorage.mongo.enabled}}
 - name: MONGO_DB_CONNECTION_URL
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: mongoConnectionUrl
 - name: MONGO_DATABASE
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: mongoDatabase
 - name: MONGO_COLLECTION_NAME
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: mongoGenerationsCollection
 - name: MONGO_GENERATION_HOOKS_COLLECTION_NAME
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: mongoHooksCollection
 {{- end }}
 {{- if or .Values.logStorage.s3Compat.enabled }}
 - name: LOG_STORE_BASEPATH
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: logStoreBasePath
 {{- end }}      
 {{- if or .Values.logStorage.s3Compat.enabled .Values.logStorage.s3Assume.enabled }}
 - name: LOG_STORE_ACCESS_KEY
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: logStoreAccessKey
 - name: LOG_STORE_SECRET_KEY
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: logStoreSecretKey
 - name: LOG_STORE_REGION
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: logStoreRegion
 - name: LOG_STORE_GENERATIONS_BUCKET
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: logStoreGenerationsBucket
 {{- end }}
 {{- if .Values.logStorage.s3Assume.enabled }}
 - name: LOG_STORE_AWS_ROLE_ARN
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: logStoreAwsRoleArn
 - name: LOG_STORE_AWS_EXTERNAL_ID
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: logStoreExternalId
 {{- end }}
 {{- if .Values.logStorage.azure.enabled}}
 - name: AZURE_AUTH_MODE
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: azureAuthMode
 - name: AZURE_MANAGED_CLIENT_ID
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: azureManagedClientId
 - name: AZURE_STORAGE_ACCOUNT
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: azureStorageAccount
 - name: AZURE_STORAGE_KEY
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: azureStorageKey
 - name: AZURE_STORAGE_CONTAINER
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: azureStorageContainer
 {{- end }}
 {{- end }}
@@ -454,17 +508,17 @@ Template containing common environment variables that are used by several servic
 - name: AWS_ASSUME_ROLE_ACCESS_KEY_ID
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.bedrockSecretsName" . }}
       key: bedrockAssumedAccessKey
 - name: AWS_ASSUME_ROLE_SECRET_ACCESS_KEY
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.bedrockSecretsName" . }}
       key: bedrockAssumedSecretKey
 - name: AWS_ASSUME_ROLE_REGION
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.bedrockSecretsName" . }}
       key: bedrockAssumedRegion
 {{- end }}
 - name: ALBUS_BASEPATH
@@ -609,6 +663,7 @@ Template containing common environment variables that are used by several servic
 - name: ENABLE_GRAFANA
   value: {{ if .Values.apm.grafana.enabled }} "true" {{ else }} "false" {{ end }}
 - name: ENABLE_PROMETHEUS
+
   value: {{ if .Values.apm.grafana.prometheus.enabled }} "true" {{ else }} "false" {{ end }}
 {{- if .Values.apm.grafana.prometheus.enabled }}
 - name: PROMETHEUS_GATEWAY_URL

diff --git a/charts/portkey-app/values.yaml b/charts/portkey-app/values.yaml
@@ -82,7 +82,7 @@ config:
   existingSecretName: ""
   defaultGatewayURL: ""
   defaultGatewayClientAuth: ""
-  jwtPrivateKey: "<some-random-string>"
+  jwtPrivateKey: ""                              # Set to a strong secret for the JWT private key used for signing the frontend JWT tokens
   controlPlaneURL: ""
   containerProtocol: "http"
   disableOrgCreation: false
@@ -92,7 +92,7 @@ config:
   onboardingSupportMessage: ""
 
   noAuth:
-    enabled: true
+    enabled: false
 
   oauth:
     enabled: false
@@ -539,7 +539,7 @@ frontend:
         periodSeconds: 60
 
   service:
-    type: LoadBalancer
+    type: ClusterIP
     httpPort: 80
     httpsPort: 443
     labels: {}

diff --git a/charts/portkey-gateway/templates/_helpers.tpl b/charts/portkey-gateway/templates/_helpers.tpl
@@ -518,10 +518,35 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/component: minio
 {{- end }}
 
+{{/*
+Validate MinIO auth key configuration.
+- Fails fast if both minio.authKey.create and minio.authKey.existingSecret are set,
+  since the chart can either create the Secret or consume an existing one, not both.
+- Validates accessKey/secretKey only when the chart is actually creating the Secret
+  (create=true and no existingSecret).
+Only enforced when MinIO is enabled.
+*/}}
+{{- define "minio.validateAuthKey" -}}
+{{- if .Values.minio.enabled }}
+{{- if and .Values.minio.authKey.create .Values.minio.authKey.existingSecret }}
+{{- fail "minio.authKey.create and minio.authKey.existingSecret are mutually exclusive. Set create=true to have the chart create the Secret, or provide existingSecret (with create=false) to use your own." }}
+{{- end }}
+{{- if .Values.minio.authKey.create }}
+{{- if not .Values.minio.authKey.accessKey }}
+{{- fail "minio.authKey.accessKey must not be empty when minio.authKey.create is true. Set it, or provide credentials via minio.authKey.existingSecret (with create=false)." }}
+{{- end }}
+{{- if not .Values.minio.authKey.secretKey }}
+{{- fail "minio.authKey.secretKey must not be empty when minio.authKey.create is true. Set it, or provide credentials via minio.authKey.existingSecret (with create=false)." }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+
 {{/*
 MinIO auth key secret name
 */}}
 {{- define "minio.secretName" -}}
+{{- include "minio.validateAuthKey" . -}}
 {{- if .Values.minio.authKey.existingSecret -}}
 {{- .Values.minio.authKey.existingSecret -}}
 {{- else -}}