From 8e08fe8c542ca271c05f2c58ac28df3bfbe9a776 Mon Sep 17 00:00:00 2001 From: Amro Misbah Date: Wed, 19 Nov 2025 21:19:33 +0200 Subject: [PATCH 1/3] fix(admin-ui): Enabled admin-ui ingress by default Signed-off-by: Amro Misbah --- charts/gluu-all-in-one/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gluu-all-in-one/values.yaml b/charts/gluu-all-in-one/values.yaml index a4aab1a632..4a82d7f892 100644 --- a/charts/gluu-all-in-one/values.yaml +++ b/charts/gluu-all-in-one/values.yaml @@ -381,7 +381,7 @@ admin-ui: enabled: true ingress: # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice - adminUiEnabled: false + adminUiEnabled: true # -- Admin UI ingress resource labels. key app is taken. adminUiLabels: {} # -- Admin UI ingress resource additional annotations. From 15cc62f8af98f923e1e8332808b18c4af24d70fc Mon Sep 17 00:00:00 2001 From: Amro Misbah Date: Thu, 27 Nov 2025 22:44:43 +0200 Subject: [PATCH 2/3] docs: add warnings to protect admin ui endpoint Signed-off-by: Amro Misbah --- charts/gluu-all-in-one/templates/NOTES.txt | 15 +++++++++++++++ charts/gluu/templates/NOTES.txt | 15 +++++++++++++++ 2 files changed, 30 insertions(+) create mode 100644 charts/gluu-all-in-one/templates/NOTES.txt create mode 100644 charts/gluu/templates/NOTES.txt diff --git a/charts/gluu-all-in-one/templates/NOTES.txt b/charts/gluu-all-in-one/templates/NOTES.txt new file mode 100644 index 0000000000..8677584f79 --- /dev/null +++ b/charts/gluu-all-in-one/templates/NOTES.txt 
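Review bot: Flipping `adminUiEnabled` to `true` in `charts/gluu-all-in-one/values.yaml` makes the administrative console reachable through the ingress on every install that does not override the value, so the chart's default is no longer the restrictive one. An exposure like this is safer as an opt-in: keep `adminUiEnabled: false` as the default and let demo or development overlays set it to `true`. If the default has to stay on, the `# --` comment above the key should say so, e.g. `# -- Exposes the Admin UI through the ingress; restrict access (NetworkPolicy, source-IP allowlist or auth proxy) before production use`. The NOTES.txt banner added later in this series only appears in interactive `helm install`/`upgrade` output, so deployments rendered by a pipeline would likely never show it. The `admin-ui:` mapping continues outside the hunk.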
@@ -0,0 +1,15 @@
+{{ if index .Values "admin-ui" "ingress" "adminUiEnabled" -}}
+********************************************************************************
+*** SECURITY WARNING: ADMIN-UI EXPOSED ***
+********************************************************************************
+The flag `admin-ui.ingress.adminUiEnabled` is set to TRUE.
+
+This publicly exposes the Admin UI at "/admin"
+
+RECOMMENDATION:
+1. For production, ensure this endpoint is restricted via NetworkPolicies,
+ IP whitelisting, or an OAuth2 proxy. This endpoint is normally not internet facing.
+2. This can be left public in demo or internal development environments only.
+
+********************************************************************************
+{{- end }}
\ No newline at end of file
diff --git a/charts/gluu/templates/NOTES.txt b/charts/gluu/templates/NOTES.txt
new file mode 100644
index 0000000000..3f2336e4cb
--- /dev/null
+++ b/charts/gluu/templates/NOTES.txt
@@ -0,0 +1,15 @@
+{{ if index .Values "global" "admin-ui" "ingress" "adminUiEnabled" -}}
+********************************************************************************
+*** SECURITY WARNING: ADMIN-UI EXPOSED ***
+********************************************************************************
+The flag `global.admin-ui.ingress.adminUiEnabled` is set to TRUE.
+
+This publicly exposes the Admin UI at "/admin"
+
+RECOMMENDATION:
+1. For production, ensure this endpoint is restricted via NetworkPolicies,
+ IP whitelisting, or an OAuth2 proxy. This endpoint is normally not internet facing.
+2. This can be left public in demo or internal development environments only.
+
+********************************************************************************
+{{- end }}
\ No newline at end of file
From 149ce5ee8e2964af3c9512ed260a7b1632a5963d Mon Sep 17 00:00:00 2001
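Review bot: The banner in `charts/gluu-all-in-one/templates/NOTES.txt` names the risk but never gives the setting that removes it, so an operator who sees it still has to look up the key. Add a line such as `To disable: --set admin-ui.ingress.adminUiEnabled=false`; `charts/gluu/templates/NOTES.txt` has the same gap and would use `--set global.admin-ui.ingress.adminUiEnabled=false`. The guard also tests only the ingress flag, so in the all-in-one chart the warning would presumably still print when `admin-ui.enabled` is false and nothing is served behind `/admin`. Using `{{ if and (index .Values "admin-ui" "enabled") (index .Values "admin-ui" "ingress" "adminUiEnabled") -}}` would tie the banner to the component actually being deployed.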
From: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com> Date: Fri, 28 Nov 2025 10:43:26 +0200 Subject: [PATCH 3/3] Update charts/gluu/templates/NOTES.txt Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Signed-off-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com> --- charts/gluu/templates/NOTES.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/gluu/templates/NOTES.txt b/charts/gluu/templates/NOTES.txt index 3f2336e4cb..576878e00e 100644 --- a/charts/gluu/templates/NOTES.txt +++ b/charts/gluu/templates/NOTES.txt @@ -8,7 +8,7 @@ This publicly exposes the Admin UI at "/admin" RECOMMENDATION: 1. For production, ensure this endpoint is restricted via NetworkPolicies, - IP whitelisting, or an OAuth2 proxy. This endpoint is normally not internet facing. + IP whitelisting, or an OAuth2 proxy. This endpoint is normally not internet-facing. 2. This can be left public in demo or internal development environments only. ********************************************************************************