Merged
15 changes: 15 additions & 0 deletions charts/gluu-all-in-one/templates/NOTES.txt
@@ -0,0 +1,15 @@
{{ if index .Values "admin-ui" "ingress" "adminUiEnabled" -}}
********************************************************************************
*** SECURITY WARNING: ADMIN-UI EXPOSED ***
********************************************************************************
The flag `admin-ui.ingress.adminUiEnabled` is set to TRUE.

This publicly exposes the Admin UI at "/admin"

RECOMMENDATION:
1. For production, ensure this endpoint is restricted via NetworkPolicies,
IP whitelisting, or an OAuth2 proxy. This endpoint is normally not internet facing.
2. This can be left public in demo or internal development environments only.

********************************************************************************
{{- end }}
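Review bot: the condition on the first line, `index .Values "admin-ui" "ingress" "adminUiEnabled"`, reads three levels deep with no check that `admin-ui` and `admin-ui.ingress` exist. If an override file nulls either key, `index` is applied to a nil value and rendering fails, where the intent is only to skip the warning. Test each level before reading the flag, for example with nested `if` blocks that set a local variable, and render the banner from that variable. Minor: the banner spells "ADMIN-UI" while the body text uses "Admin UI".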
Comment on lines +1 to +15
Contributor

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# Find values.yaml files in the charts directory
fd -t f "values.yaml" charts/

Repository: GluuFederation/flex

Length of output: 740


🏁 Script executed:

# Read the values.yaml file
cat -n charts/gluu-all-in-one/values.yaml | grep -A 10 -B 2 "admin-ui"

Repository: GluuFederation/flex

Length of output: 2718


Perfect! I've verified the configuration. The charts/gluu-all-in-one/values.yaml file at line 384 confirms that admin-ui.ingress.adminUiEnabled is set to true, which aligns with the template conditional and the PR objectives.

Fix the hyphenation on line 11; values.yaml configuration verified as correct.

The Helm conditional template syntax is correct and properly references admin-ui.ingress.adminUiEnabled, which is confirmed to be set to true in the values.yaml file. However, apply this diff to fix the grammar:

-   IP whitelisting, or an OAuth2 proxy. This endpoint is normally not internet facing.
+   IP whitelisting, or an OAuth2 proxy. This endpoint is normally not internet-facing.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
{{ if index .Values "admin-ui" "ingress" "adminUiEnabled" -}}
********************************************************************************
*** SECURITY WARNING: ADMIN-UI EXPOSED ***
********************************************************************************
The flag `admin-ui.ingress.adminUiEnabled` is set to TRUE.
This publicly exposes the Admin UI at "/admin"
RECOMMENDATION:
1. For production, ensure this endpoint is restricted via NetworkPolicies,
IP whitelisting, or an OAuth2 proxy. This endpoint is normally not internet facing.
2. This can be left public in demo or internal development environments only.
********************************************************************************
{{- end }}
{{ if index .Values "admin-ui" "ingress" "adminUiEnabled" -}}
********************************************************************************
*** SECURITY WARNING: ADMIN-UI EXPOSED ***
********************************************************************************
The flag `admin-ui.ingress.adminUiEnabled` is set to TRUE.
This publicly exposes the Admin UI at "/admin"
RECOMMENDATION:
1. For production, ensure this endpoint is restricted via NetworkPolicies,
IP whitelisting, or an OAuth2 proxy. This endpoint is normally not internet-facing.
2. This can be left public in demo or internal development environments only.
********************************************************************************
{{- end }}
🧰 Tools
🪛 LanguageTool

[grammar] ~11-~11: Use a hyphen to join words.
Context: .... This endpoint is normally not internet facing. 2. This can be left public in de...

(QB_NEW_EN_HYPHEN)

🤖 Prompt for AI Agents
In charts/gluu-all-in-one/templates/NOTES.txt around lines 1 to 15, fix the
hyphenation on line 11 by replacing any occurrence of "Admin-UI" with "Admin UI"
(remove the hyphen) so the phrase reads consistently as "Admin UI" in the
notice.

2 changes: 1 addition & 1 deletion charts/gluu-all-in-one/values.yaml
Expand Up @@ -381,7 +381,7 @@ admin-ui:
enabled: true
ingress:
# -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice
adminUiEnabled: false
adminUiEnabled: true
Member

If we are enabling this by default we need to post a message that this is enabled and that the user should protect the /admin endpoint when helm install / helm upgrade is run.

Contributor Author

@misba7 misba7 Nov 20, 2025

@moabu
Mmm. I think anyone installing Gluu Flex instead of Janssen is doing so because they want an accessible admin-ui. That's the only difference.
So it made sense for me that gluu-aio mimics gluu which has adminUiEnabled enabled by default.

adminUiEnabled: true

Member

@moabu moabu Nov 27, 2025

I agree. This comment applies to the gluu microservices chart as well. I think we need to post a warning. What I’m suggesting is that we introduce templates/NOTES.txt in both charts with the following message:

{{- $adminUiEnabled := false -}}
{{- if and .Values.global (index .Values.global "admin-ui") -}}
  {{- if (index .Values.global "admin-ui" "ingress" "adminUiEnabled") -}}
    {{- $adminUiEnabled = true -}}
  {{- end -}}
{{- end -}}

{{- if $adminUiEnabled }}
********************************************************************************
*** SECURITY CONFIGURATION WARNING                                           ***
********************************************************************************
The flag `global.admin-ui.ingress.adminUiEnabled` is set to TRUE.

This exposes the Admin UI at: /admin-ui

RECOMMENDATION:
1. Use this setting ONLY for demo or internal development environments.
2. For production, ensure this endpoint is restricted via NetworkPolicies,
   IP whitelisting, or an OAuth2 proxy. This endpoint is normally not internet facing.
********************************************************************************
{{- end }}

# -- Admin UI ingress resource labels. key app is taken.
adminUiLabels: {}
# -- Admin UI ingress resource additional annotations.
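Review bot: `adminUiEnabled` now defaults to `true`, but the `# --` comment directly above it still says only "Enable Admin UI endpoints in either istio or nginx ingress depending on users choice", so anyone reading values.yaml or documentation generated from it gets no hint that a default install enables the Admin UI route. Extend that comment to state that the flag is on by default, that the endpoint should be restricted in production, and that setting it to `false` disables the Admin UI endpoints.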
15 changes: 15 additions & 0 deletions charts/gluu/templates/NOTES.txt
@@ -0,0 +1,15 @@
{{ if index .Values "global" "admin-ui" "ingress" "adminUiEnabled" -}}
********************************************************************************
*** SECURITY WARNING: ADMIN-UI EXPOSED ***
********************************************************************************
The flag `global.admin-ui.ingress.adminUiEnabled` is set to TRUE.

This publicly exposes the Admin UI at "/admin"

RECOMMENDATION:
1. For production, ensure this endpoint is restricted via NetworkPolicies,
IP whitelisting, or an OAuth2 proxy. This endpoint is normally not internet-facing.
2. This can be left public in demo or internal development environments only.

********************************************************************************
{{- end }}
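Review bot: the line `This publicly exposes the Admin UI at "/admin"` names a different path from the message proposed for this chart in the review thread, which said `/admin-ui`. Confirm the path against the chart's ingress template so the notice points operators at the route they actually need to restrict. The proposal's checks that `.Values.global` and its `admin-ui` key exist before reading the flag are also absent from the first line here; consider keeping them.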