Show secrets variable, defaults to false

Signed-off-by: Mihai Criveti <[email protected]>

Author: crivetimihai

charts/mcp-stack/templates/NOTES.txt

@@ -3,14 +3,16 @@
    • Rendered after every install/upgrade.
    • Surfaces endpoints, credentials and helper commands so you can
      start interacting with the stack right away.
+   • Set showSecrets to show secrets.
 */ -}}
 
 {{- $ns       := .Release.Namespace }}
 {{- $fullName := include "mcp-stack.fullname" . }}
 
-{{- /* -----------------------------------------------------------------
-      Resource names (keep in sync with ./_helpers.tpl)
-------------------------------------------------------------------*/ -}}
+{{- /* ─── show / hide secrets ───────────────────────────── */}}
+{{- $showSecrets := false }}   {{/* set to true to reveal passwords & keys */}}
+
+{{- /* ─── Resource names (keep in sync with _helpers.tpl) ─ */}}
 {{- $gatewaySvc  := printf "%s-mcpgateway"            $fullName }}
 {{- $ftSvc       := printf "%s-mcp-fast-time-server"  $fullName }}
 {{- $postgresSvc := printf "%s-postgres"              $fullName }}
@@ -20,29 +22,21 @@
 {{- $gwSecret := printf "%s-gateway-secret" $fullName }}
 {{- $pgSecret := include "mcp-stack.postgresSecretName" . }}
 
-{{- /* -----------------------------------------------------------------
-      Pull secret values so we can display them
-------------------------------------------------------------------*/ -}}
-{{- $gwSecObj := lookup "v1" "Secret" $ns $gwSecret }}
-{{- $pgSecObj := lookup "v1" "Secret" $ns $pgSecret }}
-
+{{- /* ─── Secret look-ups (only used when $showSecrets=true) */}}
 {{- $basicAuthPass := "" }}
 {{- $jwtKey        := "" }}
-{{- if $gwSecObj }}
-  {{- $basicAuthPass = index $gwSecObj.data "BASIC_AUTH_PASSWORD" | b64dec }}
-  {{- $jwtKey        = index $gwSecObj.data "JWT_SECRET_KEY"      | b64dec }}
-{{- end }}
-
-{{- /* ── Postgres password ─────────────────────────────── */}}
-{{- $pgSec := lookup "v1" "Secret" $ns $pgSecret }}
-{{- $pgPass := "<secret-not-yet-created>" }}
-{{- if $pgSec }}
-  {{- $pgPass = (index $pgSec.data "POSTGRES_PASSWORD" | b64dec) }}
+{{- $pgPass        := "" }}
+{{- if $showSecrets }}
+  {{- with (lookup "v1" "Secret" $ns $gwSecret) }}
+    {{- $basicAuthPass = index .data "BASIC_AUTH_PASSWORD" | b64dec }}
+    {{- $jwtKey        = index .data "JWT_SECRET_KEY"      | b64dec }}
+  {{- end }}
+  {{- with (lookup "v1" "Secret" $ns $pgSecret) }}
+    {{- $pgPass = index .data "POSTGRES_PASSWORD" | b64dec }}
+  {{- end }}
 {{- end }}
 
-{{- /* -----------------------------------------------------------------
-      Convenience shorthands
-------------------------------------------------------------------*/ -}}
+{{- /* ─── Convenience ports ─────────────────────────────── */}}
 {{- $gwPort      := .Values.mcpContextForge.service.port | default 80 }}
 {{- $pgPort      := .Values.postgres.service.port        | default 5432 }}
 {{- $redisPort   := .Values.redis.service.port           | default 6379 }}
@@ -59,10 +53,18 @@
 {{- end }}
   • Basic-Auth :
       user      = {{ .Values.mcpContextForge.secret.BASIC_AUTH_USER }}
-      password  = {{ .Values.mcpContextForge.secret.BASIC_AUTH_PASSWORD | default "<set-in-values>" }}
-      `kubectl -n {{ $ns }} get secret {{ $gwSecret }} -o jsonpath="{.data.BASIC_AUTH_PASSWORD}" | base64 -d`
+{{- if $showSecrets }}
+      password  = {{ $basicAuthPass }}
+{{- else }}
+      password  : <hidden>
+{{- end }}
+      (kubectl  = `kubectl -n {{ $ns }} get secret {{ $gwSecret }} -o jsonpath="{.data.BASIC_AUTH_PASSWORD}" | base64 -d`)
+{{- if $showSecrets }}
   • JWT signing key (JWT_SECRET_KEY) = {{ $jwtKey }}
-      `kubectl -n {{ $ns }} get secret {{ $gwSecret }} -o jsonpath="{.data.JWT_SECRET_KEY}" | base64 -d`
+{{- else }}
+  • JWT signing key (JWT_SECRET_KEY) : <hidden>
+{{- end }}
+      (kubectl  = `kubectl -n {{ $ns }} get secret {{ $gwSecret }} -o jsonpath="{.data.JWT_SECRET_KEY}" | base64 -d`)
   • Port-forward : `kubectl -n {{ $ns }} port-forward svc/{{ $gatewaySvc }} 4444:{{ $gwPort }}`
 
 {{- /* ════════════  Fast-Time-Server  ════════════ */}}
@@ -75,8 +77,12 @@
   • Host / Port  : {{ $postgresSvc }}.{{ $ns }}.svc.cluster.local:{{ $pgPort }}
   • DB           : {{ .Values.postgres.credentials.database }}
   • User         : {{ .Values.postgres.credentials.user }}
-  • Password     : {{ .Values.postgres.credentials.password | default "<set-in-values>" }}
-      `kubectl -n {{ $ns }} get secret {{ $pgSecret }} -o jsonpath="{.data.POSTGRES_PASSWORD}" | base64 -d`
+{{- if $showSecrets }}
+  • Password     : {{ $pgPass | default "<secret-not-yet-created>" }}
+{{- else }}
+  • Password     : <hidden>
+{{- end }}
+      (kubectl  = `kubectl -n {{ $ns }} get secret {{ $pgSecret }} -o jsonpath="{.data.POSTGRES_PASSWORD}" | base64 -d`)
 
 🔑 **Redis**
   • Host / Port  : {{ $redisSvc }}.{{ $ns }}.svc.cluster.local:{{ $redisPort }}
@@ -92,9 +98,13 @@
 # 1) Forward the Gateway locally (skip if using ingress):
 kubectl -n {{ $ns }} port-forward svc/{{ $gatewaySvc }} 4444:{{ $gwPort }} &
 
-# 2) Obtain a JWT via Basic-Auth (requires 'jq'): # TODO not yet implemented use jwt tool manually
+# 2) Obtain a JWT via Basic-Auth (requires 'jq'):
+{{- if $showSecrets }}
 export GW_TOKEN=$(curl -s -u '{{ .Values.mcpContextForge.secret.BASIC_AUTH_USER }}:{{ $basicAuthPass }}' \
   -X POST http://localhost:4444/auth/login | jq -r '.access_token')
+{{- else }}
+# export GW_TOKEN=(fetch after you retrieve the password with kubectl)
+{{- end }}
 
 # 3) Register the Fast-Time-Server with the Gateway:
 curl -s -X POST \