Tyk Stack Helm Chart: Secrets Templates Issues #442

@m4s-b3n

Summary

There are several issues with the secrets templates in the tyk-stack Helm chart where secrets are created unconditionally or with incorrect logic, leading to unnecessary resources and potential confusion.


Issue 1: tyk-stack Secret is Always Created Regardless of useSecretName

File: tyk-stack/templates/secrets.yaml

Description

The tyk-stack secrets template creates a Secret unconditionally, ignoring the global.secrets.useSecretName setting. When a user specifies a pre-created secret via global.secrets.useSecretName, the chart should skip creating its own secret, but it doesn't.

Impact

  • unnecessary secret created

Issue 2: tyk-pump Secret Creates mongoURL Even When Using PostgreSQL

File: components/tyk-pump/templates/secrets.yaml

Description

The pump secrets template creates a mongoURL entry in the secret even when PostgreSQL is configured as the database backend and MongoDB is not configured at all.

Current Behavior

The condition for creating the secret is:

{{- if not ( and ((.Values.global.redis.passSecret).name)
                 ((.Values.global.mongo.connectionURLSecret).name)
                 ((.Values.global.postgres.connectionStringSecret).name)) -}}

This means the secret is created if any of the three secrets (redis, mongo, postgres) is not externally provided. Inside, it creates:

{{- if not ((.Values.global.mongo.connectionURLSecret).name) }}
  mongoURL: {{ include "tyk-pump.mongo_url" . | quote }}
{{- end }}

The problem is that when using PostgreSQL:

  1. global.mongo.connectionURLSecret.name is typically not set (because Mongo isn't used)
  2. This triggers the creation of a mongoURL field with empty/default values
  3. The outer condition also evaluates incorrectly because it requires ALL three secrets to be set

Expected Behavior

  • The secret creation logic should be database-aware
  • When using PostgreSQL, MongoDB-related fields should not be created
  • The outer condition should use OR logic for optional backends, not AND logic

Issue 3: tyk-dashboard Secret Has Same MongoDB/PostgreSQL Logic Issue

File: components/tyk-dashboard/templates/secrets.yaml

Description

The dashboard secrets template has the same issue as the pump template - it creates MongoDB connection strings even when PostgreSQL is the configured backend.

Current Behavior

{{- if not ( and .Values.global.secrets.useSecretName 
                 ((.Values.global.redis.passSecret).name) 
                 ((.Values.global.mongo.connectionURLSecret).name) 
                 ((.Values.global.postgres.connectionStringSecret).name)) -}}

This condition requires ALL of the following to be true to skip secret creation:

  • useSecretName is set
  • Redis secret is externally provided
  • Mongo secret is externally provided
  • Postgres secret is externally provided

When using PostgreSQL only, the MongoDB secret is not provided (because it's not used), so the condition fails and creates the secret with MongoDB-related fields.

Expected Behavior

Same as Issue 2 - the logic should be:

  • Database-aware (check if Mongo/Postgres is actually being used)
  • Use OR logic for optional components
  • Only create secrets for the database backend that is actually in use

Reproduction Steps

  1. Deploy tyk-stack with PostgreSQL backend configured

  2. Set global.secrets.useSecretName to reference a pre-created secret

  3. Configure global.postgres.connectionStringSecret.name for external postgres secret

  4. Do not configure any MongoDB settings (as it's not used)

  5. Observe:

    • secret-tyk-stack-* is still created (Issue 1)
    • Dashboard and Pump secrets contain empty/default mongoURL (Issues 2 & 3)
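
A database-aware form of the pump condition described in Issues 2 and 3, as an added example (not the chart's own template and not part of the original issue). It assumes a backend selector `.Values.global.storageType` set to "mongo" or "postgres", and the Secret name is hypothetical; only the `mongoURL` entry is written out because the issue does not show the other keys.

```yaml
{{- /*
  Added example, not the chart's own template.
  Assumption: .Values.global.storageType ("mongo" or "postgres") selects the backend.
*/ -}}
{{- $storage  := default "" .Values.global.storageType -}}
{{- $redisExt := (.Values.global.redis.passSecret).name -}}
{{- $mongoExt := (.Values.global.mongo.connectionURLSecret).name -}}
{{- $pgExt    := (.Values.global.postgres.connectionStringSecret).name -}}

{{- /* A field is needed only when its backend is in use AND no external secret covers it. */ -}}
{{- $needRedis := not $redisExt -}}
{{- $needMongo := and (eq $storage "mongo") (not $mongoExt) -}}
{{- $needPg    := and (eq $storage "postgres") (not $pgExt) -}}

{{- /* Render the Secret only if the chart has to generate at least one field. */ -}}
{{- if or $needRedis $needMongo $needPg }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Release.Name }}-pump-example  # hypothetical name
type: Opaque
stringData:  # assumed so the value needs no base64 encoding
  {{- if $needMongo }}
  mongoURL: {{ include "tyk-pump.mongo_url" . | quote }}
  {{- end }}
  {{- /* Redis and PostgreSQL entries go here, guarded by $needRedis and $needPg;
         their key names and helpers are not shown in the issue. */}}
{{- end }}
```

With a PostgreSQL backend and external Redis and PostgreSQL secrets configured, all three `$need*` flags are false and no Secret is rendered, so no `mongoURL` entry is created.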

Labels: bug, external