apache · MonkeyCanCode · Jul 11, 2025 · Jul 5, 2025 · Jul 6, 2025 · Jul 7, 2025
diff --git a/helm/polaris/README.md b/helm/polaris/README.md
@@ -219,14 +219,20 @@ ct install --namespace polaris --debug --charts ./helm/polaris \
 |-----|------|---------|-------------|
 | advancedConfig | object | `{}` | Advanced configuration. You can pass here any valid Polaris or Quarkus configuration property. Any property that is defined here takes precedence over all the other configuration values generated by this chart. Properties can be passed "flattened" or as nested YAML objects (see examples below). Note: values should be strings; avoid using numbers, booleans, or other types. |
 | affinity | object | `{}` | Affinity and anti-affinity for polaris pods. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity. |
-| authentication | object | `{"authenticator":{"type":"default"},"tokenBroker":{"maxTokenGeneration":"PT1H","secret":{"name":null,"privateKey":"private.pem","publicKey":"public.pem","secretKey":"secret"},"type":"rsa-key-pair"},"tokenService":{"type":"default"}}` | Polaris authentication configuration. |
+| authentication | object | `{"authenticator":{"type":"default"},"tokenBroker":{"maxTokenGeneration":"PT1H","secret":{"name":null,"privateKey":"private.pem","publicKey":"public.pem","rsaKeyPair":{"privateKey":"private.pem","publicKey":"public.pem"},"secretKey":"symmetric.pem","symmetricKey":{"secretKey":"symmetric.pem"}},"type":"rsa-key-pair"},"tokenService":{"type":"default"}}` | Polaris authentication configuration. |
 | authentication.authenticator | object | `{"type":"default"}` | The type of authentication to use. Two built-in types are supported: default and test; test is not recommended for production. |
-| authentication.tokenBroker | object | `{"maxTokenGeneration":"PT1H","secret":{"name":null,"privateKey":"private.pem","publicKey":"public.pem","secretKey":"secret"},"type":"rsa-key-pair"}` | The type of token broker to use. Two built-in types are supported: rsa-key-pair and symmetric-key. |
-| authentication.tokenBroker.secret | object | `{"name":null,"privateKey":"private.pem","publicKey":"public.pem","secretKey":"secret"}` | The secret name to pull the public and private keys, or the symmetric key secret from. |
+| authentication.tokenBroker | object | `{"maxTokenGeneration":"PT1H","secret":{"name":null,"privateKey":"private.pem","publicKey":"public.pem","rsaKeyPair":{"privateKey":"private.pem","publicKey":"public.pem"},"secretKey":"symmetric.pem","symmetricKey":{"secretKey":"symmetric.pem"}},"type":"rsa-key-pair"}` | The type of token broker to use. Two built-in types are supported: rsa-key-pair and symmetric-key. |
+| authentication.tokenBroker.maxTokenGeneration | string | `"PT1H"` | Maximum token generation duration (e.g., PT1H for 1 hour). |
+| authentication.tokenBroker.secret | object | `{"name":null,"privateKey":"private.pem","publicKey":"public.pem","rsaKeyPair":{"privateKey":"private.pem","publicKey":"public.pem"},"secretKey":"symmetric.pem","symmetricKey":{"secretKey":"symmetric.pem"}}` | The secret name to pull the public and private keys, or the symmetric key secret from. |
 | authentication.tokenBroker.secret.name | string | `nil` | The name of the secret to pull the keys from. If not provided, a key pair will be generated. This is not recommended for production. |
-| authentication.tokenBroker.secret.privateKey | string | `"private.pem"` | The private key file to use for RSA key pair token broker. Only required when using rsa-key-pair. |
-| authentication.tokenBroker.secret.publicKey | string | `"public.pem"` | The public key file to use for RSA key pair token broker. Only required when using rsa-key-pair. |
-| authentication.tokenBroker.secret.secretKey | string | `"secret"` | The symmetric key file to use for symmetric key token broker. Only required when using symmetric-key. |
+| authentication.tokenBroker.secret.privateKey | string | `"private.pem"` | DEPRECATED: Use `authentication.tokenBroker.secret.rsaKeyPair.privateKey` instead. Key name inside the secret for the private key |
+| authentication.tokenBroker.secret.publicKey | string | `"public.pem"` | DEPRECATED: Use `authentication.tokenBroker.secret.rsaKeyPair.publicKey` instead. Key name inside the secret for the public key |
+| authentication.tokenBroker.secret.rsaKeyPair | object | `{"privateKey":"private.pem","publicKey":"public.pem"}` | Optional: configuration specific to RSA key pair secret. |
+| authentication.tokenBroker.secret.rsaKeyPair.privateKey | string | `"private.pem"` | Key name inside the secret for the private key |
+| authentication.tokenBroker.secret.rsaKeyPair.publicKey | string | `"public.pem"` | Key name inside the secret for the public key |
+| authentication.tokenBroker.secret.secretKey | string | `"symmetric.pem"` | DEPRECATED: Use `authentication.tokenBroker.secret.symmetricKey.secretKey` instead. Key name inside the secret for the symmetric key |
+| authentication.tokenBroker.secret.symmetricKey | object | `{"secretKey":"symmetric.pem"}` | Optional: configuration specific to symmetric key secret. |
+| authentication.tokenBroker.secret.symmetricKey.secretKey | string | `"symmetric.pem"` | Key name inside the secret for the symmetric key |
 | authentication.tokenService | object | `{"type":"default"}` | The type of token service to use. Two built-in types are supported: default and test; test is not recommended for production. |
 | autoscaling.enabled | bool | `false` | Specifies whether automatic horizontal scaling should be enabled. Do not enable this when using in-memory version store type. |
 | autoscaling.maxReplicas | int | `3` | The maximum number of replicas to maintain. |

diff --git a/helm/polaris/templates/_helpers.tpl b/helm/polaris/templates/_helpers.tpl
@@ -181,13 +181,19 @@ Prints the config volume definition for deployments and jobs.
           name: {{ tpl .Values.authentication.tokenBroker.secret.name . }}
           items:
           {{- if eq .Values.authentication.tokenBroker.type "rsa-key-pair" }}
-            - key: {{ tpl .Values.authentication.tokenBroker.secret.publicKey . }}
+            {{- /* Backward compatibility for publicKey: new takes precedence */ -}}
+            {{- $publicKey := coalesce .Values.authentication.tokenBroker.secret.rsaKeyPair.publicKey .Values.authentication.tokenBroker.secret.publicKey }}
+            {{- /* Backward compatibility for privateKey: new takes precedence */ -}}
+            {{- $privateKey := coalesce .Values.authentication.tokenBroker.secret.rsaKeyPair.privateKey .Values.authentication.tokenBroker.secret.privateKey }}
+            - key: {{ tpl $publicKey . }}
               path: public.pem
-            - key: {{ tpl .Values.authentication.tokenBroker.secret.privateKey . }}
+            - key: {{ tpl $privateKey . }}
               path: private.pem
           {{- end }}
           {{- if eq .Values.authentication.tokenBroker.type "symmetric-key" }}
-            - key: {{ tpl .Values.authentication.tokenBroker.secret.secretKey . }}
+            {{- /* Backward compatibility for symmetricKey: new takes precedence */ -}}
+            {{- $secretKey := coalesce .Values.authentication.tokenBroker.secret.symmetricKey.secretKey .Values.authentication.tokenBroker.secret.secretKey }}
+            - key: {{ tpl $secretKey . }}
               path: symmetric.key
           {{- end }}
       {{- end }}

diff --git a/helm/polaris/tests/deployment_test.yaml b/helm/polaris/tests/deployment_test.yaml
@@ -927,15 +927,22 @@ tests:
                       - key: application.properties
                         path: application.properties
 
-  - it: should configure config volume with token broker secret
+  - it: should configure config volume with token broker secret (rsa-key-pair - deprecation)
     set:
       image.configDir: /config/dir
       authentication:
         tokenBroker:
           secret:
             name: polaris-token-broker
+            type: rsa-key-pair
             publicKey: public.key
             privateKey: private.key
+            secretKey: symmetric.pem
+            rsaKeyPair:
+              publicKey: ~
+              privateKey: ~
+            symmetricKey:
+              secretKey: ~
     asserts:
       - contains:
           path: spec.template.spec.containers[0].volumeMounts
@@ -962,6 +969,128 @@ tests:
                       - key: private.key
                         path: private.pem
 
+  - it: should configure config volume with token broker secret (symmetric-key - deprecation)
+    set:
+      image.configDir: /config/dir
+      authentication:
+        tokenBroker:
+          type: symmetric-key
+          secret:
+            name: polaris-token-broker
+            publicKey: public.key
+            privateKey: private.key
+            secretKey: symmetric.pem
+            rsaKeyPair:
+              publicKey: ~
+              privateKey: ~
+            symmetricKey:
+              secretKey: ~
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: config-volume
+            mountPath: /config/dir
+            readOnly: true
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: config-volume
+            projected:
+              sources:
+                - configMap:
+                    name: polaris-release
+                    items:
+                      - key: application.properties
+                        path: application.properties
+                - secret:
+                    name: polaris-token-broker
+                    items:
+                      - key: symmetric.pem
+                        path: symmetric.key
+
+  - it: should configure config volume with token broker secret (rsa-key-pair)
+    set:
+      image.configDir: /config/dir
+      authentication:
+        tokenBroker:
+          secret:
+            name: polaris-token-broker
+            type: rsa-key-pair
+            publicKey: deprecation_public.key
+            privateKey: deprecation_private.key
+            secretKey: deprecation_symmetric.pem
+            rsaKeyPair:
+              publicKey: public.key
+              privateKey: private.key
+            symmetricKey:
+              secretKey: symmetric.pem
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: config-volume
+            mountPath: /config/dir
+            readOnly: true
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: config-volume
+            projected:
+              sources:
+                - configMap:
+                    name: polaris-release
+                    items:
+                      - key: application.properties
+                        path: application.properties
+                - secret:
+                    name: polaris-token-broker
+                    items:
+                      - key: public.key
+                        path: public.pem
+                      - key: private.key
+                        path: private.pem
+
+  - it: should configure config volume with token broker secret (symmetric-key)
+    set:
+      image.configDir: /config/dir
+      authentication:
+        tokenBroker:
+          type: symmetric-key
+          secret:
+            name: polaris-token-broker
+            publicKey: deprecation_public.key
+            privateKey: deprecation_private.key
+            secretKey: deprecation_symmetric.pem
+            rsaKeyPair:
+              publicKey: public.key
+              privateKey: private.key
+            symmetricKey:
+              secretKey: symmetric.pem
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: config-volume
+            mountPath: /config/dir
+            readOnly: true
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: config-volume
+            projected:
+              sources:
+                - configMap:
+                    name: polaris-release
+                    items:
+                      - key: application.properties
+                        path: application.properties
+                - secret:
+                    name: polaris-token-broker
+                    items:
+                      - key: symmetric.pem
+                        path: symmetric.key
+
   - it: should set relational-jdbc persistence environment variables
     set:
       persistence: { type: "relational-jdbc", relationalJdbc: { secret: { name: "polaris-persistence", username: "username", password: "password", jdbcUrl: "jdbcUrl" } } }

diff --git a/helm/polaris/values.yaml b/helm/polaris/values.yaml
@@ -571,18 +571,32 @@ authentication:
   # -- The type of token broker to use. Two built-in types are supported: rsa-key-pair and symmetric-key.
   tokenBroker:
     type: rsa-key-pair  # symmetric-key
+    # -- Maximum token generation duration (e.g., PT1H for 1 hour).
     maxTokenGeneration: PT1H
     # -- The secret name to pull the public and private keys, or the symmetric key secret from.
     secret:
       # -- The name of the secret to pull the keys from. If not provided, a key pair will be generated.
       # This is not recommended for production.
       name: ~
-      # -- The public key file to use for RSA key pair token broker. Only required when using rsa-key-pair.
+      # -- DEPRECATED: Use `authentication.tokenBroker.secret.rsaKeyPair.publicKey` instead.
+      # Key name inside the secret for the public key
       publicKey: public.pem
-      # -- The private key file to use for RSA key pair token broker. Only required when using rsa-key-pair.
+      # -- DEPRECATED: Use `authentication.tokenBroker.secret.rsaKeyPair.privateKey` instead.
+      # Key name inside the secret for the private key
       privateKey: private.pem
-      # -- The symmetric key file to use for symmetric key token broker. Only required when using symmetric-key.
-      secretKey: secret
+      # -- DEPRECATED: Use `authentication.tokenBroker.secret.symmetricKey.secretKey` instead.
+      # Key name inside the secret for the symmetric key
+      secretKey: symmetric.pem
+      # -- Optional: configuration specific to RSA key pair secret.
+      rsaKeyPair:
+        # -- Key name inside the secret for the public key
+        publicKey: public.pem
+        # -- Key name inside the secret for the private key
+        privateKey: private.pem
+      # -- Optional: configuration specific to symmetric key secret.
+      symmetricKey:
+        # -- Key name inside the secret for the symmetric key
+        secretKey: symmetric.pem
 
 # -- Polaris CORS configuration.
 cors: