fix(helm): disable Keycloak test user by default

jezekra1 · jezekra1 · commit f2385b7c7a6a · 2026-04-13T11:21:36.000+02:00
Production deployments must not ship a known dev/dev credential. The
test user is now opt-in via values-local.yaml (cluster:install) and
values-test.yaml (e2e tests).

Assisted-By: Claude (Anthropic AI) &lt;noreply@anthropic.com&gt;
Signed-off-by: Radek Ježek &lt;radek.jezek@ibm.com&gt;
diff --git a/deploy/helm/humr/templates/NOTES.txt b/deploy/helm/humr/templates/NOTES.txt
@@ -14,7 +14,9 @@ Components:
   - Keycloak:   {{ include "humr.keycloak.fullname" . }}.{{ .Release.Namespace }}.svc:{{ .Values.keycloak.port }}
     - Admin:    {{ include "humr.url.keycloak" . }} (user: {{ .Values.keycloak.admin.user }})
     - Realm:    {{ .Values.keycloak.realm }}
+    {{- if .Values.keycloak.testUser.enabled }}
     - Test user: {{ .Values.keycloak.testUser.username }} / {{ .Values.keycloak.testUser.password }}
+    {{- end }}
 {{- end }}
 
 Agent namespace: {{ .Values.agentNamespace }}
diff --git a/deploy/helm/humr/templates/keycloak/realm-configmap.yaml b/deploy/helm/humr/templates/keycloak/realm-configmap.yaml
@@ -137,6 +137,7 @@ data:
         }
       ],
       "users": [
+        {{- if .Values.keycloak.testUser.enabled }}
         {
           "username": {{ .Values.keycloak.testUser.username | quote }},
           "enabled": true,
@@ -152,6 +153,7 @@ data:
             }
           ]
         }
+        {{- end }}
       ]
     }
 {{- end }}
diff --git a/deploy/helm/humr/values-local.yaml b/deploy/helm/humr/values-local.yaml
@@ -24,3 +24,10 @@ defaultTemplate:
     repository: humr-example-agent
     tag: latest
     pullPolicy: Never
+
+# Bootstrap a known dev/dev user for local cluster — never enabled in production.
+keycloak:
+  testUser:
+    enabled: true
+    username: dev
+    password: dev
diff --git a/deploy/helm/humr/values-test.yaml b/deploy/helm/humr/values-test.yaml
@@ -19,6 +19,11 @@ onecli:
       memory: 512Mi
 
 keycloak:
+  # E2E tests log in as dev/dev — never enabled in production.
+  testUser:
+    enabled: true
+    username: dev
+    password: dev
   resources:
     requests:
       cpu: 100m
diff --git a/deploy/helm/humr/values.yaml b/deploy/helm/humr/values.yaml
@@ -126,10 +126,13 @@ keycloak:
   controllerClientId: humr-controller
   controllerClientSecret: ""
 
-  # -- Test user bootstrapped via realm import
+  # -- Test user bootstrapped via realm import.
+  # DISABLED by default — production deployments must not ship a known credential.
+  # Local dev (values-local.yaml) and e2e tests (values-test.yaml) enable it.
   testUser:
-    username: dev
-    password: dev
+    enabled: false
+    username: ""
+    password: ""
 
   # -- Database connection (empty host = use shared local postgres)
   db:

Original file line number	Diff line number	Diff line change
`@@ -137,6 +137,7 @@ data:`
`137`	`137`	`}`
`138`	`138`	`],`
`139`	`139`	`"users": [`
	`140`	`+ {{- if .Values.keycloak.testUser.enabled }}`
`140`	`141`	`{`
`141`	`142`	`"username": {{ .Values.keycloak.testUser.username \| quote }},`
`142`	`143`	`"enabled": true,`
`@@ -152,6 +153,7 @@ data:`
`152`	`153`	`}`
`153`	`154`	`]`
`154`	`155`	`}`
	`156`	`+ {{- end }}`
`155`	`157`	`]`
`156`	`158`	`}`
`157`	`159`	`{{- end }}`