marmotdata
diff --git a/‎charts/marmot/Chart.yaml‎
Lines changed: 2 additions & 2 deletions b/‎charts/marmot/Chart.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎charts/marmot/templates/NOTES.txt‎
Lines changed: 68 additions & 4 deletions b/‎charts/marmot/templates/NOTES.txt‎
Lines changed: 68 additions & 4 deletions
diff --git a/‎charts/marmot/templates/deployment.yaml‎
Lines changed: 59 additions & 2 deletions b/‎charts/marmot/templates/deployment.yaml‎
Lines changed: 59 additions & 2 deletions
diff --git a/‎charts/marmot/templates/encryption-key-job.yaml‎
Lines changed: 75 additions & 0 deletions b/‎charts/marmot/templates/encryption-key-job.yaml‎
Lines changed: 75 additions & 0 deletions
diff --git a/‎charts/marmot/templates/role.yaml‎
Lines changed: 21 additions & 0 deletions b/‎charts/marmot/templates/role.yaml‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎charts/marmot/templates/rolebinding.yaml‎
Lines changed: 21 additions & 0 deletions b/‎charts/marmot/templates/rolebinding.yaml‎
Lines changed: 21 additions & 0 deletions
@@ -2,8 +2,8 @@ apiVersion: v2
 name: marmot
 description: Marmot is an open-source data catalog that helps teams discover, understand, and govern their data assets. It's designed for modern data ecosystems where data flows through multiple systems, formats, and teams.
 type: application
-version: 0.2.0
-appVersion: "0.2.0"
+version: 0.4.1
+appVersion: "0.4.1"
 home: https://github.com/marmotdata/marmot
 sources:
   - https://github.com/marmotdata/marmot
 
@@ -1,5 +1,69 @@
-{{- if .Values.postgresql.enabled }}
-⚠️  WARNING: You are using the embedded PostgreSQL database.
-⚠️  This is NOT recommended for production use!
-⚠️  For production deployments, please use an external PostgreSQL instance.
+Thank you for installing {{ .Chart.Name }}!
+
+Your release is named {{ .Release.Name }}.
+
+To access Marmot:
+
+{{- if .Values.ingress.enabled }}
+{{- range .Values.ingress.hosts }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ .host }}
 {{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "marmot.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "marmot.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "marmot.fullname" . }} 8080:{{ .Values.service.port }}
+  echo http://127.0.0.1:8080
+{{- end }}
+
+Default credentials: admin / admin
+
+{{- if and (not .Values.config.server.encryptionKey) (not .Values.config.server.encryptionKeySecretRef) .Values.config.server.autoGenerateEncryptionKey }}
+
+═══════════════════════════════════════════════════════════════
+⚠️  ENCRYPTION KEY AUTO-GENERATED
+═══════════════════════════════════════════════════════════════
+
+An encryption key was automatically generated and stored in:
+  Secret: {{ include "marmot.fullname" . }}-encryption-key
+  Namespace: {{ .Release.Namespace }}
+
+BACK UP THIS KEY IMMEDIATELY:
+
+  kubectl get secret {{ include "marmot.fullname" . }}-encryption-key \
+    -n {{ .Release.Namespace }} \
+    -o jsonpath='{.data.encryption-key}' | base64 -d
+
+Store this key securely! Loss of this key means:
+  • Permanent loss of encrypted pipeline credentials
+  • Inability to decrypt existing pipeline configurations
+
+The secret will persist even if you uninstall this release.
+
+═══════════════════════════════════════════════════════════════
+{{- end }}
+
+{{- if .Values.config.server.allowUnencrypted }}
+
+═══════════════════════════════════════════════════════════════
+⚠️  WARNING: ENCRYPTION DISABLED
+═══════════════════════════════════════════════════════════════
+
+Pipeline credentials will be stored in PLAINTEXT in the database.
+This is a SECURITY RISK and should only be used for development.
+
+To enable encryption:
+  1. Generate a key: marmot generate-encryption-key
+  2. Store in a secret and update your values.yaml
+  3. Upgrade this release
+
+═══════════════════════════════════════════════════════════════
+{{- end }}
+
+For more information:
+  Docs: https://docs.marmotdata.io
+  Support: https://github.com/marmotdata/marmot/issues
@@ -59,7 +59,34 @@ spec:
             - name: MARMOT_SERVER_ROOT_URL
               value: {{ .Values.config.server.rootUrl | quote }}
             {{- end }}
-            
+            {{- if or .Values.config.server.encryptionKey .Values.config.server.encryptionKeySecretRef .Values.config.server.autoGenerateEncryptionKey }}
+            - name: MARMOT_SERVER_ENCRYPTION_KEY
+              {{- if .Values.config.server.encryptionKeySecretRef }}
+              {{- if and .Values.config.server.encryptionKey .Values.config.server.encryptionKeySecretRef }}
+              {{- fail "Cannot specify both config.server.encryptionKey and config.server.encryptionKeySecretRef" }}
+              {{- end }}
+              {{- if .Values.config.server.autoGenerateEncryptionKey }}
+              {{- fail "Cannot specify both config.server.autoGenerateEncryptionKey and config.server.encryptionKeySecretRef" }}
+              {{- end }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.server.encryptionKeySecretRef.name }}
+                  key: {{ .Values.config.server.encryptionKeySecretRef.key }}
+              {{- else if .Values.config.server.encryptionKey }}
+              {{- if .Values.config.server.autoGenerateEncryptionKey }}
+              {{- fail "Cannot specify both config.server.autoGenerateEncryptionKey and config.server.encryptionKey" }}
+              {{- end }}
+              value: {{ .Values.config.server.encryptionKey | quote }}
+              {{- else if .Values.config.server.autoGenerateEncryptionKey }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "marmot.fullname" . }}-encryption-key
+                  key: encryption-key
+              {{- end }}
+            {{- end }}
+            - name: MARMOT_SERVER_ALLOW_UNENCRYPTED
+              value: {{ .Values.config.server.allowUnencrypted | quote }}
+
             # Database configuration - use subchart values if enabled
             - name: MARMOT_DATABASE_HOST
               {{- if .Values.postgresql.enabled }}
@@ -126,6 +153,8 @@ spec:
             {{- end }}
 
             # Auth configuration
+            - name: MARMOT_AUTH_OPENLINEAGE_ENABLED
+              value: {{ .Values.config.auth.openlineage.enabled | quote }}
             - name: MARMOT_AUTH_ANONYMOUS_ENABLED
               value: {{ .Values.config.auth.anonymous.enabled | quote }}
             - name: MARMOT_AUTH_ANONYMOUS_ROLE
@@ -162,7 +191,35 @@ spec:
               value: {{ .Values.config.auth.providers.okta.clientSecret | quote }}
               {{- end }}
             {{- end }}
-            
+
+            # Rate limit configuration
+            - name: MARMOT_RATE_LIMIT_ENABLED
+              value: {{ .Values.config.rateLimit.enabled | quote }}
+
+            # UI configuration
+            - name: MARMOT_UI_BANNER_ENABLED
+              value: {{ .Values.config.ui.banner.enabled | quote }}
+            {{- if .Values.config.ui.banner.enabled }}
+            - name: MARMOT_UI_BANNER_DISMISSIBLE
+              value: {{ .Values.config.ui.banner.dismissible | quote }}
+            - name: MARMOT_UI_BANNER_VARIANT
+              value: {{ .Values.config.ui.banner.variant | quote }}
+            - name: MARMOT_UI_BANNER_MESSAGE
+              value: {{ .Values.config.ui.banner.message | quote }}
+            - name: MARMOT_UI_BANNER_ID
+              value: {{ .Values.config.ui.banner.id | quote }}
+            {{- end }}
+
+            # Pipelines configuration
+            - name: MARMOT_PIPELINES_MAX_WORKERS
+              value: {{ .Values.config.pipelines.maxWorkers | quote }}
+            - name: MARMOT_PIPELINES_SCHEDULER_INTERVAL
+              value: {{ .Values.config.pipelines.schedulerInterval | quote }}
+            - name: MARMOT_PIPELINES_LEASE_EXPIRY
+              value: {{ .Values.config.pipelines.leaseExpiry | quote }}
+            - name: MARMOT_PIPELINES_CLAIM_EXPIRY
+              value: {{ .Values.config.pipelines.claimExpiry | quote }}
+
             # Additional environment variables
             {{- range $key, $value := .Values.env }}
             - name: {{ $key }}
 
@@ -0,0 +1,75 @@
+{{- if and (not .Values.config.server.encryptionKey) (not .Values.config.server.encryptionKeySecretRef) .Values.config.server.autoGenerateEncryptionKey }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "marmot.fullname" . }}-encryption-key-generator
+  labels:
+    {{- include "marmot.labels" . | nindent 4 }}
+    app.kubernetes.io/component: encryption-key-generator
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  template:
+    metadata:
+      name: {{ include "marmot.fullname" . }}-encryption-key-generator
+      labels:
+        {{- include "marmot.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: encryption-key-generator
+    spec:
+      restartPolicy: Never
+      serviceAccountName: {{ include "marmot.serviceAccountName" . }}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        fsGroup: 65534
+      containers:
+      - name: generate-key
+        image: bitnami/kubectl:latest
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+        command:
+        - /bin/bash
+        - -c
+        - |
+          set -e
+
+          SECRET_NAME="{{ include "marmot.fullname" . }}-encryption-key"
+          NAMESPACE="{{ .Release.Namespace }}"
+
+          echo "Checking if encryption key secret exists..."
+
+          if kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" &>/dev/null; then
+            echo "✅ Encryption key secret already exists: $SECRET_NAME"
+            echo "   Skipping key generation"
+            exit 0
+          fi
+
+          echo "Generating new encryption key..."
+          # Generate a 32-byte random key and encode as base64
+          ENCRYPTION_KEY=$(openssl rand -base64 32)
+
+          echo "Creating Kubernetes secret: $SECRET_NAME"
+          kubectl create secret generic "$SECRET_NAME" \
+            --namespace="$NAMESPACE" \
+            --from-literal=encryption-key="$ENCRYPTION_KEY"
+
+          kubectl label secret "$SECRET_NAME" \
+            --namespace="$NAMESPACE" \
+            app.kubernetes.io/name={{ include "marmot.name" . }} \
+            app.kubernetes.io/instance={{ .Release.Name }} \
+            app.kubernetes.io/managed-by={{ .Release.Service }} \
+            app.kubernetes.io/component=encryption-key
+
+          kubectl annotate secret "$SECRET_NAME" \
+            --namespace="$NAMESPACE" \
+            "helm.sh/resource-policy"="keep"
+
+          echo "✅ Encryption key generated and stored in secret: $SECRET_NAME"
+{{- end }}
@@ -0,0 +1,21 @@
+{{- if and (not .Values.config.server.encryptionKey) (not .Values.config.server.encryptionKeySecretRef) .Values.config.server.autoGenerateEncryptionKey }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "marmot.fullname" . }}-encryption-key-manager
+  labels:
+    {{- include "marmot.labels" . | nindent 4 }}
+    app.kubernetes.io/component: encryption-key-manager
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "create", "update", "patch"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  resourceNames: ["{{ include "marmot.fullname" . }}-encryption-key"]
+  verbs: ["get", "update", "patch"]
+{{- end }}
@@ -0,0 +1,21 @@
+{{- if and (not .Values.config.server.encryptionKey) (not .Values.config.server.encryptionKeySecretRef) .Values.config.server.autoGenerateEncryptionKey }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "marmot.fullname" . }}-encryption-key-manager
+  labels:
+    {{- include "marmot.labels" . | nindent 4 }}
+    app.kubernetes.io/component: encryption-key-manager
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "marmot.fullname" . }}-encryption-key-manager
+subjects:
+- kind: ServiceAccount
+  name: {{ include "marmot.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}