From 3e69a8da912eaee01c5287e1332c9c52ee2339da Mon Sep 17 00:00:00 2001 From: Stefan Hausotte Date: Thu, 15 Jan 2026 17:02:14 +0100 Subject: [PATCH 1/3] feat: Add support for a shared cookie signing key --- README.md | 24 +++++++++++++++++++++- charts/kellnr/Chart.yaml | 4 ++-- charts/kellnr/templates/_helpers.tpl | 20 ++++++++++++++++++ charts/kellnr/templates/config.yaml | 4 ++++ charts/kellnr/templates/secret-config.yaml | 2 ++ charts/kellnr/values.yaml | 6 ++++++ 6 files changed, 57 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 9e67c97..8e487ca 100644 --- a/README.md +++ b/README.md @@ -60,7 +60,29 @@ All settings can be set with the `--set name=value` flag on `helm install`. Some ### Kellnr -Check the [documentation](https://kellnr.io/documentation) and the [values.yaml](./charts/kellnr/values.yaml) for possible configuration values. +Check the [documentation](https://kellnr.io/documentation) and the [values.yaml](./charts/kellnr/values.yaml) for possible configuration values. + +#### Cookie signing key + +Kellnr uses a cookie signing key to sign its session cookie. + +| Setting | Required | Description | Default | +|----------------------------------|----------|-------------------------------------------------------------------------------------------------------------------|---------| +| kellnr.registry.cookieSigningKey | No | Cookie signing key used for `KELLNR_REGISTRY__COOKIE_SIGNING_KEY`. Must be at least 64 characters. | "" | + +Notes: + +- If `secret.enabled: true` and `kellnr.registry.cookieSigningKey` is empty, the chart will generate a random 64-character value and store it in the generated Secret. +- If `secret.enabled: false` (ConfigMap mode), you should set `kellnr.registry.cookieSigningKey` explicitly (otherwise the env var is not set). + +Example: + +````yaml +kellnr: + registry: + cookieSigningKey: "" +```` + ### Service diff --git a/charts/kellnr/Chart.yaml b/charts/kellnr/Chart.yaml index eb1e6a8..ffd168a 100644 
--- a/charts/kellnr/Chart.yaml +++ b/charts/kellnr/Chart.yaml @@ -13,9 +13,9 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 4.3.6 +version: 4.4.0-rc.1 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "5.10.1" +appVersion: "5.11.0-rc.1" diff --git a/charts/kellnr/templates/_helpers.tpl b/charts/kellnr/templates/_helpers.tpl index 413f39b..a2a1d41 100644 --- a/charts/kellnr/templates/_helpers.tpl +++ b/charts/kellnr/templates/_helpers.tpl @@ -71,3 +71,23 @@ Decide the proxy port number to use if set to auto {{- default 80 .Values.kellnr.origin.port }} {{- end }} {{- end }} + +{{/* +Cookie signing key used by Kellnr. +- If user provided a value, enforce min length (>= 64 bytes/chars). +- Else generate a random 64-char value. + +Note: Helm templates don't have a "bytes" unit here; we can only validate string length. +*/}} +{{- define "kellnr.cookieSigningKey" -}} +{{- $key := default "" .Values.kellnr.registry.cookieSigningKey -}} +{{- if ne $key "" -}} + {{- if lt (len $key) 64 -}} + {{- fail "kellnr.registry.cookieSigningKey must be at least 64 characters" -}} + {{- end -}} + {{- $key -}} +{{- else -}} + {{- randAlphaNum 64 -}} +{{- end -}} +{{- end }} + diff --git a/charts/kellnr/templates/config.yaml b/charts/kellnr/templates/config.yaml index aea36a9..b1b067b 100644 --- a/charts/kellnr/templates/config.yaml +++ b/charts/kellnr/templates/config.yaml 
@@ -11,7 +11,11 @@ data:
 KELLNR_REGISTRY__MAX_CRATE_SIZE: {{ .Values.kellnr.registry.maxCrateSize | quote }}
 KELLNR_REGISTRY__MAX_DB_CONNECTIONS: {{ .Values.kellnr.registry.maxDbConnections | quote }}
 KELLNR_REGISTRY__AUTH_REQUIRED: {{ .Values.kellnr.registry.authRequired | quote }}
+{{- if .Values.kellnr.registry.cookieSigningKey }}
+ KELLNR_REGISTRY__COOKIE_SIGNING_KEY: {{ .Values.kellnr.registry.cookieSigningKey | quote }}
+{{- end }}
 {{- if .Values.kellnr.registry.requiredCrateFields }}
+
 KELLNR_REGISTRY__REQUIRED_CRATE_FIELDS: {{ .Values.kellnr.registry.requiredCrateFields | quote }}
 {{- end }}
 KELLNR_REGISTRY__NEW_CRATES_RESTRICTED: {{ .Values.kellnr.registry.newCratesRestricted | quote }}
diff --git a/charts/kellnr/templates/secret-config.yaml b/charts/kellnr/templates/secret-config.yaml
index 88a82ee..92f164f 100644
--- a/charts/kellnr/templates/secret-config.yaml
+++ b/charts/kellnr/templates/secret-config.yaml
@@ -12,6 +12,8 @@ stringData:
 KELLNR_REGISTRY__CACHE_SIZE: {{ .Values.kellnr.registry.cacheSize | quote }}
 KELLNR_REGISTRY__MAX_CRATE_SIZE: {{ .Values.kellnr.registry.maxCrateSize | quote }}
 KELLNR_REGISTRY__AUTH_REQUIRED: {{ .Values.kellnr.registry.authRequired | quote }}
+ KELLNR_REGISTRY__COOKIE_SIGNING_KEY: {{ include "kellnr.cookieSigningKey" . | quote }}
+
 KELLNR_DOCS__ENABLED: {{ .Values.kellnr.docs.enabled | quote }}
 KELLNR_DOCS__MAX_SIZE: {{ .Values.kellnr.docs.maxSize | quote }}
 KELLNR_PROXY__ENABLED: {{ .Values.kellnr.proxy.enabled | quote }}
diff --git a/charts/kellnr/values.yaml b/charts/kellnr/values.yaml
index 63f4372..9a2d873 100644
--- a/charts/kellnr/values.yaml
+++ b/charts/kellnr/values.yaml
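Review bot: The ConfigMap template reads `.Values.kellnr.registry.cookieSigningKey` directly, so the 64-character minimum that `kellnr.cookieSigningKey` in `_helpers.tpl` enforces with `fail` only applies when `secret.enabled: true`; in ConfigMap mode a short key is accepted silently. Route it through the helper here too, `{{- $cookieKey := include "kellnr.cookieSigningKey" . -}}` / `{{- if ne $cookieKey "" }}` / `  KELLNR_REGISTRY__COOKIE_SIGNING_KEY: {{ $cookieKey | quote }}`, so both render paths share one validation point. A comment above the block should also state that in this mode the signing key lands in a ConfigMap rather than a Secret, so anyone with ConfigMap read access in the namespace can read it. The extra blank `+` line added inside the `requiredCrateFields` block appears unintended; it only adds an empty line to the rendered data but is worth dropping.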
@@ -71,6 +71,12 @@ kellnr: requiredCrateFields: "" # Comma-separated list of fields, e.g. "description,license,repository" newCratesRestricted: false maxDbConnections: 0 # 0 means no limit + + # Used to sign the session cookie. Must be at least 64 bytes. + # If empty, a random 64-byte value is generated by the chart (when `secret.enabled: true`). + # When `secret.enabled: false`, you should set this to a fixed value. + cookieSigningKey: "" + docs: enabled: false maxSize: 100 From f6321c7fbff38f80651abd43f2363054ad50a29b Mon Sep 17 00:00:00 2001 From: Stefan Hausotte Date: Thu, 15 Jan 2026 19:31:19 +0100 Subject: [PATCH 2/3] fix: Do not set a random cookie key --- README.md | 3 ++- charts/kellnr/templates/_helpers.tpl | 7 ++++--- charts/kellnr/templates/secret-config.yaml | 6 +++++- 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 8e487ca..324bddb 100644 --- a/README.md +++ b/README.md @@ -72,7 +72,8 @@ Kellnr uses a cookie signing key to sign its session cookie. Notes: -- If `secret.enabled: true` and `kellnr.registry.cookieSigningKey` is empty, the chart will generate a random 64-character value and store it in the generated Secret. +- If `secret.enabled: true` and `kellnr.registry.cookieSigningKey` is empty, the chart will **not** set `KELLNR_REGISTRY__COOKIE_SIGNING_KEY`. + - If `secret.enabled: false` (ConfigMap mode), you should set `kellnr.registry.cookieSigningKey` explicitly (otherwise the env var is not set). Example: diff --git a/charts/kellnr/templates/_helpers.tpl b/charts/kellnr/templates/_helpers.tpl index a2a1d41..4dd3368 100644 --- a/charts/kellnr/templates/_helpers.tpl +++ b/charts/kellnr/templates/_helpers.tpl 
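Review bot: The new `cookieSigningKey` comment tells users in ConfigMap mode to set a fixed value but not where that value ends up: with `secret.enabled: false` the key is rendered into the ConfigMap produced by `config.yaml`, not a Secret, so it is readable by any principal with ConfigMap read access in the namespace. Suggest adding a line such as `# Note: with secret.enabled: false the key is stored in a plain ConfigMap; prefer secret.enabled: true.` Since the value is also retained in the release's stored values, the comment could add that it should be supplied from a values file kept out of version control rather than typed inline on the command line.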
@@ -74,8 +74,8 @@ Decide the proxy port number to use if set to auto {{/* Cookie signing key used by Kellnr. -- If user provided a value, enforce min length (>= 64 bytes/chars). -- Else generate a random 64-char value. +- If user provided a value, enforce min length (>= 64 bytes/chars) and return it. +- If not provided, return empty string so the env var can be omitted entirely. Note: Helm templates don't have a "bytes" unit here; we can only validate string length. */}} @@ -87,7 +87,8 @@ Note: Helm templates don't have a "bytes" unit here; we can only validate string {{- end -}} {{- $key -}} {{- else -}} - {{- randAlphaNum 64 -}} + {{- "" -}} {{- end -}} {{- end }} + diff --git a/charts/kellnr/templates/secret-config.yaml b/charts/kellnr/templates/secret-config.yaml index 92f164f..529d46e 100644 --- a/charts/kellnr/templates/secret-config.yaml +++ b/charts/kellnr/templates/secret-config.yaml @@ -12,7 +12,11 @@ stringData: KELLNR_REGISTRY__CACHE_SIZE: {{ .Values.kellnr.registry.cacheSize | quote }} KELLNR_REGISTRY__MAX_CRATE_SIZE: {{ .Values.kellnr.registry.maxCrateSize | quote }} KELLNR_REGISTRY__AUTH_REQUIRED: {{ .Values.kellnr.registry.authRequired | quote }} - KELLNR_REGISTRY__COOKIE_SIGNING_KEY: {{ include "kellnr.cookieSigningKey" . | quote }} +{{- $cookieKey := include "kellnr.cookieSigningKey" . -}} +{{- if ne $cookieKey "" }} + KELLNR_REGISTRY__COOKIE_SIGNING_KEY: {{ $cookieKey | quote }} +{{- end }} + KELLNR_DOCS__ENABLED: {{ .Values.kellnr.docs.enabled | quote }} KELLNR_DOCS__MAX_SIZE: {{ .Values.kellnr.docs.maxSize | quote }} From bbb6d3bf6c8e99f143efe292de3c8b2ee0fbaef7 Mon Sep 17 00:00:00 2001 From: Stefan Hausotte Date: Fri, 16 Jan 2026 09:13:36 +0100 Subject: [PATCH 3/3] chore: clean up --- charts/kellnr/Chart.yaml | 4 ++-- charts/kellnr/values.yaml | 9 +++++---- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/charts/kellnr/Chart.yaml b/charts/kellnr/Chart.yaml index ffd168a..ad7c8ac 100644 --- a/charts/kellnr/Chart.yaml 
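Review bot: The helper's doc comment now says an unset key yields an empty string so the env var is omitted, but the `cookieSigningKey` comment in `charts/kellnr/values.yaml` added in PATCH 1/3 still reads "If empty, a random 64-byte value is generated by the chart (when `secret.enabled: true`)", which this commit makes false, and PATCH 3/3's values.yaml hunks do not touch that line as far as this series shows. Replace it with `# If empty, KELLNR_REGISTRY__COOKIE_SIGNING_KEY is not set at all (see the replicaCount note at the top of this file).` The `{{- $cookieKey := include "kellnr.cookieSigningKey" . -}}` plus `{{- if ne $cookieKey "" }}` guard in `secret-config.yaml` is the right shape; `config.yaml` still reads the raw value and so bypasses the helper's length check. This patch also appends a second trailing blank line to `_helpers.tpl`; one is enough.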
+++ b/charts/kellnr/Chart.yaml @@ -13,9 +13,9 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 4.4.0-rc.1 +version: 4.4.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "5.11.0-rc.1" +appVersion: "5.11.0" diff --git a/charts/kellnr/values.yaml b/charts/kellnr/values.yaml index 9a2d873..4ae486e 100644 --- a/charts/kellnr/values.yaml +++ b/charts/kellnr/values.yaml @@ -2,6 +2,9 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +# For more than 1 replica, it is recommended +# to set the "cookieSigningKey", to share auth. +# cookies for the UI between the replicas. replicaCount: 1 strategy: @@ -31,8 +34,7 @@ serviceAccount: podAnnotations: {} -podSecurityContext: - {} +podSecurityContext: {} # fsGroup: 2000 securityContext: @@ -184,8 +186,7 @@ dns: searches: - "" -resources: - {} +resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following
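Review bot: The new note above `replicaCount` names `"cookieSigningKey"` without its path and the wording "auth. cookies" reads awkwardly; suggest `# With more than one replica, set kellnr.registry.cookieSigningKey so the UI session cookie is accepted by every replica.` Nothing enforces the recommendation, so consider having the chart `fail` (or warn in NOTES.txt, if the chart has one) when `replicaCount` is greater than 1 and the key is empty; otherwise the likely symptom is intermittent UI logouts behind the Service with no hint as to why. The other two hunks in this file are whitespace-only.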