WorkloadManager has auth middleware, but the Helm chart never passes --enable-auth, so the deployed service runs with auth skipped.
That means any in-cluster client that can reach workloadmanager can hit create/delete session APIs directly. Router auth/RLAC does not help if the backend API is reachable.
Steps:
- Render/install the base chart.
- Check the workloadmanager deployment args.
- --enable-auth is missing.
- Request handling goes through authMiddleware, sees EnableAuth == false, and continues
Expected:
The chart should enable WorkloadManager auth, or expose an explicit value that defaults to the secure path.
Actual:
Auth is disabled by default in the rendered deployment.
Environment:
Current main, base Helm chart.
WorkloadManager has auth middleware, but the Helm chart never passes --enable-auth, so the deployed service runs with auth skipped.
That means any in-cluster client that can reach workloadmanager can hit create/delete session APIs directly. Router auth/RLAC does not help if the backend API is reachable.
Steps:
Expected:
The chart should enable WorkloadManager auth, or expose an explicit value that defaults to the secure path.
Actual:
Auth is disabled by default in the rendered deployment.
Environment:
Current main, base Helm chart.