chore(security): replace TLS cert/key PEM placeholders with obvious placeholders

kriscoleman · claude · kriscoleman · commit 64d366b85769 · 2026-06-22T11:19:21.000-04:00
The mlflow chart and the self-signed-vs-user-provided-tls pattern shipped example
TLS values as empty PEM blocks:

    cert: |
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      -----END PRIVATE KEY-----

GitHub secret scanning flags these (generic private key) even though they're
empty, which clutters the security reports and makes audits noisier.

Replace them with explicit, obviously-fake placeholders
(REPLACE_WITH_YOUR_PEM_ENCODED_TLS_CERTIFICATE / ..._PRIVATE_KEY) so there are no
PEM markers left to flag, it's unmistakable that nothing real is committed, and
it's clear a real value must be supplied. Regenerated the mlflow helm-docs README
table to match.

Co-Authored-By: Claude Fable 5 &lt;noreply@anthropic.com&gt;
diff --git a/applications/mlflow/charts/mlflow/README.md b/applications/mlflow/charts/mlflow/README.md
@@ -835,7 +835,7 @@ When making changes to the MLflow Helm chart, corresponding updates may be neede
 | mlflow.image.repository | string | `"mlflow/mlflow"` | Image repository |
 | mlflow.image.tag | string | `"v3.3.2"` | Image tag |
 | mlflow.imagePullSecets | list | `[]` | Image pull secrets |
-| mlflow.ingress | object | `{"annotations":{},"className":"nginx","enabled":false,"extraHosts":[],"extraPaths":[],"extraRules":[],"extraTls":[],"hostname":"chart-example.local","path":"/","pathType":"ImplementationSpecific","tls":{"cert":"-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n","enabled":false,"genSelfSignedCert":false,"key":"-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----\n"}}` | Mlflow Ingress configuration [[ref]](https://kubernetes.io/docs/concepts/services-networking/ingress/) |
+| mlflow.ingress | object | `{"annotations":{},"className":"nginx","enabled":false,"extraHosts":[],"extraPaths":[],"extraRules":[],"extraTls":[],"hostname":"chart-example.local","path":"/","pathType":"ImplementationSpecific","tls":{"cert":"REPLACE_WITH_YOUR_PEM_ENCODED_TLS_CERTIFICATE","enabled":false,"genSelfSignedCert":false,"key":"REPLACE_WITH_YOUR_PEM_ENCODED_TLS_PRIVATE_KEY"}}` | Mlflow Ingress configuration [[ref]](https://kubernetes.io/docs/concepts/services-networking/ingress/) |
 | mlflow.ingress.annotations | object | `{}` | Annotations to add to the ingress |
 | mlflow.ingress.className | string | `"nginx"` | Ingress class name |
 | mlflow.ingress.enabled | bool | `false` | Specifies whether a ingress should be created |
@@ -846,7 +846,7 @@ When making changes to the MLflow Helm chart, corresponding updates may be neede
 | mlflow.ingress.hostname | string | `"chart-example.local"` | Ingress hostname |
 | mlflow.ingress.path | string | `"/"` | Ingress path |
 | mlflow.ingress.pathType | string | `"ImplementationSpecific"` | Ingress path type |
-| mlflow.ingress.tls | object | `{"cert":"-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n","enabled":false,"genSelfSignedCert":false,"key":"-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----\n"}` | Ingress TLS configuration |
+| mlflow.ingress.tls | object | `{"cert":"REPLACE_WITH_YOUR_PEM_ENCODED_TLS_CERTIFICATE","enabled":false,"genSelfSignedCert":false,"key":"REPLACE_WITH_YOUR_PEM_ENCODED_TLS_PRIVATE_KEY"}` | Ingress TLS configuration |
 | mlflow.ingress.tls.enabled | bool | `false` | Specifies whether to enable TLS |
 | mlflow.ingress.tls.genSelfSignedCert | bool | `false` | Specifies whether to generate self-signed certificate |
 | mlflow.labels | object | `{}` | Labels to add to the mlflow deployment |
diff --git a/applications/mlflow/charts/mlflow/values.yaml b/applications/mlflow/charts/mlflow/values.yaml
@@ -220,12 +220,12 @@ mlflow:
       enabled: false
       # -- Specifies whether to generate self-signed certificate
       genSelfSignedCert: false
-      cert: |
-        -----BEGIN CERTIFICATE-----
-        -----END CERTIFICATE-----
-      key: |
-        -----BEGIN PRIVATE KEY-----
-        -----END PRIVATE KEY-----
+      # -- PEM-encoded TLS certificate. Replace the placeholder with your real
+      # certificate (or set genSelfSignedCert: true to generate one).
+      cert: "REPLACE_WITH_YOUR_PEM_ENCODED_TLS_CERTIFICATE"
+      # -- PEM-encoded TLS private key. Replace the placeholder with your real key
+      # (or set genSelfSignedCert: true to generate one).
+      key: "REPLACE_WITH_YOUR_PEM_ENCODED_TLS_PRIVATE_KEY"
     # -- Extra hosts to configure for the ingress object
     extraHosts: []
     # -- Extra paths to configure for the ingress object
diff --git a/patterns/self-signed-vs-user-provided-tls/README.md b/patterns/self-signed-vs-user-provided-tls/README.md
@@ -14,12 +14,10 @@ ingress:
   tls:
     enabled: true
     genSelfSignedCert: true
-    cert: |
-      -----BEGIN CERTIFICATE-----
-      -----END CERTIFICATE-----
-    key: |
-      -----BEGIN PRIVATE KEY-----
-      -----END PRIVATE KEY-----
+    # Replace the placeholders with your real PEM-encoded cert/key, or set
+    # genSelfSignedCert: true to have them generated and omit these.
+    cert: "REPLACE_WITH_YOUR_PEM_ENCODED_TLS_CERTIFICATE"
+    key: "REPLACE_WITH_YOUR_PEM_ENCODED_TLS_PRIVATE_KEY"
 ```
 
 2. Add a tls secret to your chart and implement the templating to conditionally choose between user-provided and self-signed
