fix(security): auto-generate JWT and encryption secrets on first boot

New installations no longer ship with hardcoded secrets. On first boot,
cryptographically secure random values are generated and persisted in a
new system_secrets table. Subsequent restarts read from the database,
ensuring stable secrets without any manual configuration.

Priority chain: env var > database > auto-generate.

Upgrade safety for existing installations:
- If KITE_ENCRYPT_KEY env var was set: unchanged, value is persisted to DB
- If running with the hardcoded default: existing encrypted data is
  detected, the default is preserved in DB, and a loud warning is emitted
  urging operators to rotate to a secure key
- JWT secret follows the same logic (session invalidation on rotation is
  acceptable — users simply re-authenticate)

Helm chart changes:
- jwtSecret and encryptKey default to empty (auto-generated by the app)
- Secret template only injects env vars when values are non-empty
- existingSecret workflow is unaffected

Removes the redundant KITE_ENCRYPT_KEY warning from LoadEnvs (now
handled by EnsureSecrets with better migration-aware logic).

Author: DioCrafts

charts/kite/templates/secret.yaml

@@ -8,8 +8,12 @@ metadata:
     {{- include "kite.labels" . | nindent 4 }}
 type: Opaque
 data:
+  {{- if .Values.jwtSecret }}
   JWT_SECRET: {{ .Values.jwtSecret | b64enc | quote }}
+  {{- end }}
+  {{- if .Values.encryptKey }}
   KITE_ENCRYPT_KEY: {{ .Values.encryptKey | b64enc | quote }}
+  {{- end }}
   {{- if ne .Values.db.type "sqlite" }}
   DB_TYPE: {{ .Values.db.type | b64enc | quote }}
   DB_DSN: {{ .Values.db.dsn | b64enc | quote }}

charts/kite/values.yaml

@@ -49,15 +49,18 @@ basePath: ""
 # Be careful with this setting in production
 anonymousUserEnabled: false
 
-# This is the key used for signing JWT tokens
-# Change this in production
-# Ignored if using existingSecret
-jwtSecret: "kite-default-jwt-secret-key-change-in-production"
+# Secret key used for signing JWT tokens.
+# If empty, the application auto-generates a secure random key on first
+# boot and persists it in the database (recommended for most setups).
+# Set explicitly to override or when sharing state across replicas.
+# Ignored if using existingSecret.
+jwtSecret: ""
 
-# This is the key used for encrypting sensitive data
-# Change this in production
-# Ignored if using existingSecret
-encryptKey: "kite-default-encryption-key-change-in-production"
+# Key used for encrypting sensitive data (OAuth secrets, etc.).
+# If empty, the application auto-generates a secure random key on first
+# boot and persists it in the database.
+# Ignored if using existingSecret.
+encryptKey: ""
 
 # Superuser configuration
 # Used to create an initial superuser account on first startup
@@ -305,3 +308,85 @@ nodeSelector: {}
 tolerations: []
 
 affinity: {}
+
+# ══════════════════════════════════════════════════════════════════════════════
+# Declarative Configuration via KiteConfig CRD
+# ══════════════════════════════════════════════════════════════════════════════
+# When enabled, the chart creates a KiteConfig custom resource that Kite's
+# built-in controller watches and reconciles to the database automatically.
+# This enables fully declarative, GitOps-ready configuration of:
+#   - OAuth/OIDC providers
+#   - RBAC roles and group/user assignments
+#   - General application settings (AI, kubectl, analytics, etc.)
+#
+# The CRD (kiteconfigs.kite.io) is installed automatically via charts/kite/crds/.
+# Kite also self-registers the CRD at startup if RBAC allows it.
+#
+# Usage:
+#   1. Set kiteConfig.enabled: true
+#   2. Configure the sections below
+#   3. helm upgrade --install kite kite/kite -f your-values.yaml
+#   4. Kite detects the KiteConfig CR and applies it within seconds
+#
+# Example with Azure Entra ID:
+#   kiteConfig:
+#     enabled: true
+#     oauth:
+#       providers:
+#         - name: "microsoft-entra-id"
+#           issuerUrl: "https://login.microsoftonline.com/YOUR_TENANT/v2.0"
+#           secretRef:
+#             name: kite-oauth-credentials
+#             clientIdKey: client-id
+#             clientSecretKey: client-secret
+#           authUrl: "https://login.microsoftonline.com/YOUR_TENANT/oauth2/v2.0/authorize"
+#           tokenUrl: "https://login.microsoftonline.com/YOUR_TENANT/oauth2/v2.0/token"
+#           userInfoUrl: "https://graph.microsoft.com/oidc/userinfo"
+#           scopes: "openid profile email User.Read"
+#     roles:
+#       - name: admin
+#         assignments:
+#           - { subjectType: group, subject: "aad-group-id-for-admins" }
+#       - name: viewer
+#         assignments:
+#           - { subjectType: group, subject: "aad-group-id-for-viewers" }
+#       - name: project-alpha-dev
+#         description: "Developer access for Project Alpha"
+#         namespaces: ["alpha-dev", "alpha-pre"]
+#         verbs: ["get", "log", "terminal"]
+#         assignments:
+#           - { subjectType: group, subject: "aad-group-id-alpha-devs" }
+#     generalSettings:
+#       kubectlEnabled: true
+#       enableAnalytics: false
+# ══════════════════════════════════════════════════════════════════════════════
+kiteConfig:
+  # Set to true to create a KiteConfig CR from these values
+  enabled: false
+
+  # OAuth/OIDC providers
+  # oauth:
+  #   providers:
+  #     - name: "my-oidc-provider"
+  #       issuerUrl: ""
+  #       secretRef:
+  #         name: my-oauth-secret
+  #       scopes: "openid profile email"
+
+  # RBAC roles with assignments
+  # roles:
+  #   - name: admin
+  #     assignments:
+  #       - { subjectType: group, subject: "admin-group-id" }
+  #   - name: custom-role
+  #     description: "Custom scoped role"
+  #     namespaces: ["ns1", "ns2"]
+  #     verbs: ["get"]
+  #     assignments:
+  #       - { subjectType: group, subject: "group-id" }
+
+  # General settings
+  # generalSettings:
+  #   kubectlEnabled: true
+  #   enableAnalytics: false
+  #   enableVersionCheck: true

docs/config/chart-values.md

@@ -21,8 +21,8 @@ This document describes all available configuration options for the Kite Helm Ch
 | Parameter              | Description                                                                              | Default                                              |
 | ---------------------- | ---------------------------------------------------------------------------------------- | ---------------------------------------------------- |
 | `anonymousUserEnabled` | Enable anonymous user access with full admin privileges. Use with caution in production. | `false`                                              |
-| `jwtSecret`            | Secret key used for signing JWT tokens. Change this in production.                       | `"kite-default-jwt-secret-key-change-in-production"` |
-| `encryptKey`           | Secret key used for encrypting sensitive data. Change this in production.                | `"kite-default-encryption-key-change-in-production"` |
+| `jwtSecret`            | Secret key for signing JWT tokens. Auto-generated on first boot if empty.                | `""`                                                 |
+| `encryptKey`           | Secret key for encrypting sensitive data. Auto-generated on first boot if empty.         | `""`                                                 |
 | `host`                 | Hostname for the application                                                             | `""`                                                 |
 
 ## Database Configuration

docs/zh/config/chart-values.md

@@ -21,8 +21,8 @@
 | 参数                   | 描述                                                       | 默认值                                               |
 | ---------------------- | ---------------------------------------------------------- | ---------------------------------------------------- |
 | `anonymousUserEnabled` | 启用匿名用户访问，拥有完全管理员权限。生产环境请谨慎使用。 | `false`                                              |
-| `jwtSecret`            | 用于签名 JWT 令牌的密钥。生产环境请修改此值。              | `"kite-default-jwt-secret-key-change-in-production"` |
-| `encryptKey`           | 用于加密敏感数据的密钥。生产环境请修改此值。               | `"kite-default-encryption-key-change-in-production"` |
+| `jwtSecret`            | 用于签名 JWT 令牌的密钥。为空时首次启动自动生成。         | `""`                                                 |
+| `encryptKey`           | 用于加密敏感数据的密钥。为空时首次启动自动生成。           | `""`                                                 |
 | `host`                 | 应用程序的主机名                                           | `""`                                                 |
 
 ## 数据库配置

main.go

@@ -242,6 +242,7 @@ func main() {
 	r.Use(middleware.Logger())
 	r.Use(middleware.CORS())
 	model.InitDB()
+	model.EnsureSecrets()
 	if _, err := model.GetGeneralSetting(); err != nil {
 		klog.Warningf("Failed to load general setting: %v", err)
 	}

pkg/common/common.go

@@ -85,8 +85,6 @@ func LoadEnvs() {
 
 	if key := os.Getenv("KITE_ENCRYPT_KEY"); key != "" {
 		KiteEncryptKey = key
-	} else {
-		klog.Warningf("KITE_ENCRYPT_KEY is not set, using default key, this is not secure for production!")
 	}
 
 	if v := os.Getenv("ANONYMOUS_USER_ENABLED"); v == "true" {

pkg/model/model.go

@@ -91,6 +91,7 @@ func InitDB() {
 		}
 	}
 	models := []interface{}{
+		SystemSecret{},
 		User{},
 		Cluster{},
 		GeneralSetting{},

pkg/model/system_secret.go

@@ -0,0 +1,157 @@
+package model
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"errors"
+	"os"
+
+	"github.com/zxh326/kite/pkg/common"
+	"gorm.io/gorm"
+	"k8s.io/klog/v2"
+)
+
+// SystemSecret stores auto-generated application secrets in the database.
+// Values are stored as plain text (NOT SecretString) because one of the
+// secrets IS the encryption key itself — encrypting it would be circular.
+type SystemSecret struct {
+	Name  string `gorm:"primaryKey;column:name;type:varchar(64)"`
+	Value string `gorm:"column:value;type:text;not null"`
+}
+
+const (
+	secretNameJWT     = "jwt_secret"
+	secretNameEncrypt = "encrypt_key"
+
+	// Known insecure defaults shipped in source code and Helm chart.
+	defaultJWTSecret  = "kite-default-jwt-secret-key-change-in-production"
+	defaultEncryptKey = "kite-default-encryption-key-change-in-production"
+)
+
+// EnsureSecrets guarantees that JwtSecret and KiteEncryptKey hold
+// cryptographically secure values. It must be called after InitDB()
+// and before any code that reads SecretString from the database.
+//
+// Priority for each secret:
+//  1. Environment variable (set via LoadEnvs) — always wins
+//  2. Value previously stored in the database — survives restarts
+//  3. Auto-generated random value — first boot
+//
+// For upgrades from older versions that ran with the hardcoded default
+// encryption key, existing encrypted data is detected and the default
+// is persisted so that data remains readable. A loud warning is emitted.
+func EnsureSecrets() {
+	common.JwtSecret = ensureOneSecret(
+		secretNameJWT, common.JwtSecret, "JWT_SECRET", defaultJWTSecret, false,
+		os.Getenv("JWT_SECRET") != "",
+	)
+	common.KiteEncryptKey = ensureOneSecret(
+		secretNameEncrypt, common.KiteEncryptKey, "KITE_ENCRYPT_KEY", defaultEncryptKey, true,
+		os.Getenv("KITE_ENCRYPT_KEY") != "",
+	)
+}
+
+func ensureOneSecret(dbName, currentValue, envName, knownDefault string, isEncryptionKey, envWasSet bool) string {
+	// ── 1. Env var was explicitly set → use it directly ──
+	// Do NOT persist to the database: operators who provide secrets via
+	// env vars expect them to stay outside the DB. Writing them to
+	// system_secrets would be a security regression (DB-only read
+	// exposure would reveal the signing/encryption keys).
+	if envWasSet {
+		return currentValue
+	}
+
+	// ── 2. Previously stored in database → use it ──
+	if stored := loadSecret(dbName); stored != "" {
+		return stored
+	}
+
+	// ── 3. No env var, no stored value. Fresh install or upgrade? ──
+	if isEncryptionKey && hasExistingEncryptedData() {
+		// Upgrade path: existing data was encrypted with the default key.
+		// Persist it so subsequent restarts keep working. Warn loudly.
+		persistSecret(dbName, currentValue)
+		klog.Warningf("════════════════════════════════════════════════════════════")
+		klog.Warningf("  %s is using the insecure hardcoded default.", envName)
+		klog.Warningf("  Existing encrypted data has been preserved.")
+		klog.Warningf("  Please set %s to a secure random value", envName)
+		klog.Warningf("  and re-encrypt your data.")
+		klog.Warningf("════════════════════════════════════════════════════════════")
+		return currentValue
+	}
+
+	// Fresh install → generate a cryptographically secure random secret.
+	// persistSecret returns the winner's value on insert conflict.
+	secret := persistSecret(dbName, generateRandomSecret(32))
+	klog.Infof("Auto-generated %s and stored in database (first boot)", envName)
+	return secret
+}
+
+// generateRandomSecret returns a base64url-encoded string of n random bytes.
+func generateRandomSecret(n int) string {
+	b := make([]byte, n)
+	if _, err := rand.Read(b); err != nil {
+		klog.Fatalf("Failed to generate random secret: %v", err)
+	}
+	return base64.RawURLEncoding.EncodeToString(b)
+}
+
+func loadSecret(name string) string {
+	var s SystemSecret
+	if err := DB.Where("name = ?", name).First(&s).Error; err != nil {
+		return ""
+	}
+	return s.Value
+}
+
+// persistSecret inserts the secret into the database if no row exists yet.
+// If a row already exists (another replica won the race, or a previous boot
+// stored it), the existing value is returned unchanged — never overwritten.
+// This ensures all pods converge on whichever value was written first.
+func persistSecret(name, value string) string {
+	var existing SystemSecret
+	err := DB.Where("name = ?", name).First(&existing).Error
+
+	if errors.Is(err, gorm.ErrRecordNotFound) {
+		if err := DB.Create(&SystemSecret{Name: name, Value: value}).Error; err != nil {
+			// Another replica may have inserted first — adopt the winner.
+			if stored := loadSecret(name); stored != "" {
+				klog.Infof("Secret %q was created by another instance, adopting its value", name)
+				return stored
+			}
+			klog.Warningf("Failed to persist secret %q: %v", name, err)
+		}
+		return value
+	}
+	if err != nil {
+		klog.Warningf("Failed to read secret %q: %v", name, err)
+		return value
+	}
+	// Row already exists — adopt the stored value (first writer wins).
+	return existing.Value
+}
+
+// hasExistingEncryptedData returns true when the database already contains
+// rows with non-empty SecretString columns — meaning data was encrypted
+// with whatever key was active at the time. Only checks columns that
+// actually hold encrypted payloads (not mere row existence).
+func hasExistingEncryptedData() bool {
+	var count int64
+	// Cluster.Config is a SecretString; in-cluster entries may have it empty.
+	DB.Model(&Cluster{}).Where("config IS NOT NULL AND config != ''").Count(&count)
+	if count > 0 {
+		return true
+	}
+	// OAuthProvider.ClientSecret is always encrypted when present.
+	DB.Model(&OAuthProvider{}).Where("client_secret IS NOT NULL AND client_secret != ''").Count(&count)
+	if count > 0 {
+		return true
+	}
+	DB.Model(&User{}).Where("api_key IS NOT NULL AND api_key != ''").Count(&count)
+	if count > 0 {
+		return true
+	}
+	// GeneralSetting.AIAPIKey is also a SecretString field.
+	DB.Model(&GeneralSetting{}).Where("ai_api_key IS NOT NULL AND ai_api_key != ''").Count(&count)
+	return count > 0
+}