linode · ferruhcihan · Feb 20, 2026 · Feb 20, 2026 · Feb 20, 2026 · Feb 22, 2026
@@ -9,9 +9,9 @@ name: Build test push release
 on:
   push:
     branches:
-      - '**'
+      - "**"
     tags-ignore:
-      - '*'
+      - "*"
 env:
   COMMIT_MSG: ${{ github.event.head_commit.message }}
   CACHE_REGISTRY: ghcr.io
@@ -35,11 +35,21 @@ jobs:
           echo "TAG=$tag" >> $GITHUB_ENV
       - name: Checkout
         uses: actions/checkout@v6
+      - name: Fetch values-schema.yaml from apl-core
+        run: |
+          # Try matching branch first, fall back to main
+          curl -sL -f -H "Authorization: token ${{ env.BOT_TOKEN }}" \
+            "https://raw.githubusercontent.com/linode/apl-core/${{ env.TAG }}/values-schema.yaml" \
+            -o src/values-schema.yaml 2>/dev/null \
+          || curl -sL -f -H "Authorization: token ${{ env.BOT_TOKEN }}" \
+            "https://raw.githubusercontent.com/linode/apl-core/main/values-schema.yaml" \
+            -o src/values-schema.yaml
+          echo "Schema fetched for branch: ${{ env.TAG }} (with main fallback)"
       - name: CI tests, image build and push tag for main or branch
         uses: whoan/docker-build-with-cache-action@v8
         with:
           username: ${{ env.BOT_USERNAME }}
-          password: '${{ env.BOT_TOKEN }}'
+          password: "${{ env.BOT_TOKEN }}"
           registry: ${{ env.CACHE_REGISTRY }}
           image_name: ${{ env.CACHE_REPO }}
           image_tag: ${{ env.TAG }}

@@ -1,8 +1,8 @@
-name: 'postman'
+name: "postman"
 on:
   pull_request:
     branches:
-      - '*'
+      - "*"
   workflow_dispatch:
 jobs:
   postman:
@@ -57,6 +57,8 @@ jobs:
           npm install
           npm run compile
           NODE_PATH="/usr/local/lib/node_modules" npm run server > $GITHUB_WORKSPACE/core.log 2>&1 &
+      - name: Sync values schema from apl-core
+        run: cp apl-core/values-schema.yaml src/values-schema.yaml
       - name: Start api
         run: |
           npm install

@@ -44,6 +44,7 @@ kms.json*
 
 /vendors/client/
 /src/generated-*
+/src/values-schema.yaml
 secrets.*.yaml.dec
 
 #intelij

@@ -13,6 +13,7 @@
     "@casl/ability": "6.8.0",
     "@kubernetes/client-node": "1.4.0",
     "@linode/api-v4": "0.157.0",
+    "@linode/kubeseal-encrypt": "^1.0.1",
     "@types/json-schema": "7.0.15",
     "@types/jsonwebtoken": "9.0.10",
     "axios": "1.13.6",
@@ -53,8 +54,8 @@
     "@eslint/compat": "2.0.3",
     "@redocly/openapi-cli": "1.0.0-beta.95",
     "@semantic-release/changelog": "6.0.3",
-    "@types/async-retry": "^1.4.8",
     "@semantic-release/git": "10.0.1",
+    "@types/async-retry": "^1.4.8",
     "@types/debug": "^4.1.12",
     "@types/expect": "24.3.2",
     "@types/express": "^5.0.6",
@@ -135,6 +136,7 @@
     "clean": "rm -rf dist >/dev/null",
     "cz": "git-cz",
     "cz:retry": "git-cz --retry",
+    "predev": "npm run schema:sync",
     "dev": "run-p watch dev:node",
     "dev:node": "tsx watch --env-file=.env --inspect=4321 src/app.ts",
     "lint": "run-p types lint:ts",
@@ -144,6 +146,7 @@
     "postinstall": "npm run build:models",
     "pre-release:client": "npm version prerelease --preid rc --no-commit-hooks --no-git-tag-version && bin/release-client.sh",
     "release": "standard-version",
+    "schema:sync": "APL_CORE_PATH=${APL_CORE_PATH:-../apl-core} && cp \"$APL_CORE_PATH/values-schema.yaml\" src/values-schema.yaml && echo \"Schema synced from $APL_CORE_PATH\"",
     "release:bump:minor": "standard-version --skip.changelog true --release-as minor",
     "release:client": "bin/release-client.sh",
     "start": "node dist/src/app.js",

@@ -4,13 +4,13 @@ import { initApp, loadSpec } from 'src/app'
 import getToken from 'src/fixtures/jwt'
 import OtomiStack from 'src/otomi-stack'
 import request from 'supertest'
+import TestAgent from 'supertest/lib/agent'
 import { HttpError } from './error'
+import { FileStore } from './fileStore/file-store'
 import { Git } from './git'
 import { getSessionStack } from './middleware'
 import { App, CodeRepo, Netpol, SealedSecret } from './otomi-models'
 import * as getValuesSchemaModule from './utils'
-import TestAgent from 'supertest/lib/agent'
-import { FileStore } from './fileStore/file-store'
 
 const platformAdminToken = getToken(['platform-admin'])
 const teamAdminToken = getToken(['team-admin', 'team-team1'])
@@ -20,7 +20,29 @@ const userToken = getToken([])
 const teamId = 'team1'
 const otherTeamId = 'team2'
 
-jest.mock('./k8s_operations')
+jest.mock('./k8s_operations', () => {
+  const original = jest.requireActual('./k8s_operations')
+  return {
+    ...original,
+    apply: jest.fn(),
+    checkPodExists: jest.fn(),
+    getCloudttyActiveTime: jest.fn(),
+    getKubernetesVersion: jest.fn().mockResolvedValue('x.x.x'),
+    getSecretValues: jest.fn().mockResolvedValue({ adminPassword: 'test-admin-password' }),
+    getTeamSecretsFromK8s: jest.fn().mockResolvedValue([]),
+    getUserSecretFromK8s: jest.fn().mockResolvedValue(undefined),
+    listUserSecretsFromK8s: jest.fn().mockResolvedValue([]),
+    k8sdelete: jest.fn(),
+    watchPodUntilRunning: jest.fn(),
+    getSealedSecretsCertificate: jest.fn().mockResolvedValue(''),
+    getSealedSecretSyncedStatus: jest.fn().mockResolvedValue('NotFound'),
+    getSealedSecretStatus: jest.fn().mockResolvedValue('NotFound'),
+    getSealedSecretsKeys: jest.fn().mockResolvedValue({}),
+    getWorkloadStatus: jest.fn().mockResolvedValue('NotFound'),
+    getBuildStatus: jest.fn().mockResolvedValue('NotFound'),
+    getServiceStatus: jest.fn().mockResolvedValue('NotFound'),
+  }
+})
 jest.mock('./utils/sealedSecretUtils')
 beforeAll(async () => {
   jest.spyOn(console, 'log').mockImplementation(() => {})
@@ -92,6 +114,7 @@ describe('API authz tests', () => {
 
   beforeEach(() => {
     jest.spyOn(otomiStack, 'createTeam').mockResolvedValue({ name: 'team', resourceQuota: [] })
+    jest.spyOn(getValuesSchemaModule, 'getValuesSchema').mockResolvedValue({})
   })
 
   afterEach(() => {

@@ -9,7 +9,7 @@ const debug = Debug('otomi:api:v1:apps')
  * Get all apps across all teams
  * Returns list of all apps with their ids and enabled status
  */
-export const getApps = (req: OpenApiRequestExt, res: Response): void => {
+export const getApps = async (req: OpenApiRequestExt, res: Response): Promise<void> => {
   debug('getAllApps')
-  res.json(req.otomi.getApps())
+  res.json(await req.otomi.getApps())
 }
@@ -9,10 +9,10 @@ const debug = Debug('otomi:api:v1:apps')
  * Get apps for a team
  * Returns list of team apps with their ids and enabled status
  */
-export const getTeamApps = (req: OpenApiRequestExt, res: Response): void => {
+export const getTeamApps = async (req: OpenApiRequestExt, res: Response): Promise<void> => {
   const { teamId } = req.params
   debug('getTeamApps', teamId)
-  res.json(req.otomi.getTeamApps(teamId))
+  res.json(await req.otomi.getTeamApps(teamId))
 }
 
 /**

@@ -5,9 +5,9 @@ import { App, OpenApiRequestExt } from 'src/otomi-models'
  * GET /v1/apps/{teamId}/{appId}
  * Get a specific team app
  */
-export const getTeamApp = (req: OpenApiRequestExt, res: Response): void => {
+export const getTeamApp = async (req: OpenApiRequestExt, res: Response): Promise<void> => {
   const { teamId, appId } = req.params
-  res.json(req.otomi.getTeamApp(teamId, appId))
+  res.json(await req.otomi.getTeamApp(teamId, appId))
 }
 
 /**

@@ -8,9 +8,9 @@ const debug = Debug('otomi:api:v1:dashboard')
  * GET /v1/dashboard
  * Get dashboard information
  */
-export const getDashboard = (req: OpenApiRequestExt, res: Response): void => {
+export const getDashboard = async (req: OpenApiRequestExt, res: Response): Promise<void> => {
   const { teamId } = req.query
   debug(`getDashboard(${teamId})`)
-  const v = req.otomi.getDashboard(teamId as string)
+  const v = await req.otomi.getDashboard(teamId as string)
   res.json(v)
 }
@@ -8,8 +8,8 @@ const debug = Debug('otomi:api:v1:services')
  * GET /v1/services
  * Get all services running on the cluster
  */
-export const getAllServices = (req: OpenApiRequestExt, res: Response): void => {
+export const getAllServices = async (req: OpenApiRequestExt, res: Response): Promise<void> => {
   debug('getAllServices')
-  const v = req.otomi.getAllServices()
+  const v = await req.otomi.getAllServices()
   res.json(v)
 }
@@ -1,6 +1,5 @@
 import Debug from 'debug'
 import { Response } from 'express'
-import { omit } from 'lodash'
 import { OpenApiRequestExt } from 'src/otomi-models'
 
 const debug = Debug('otomi:api:v1:settings')
@@ -9,15 +8,11 @@ const debug = Debug('otomi:api:v1:settings')
  * GET /v1/settings
  * Get settings (optionally filtered by IDs)
  */
-export const getSettings = (req: OpenApiRequestExt, res: Response): void => {
+export const getSettings = async (req: OpenApiRequestExt, res: Response): Promise<void> => {
   const { ids } = req.query
   // Handle comma-separated string or array
   const idsArray = ids ? (typeof ids === 'string' ? ids.split(',') : (ids as string[])) : undefined
   debug(`getSettings(${idsArray})`)
-  const v = req.otomi.getSettings(idsArray)
-  if (v?.otomi) {
-    res.json(omit(v, ['otomi.adminPassword', 'otomi.git.password']))
-  } else {
-    res.json(v)
-  }
+  const v = await req.otomi.getSettings(idsArray)
+  res.json(v)
 }
@@ -1,7 +1,6 @@
 import Debug from 'debug'
 import { Response } from 'express'
 import { OpenApiRequestExt, Settings } from 'src/otomi-models'
-import { omit } from 'lodash'
 
 const debug = Debug('otomi:api:v1:settings')
 
@@ -14,9 +13,5 @@ export const editSettings = async (req: OpenApiRequestExt, res: Response): Promi
   const ids = Object.keys(req.body as Settings)
   debug(`editSettings(${ids.join(',')})`)
   const v = await req.otomi.editSettings(req.body as Settings, settingId)
-  if (v?.otomi) {
-    res.json(omit(v, ['otomi.adminPassword', 'otomi.git.password']))
-  } else {
-    res.json(v)
-  }
+  res.json(v)
 }
@@ -8,7 +8,7 @@ const debug = Debug('otomi:api:v1:settingsinfo')
  * GET /v1/settingsInfo
  * Get settings info
  */
-export const getSettingsInfo = (req: OpenApiRequestExt, res: Response): void => {
+export const getSettingsInfo = async (req: OpenApiRequestExt, res: Response): Promise<void> => {
   debug('getSettingsInfo')
-  res.json(req.otomi.getSettingsInfo())
+  res.json(await req.otomi.getSettingsInfo())
 }
@@ -8,10 +8,10 @@ const debug = Debug('otomi:api:v1:teams:services')
  * GET /v1/teams/{teamId}/services
  * Get services from a given team
  */
-export const getTeamServices = (req: OpenApiRequestExt, res: Response): void => {
+export const getTeamServices = async (req: OpenApiRequestExt, res: Response): Promise<void> => {
   const { teamId } = req.params
   debug(`getTeamServices(${teamId})`)
-  const v = req.otomi.getTeamServices(teamId)
+  const v = await req.otomi.getTeamServices(teamId)
   res.json(v)
 }
 

@@ -8,10 +8,10 @@ const debug = Debug('otomi:api:v1:teams:services')
  * GET /v1/teams/{teamId}/services/{serviceName}
  * Get a specific service
  */
-export const getService = (req: OpenApiRequestExt, res: Response): void => {
+export const getService = async (req: OpenApiRequestExt, res: Response): Promise<void> => {
   const { teamId, serviceName } = req.params
   debug(`getService(${serviceName})`)
-  const data = req.otomi.getService(decodeURIComponent(teamId), decodeURIComponent(serviceName))
+  const data = await req.otomi.getService(decodeURIComponent(teamId), decodeURIComponent(serviceName))
   res.json(data)
 }
 

@@ -8,9 +8,9 @@ const debug = Debug('otomi:api:v1:users')
  * GET /v1/users
  * Get all users
  */
-export const getAllUsers = (req: OpenApiRequestExt, res: Response): void => {
+export const getAllUsers = async (req: OpenApiRequestExt, res: Response): Promise<void> => {
   debug('getAllUsers')
-  const v = req.otomi.getAllUsers(req.user)
+  const v = await req.otomi.getAllUsers(req.user)
   res.json(v)
 }
 

@@ -8,10 +8,10 @@ const debug = Debug('otomi:api:v1:users')
  * GET /v1/users/{userId}
  * Get a specific user
  */
-export const getUser = (req: OpenApiRequestExt, res: Response): void => {
+export const getUser = async (req: OpenApiRequestExt, res: Response): Promise<void> => {
   const { userId } = req.params
   debug(`getUser(${userId})`)
-  const data = req.otomi.getUser(decodeURIComponent(userId), req.user)
+  const data = await req.otomi.getUser(decodeURIComponent(userId), req.user)
   res.json(data)
 }
 

@@ -22,7 +22,7 @@ import { apiRateLimiter, authRateLimiter } from 'src/middleware/rate-limit'
 import { setMockIdx } from 'src/mocks'
 import { AplResponseObject, OpenAPIDoc, Schema, SealedSecretManifestResponse } from 'src/otomi-models'
 import { default as OtomiStack } from 'src/otomi-stack'
-import { extract, getPaths, getValuesSchema } from 'src/utils'
+import { getValuesSchema } from 'src/utils'
 import {
   CATALOG_CACHE_REFRESH_INTERVAL_MS,
   CHECK_LATEST_COMMIT_INTERVAL,
@@ -48,7 +48,6 @@ debug('NODE_ENV: ', process.env.NODE_ENV)
 
 type OtomiSpec = {
   spec: OpenAPIDoc
-  secretPaths: string[]
   valuesSchema: Record<string, any>
 }
 
@@ -84,7 +83,7 @@ const resourceStatus = async (errorSet) => {
     debug('Values are not loaded yet')
     return
   }
-  const { cluster } = otomiStack.getSettings(['cluster'])
+  const { cluster } = await otomiStack.getSettings(['cluster'])
   const domainSuffix = cluster?.domainSuffix
   const resources: Record<string, (AplResponseObject | SealedSecretManifestResponse)[]> = {
     workloads: otomiStack.getAllAplWorkloads(),
@@ -126,17 +125,11 @@ export const loadSpec = async (): Promise<void> => {
   debug(`Loading api spec from: ${openApiPath}`)
   const spec = (await $parser.parse(openApiPath)) as OpenAPIDoc
   const valuesSchema = await getValuesSchema()
-  const secrets = extract(valuesSchema, (o, i) => i === 'x-secret')
-  const secretPaths = getPaths(secrets)
-  otomiSpec = { spec, secretPaths, valuesSchema }
+  otomiSpec = { spec, valuesSchema }
 }
 export const getSpec = (): OtomiSpec => {
   return otomiSpec
 }
-export function getSecretPaths(): string[] {
-  const { secretPaths } = getSpec()
-  return secretPaths
-}
 export const getAppSchema = (appId: string): Schema => {
   let id: string = appId
   if (appId.startsWith('ingress-nginx')) id = 'ingress-nginx-platform'