From 4369472153eab34f25bfd47fabf11cbf635ec1a7 Mon Sep 17 00:00:00 2001 From: Sam Morrison Date: Thu, 28 May 2026 14:00:18 +1000 Subject: [PATCH] Support referencing an existing Secret Add `fider.existingSecret` value to let users point the deployment at a pre-existing Kubernetes Secret for the secret environment variables instead of having the chart create one from `fider.secretEnv`. When set, no Secret resource is rendered and both the dbchecker init container and the main container reference the external Secret via `envFrom`. Co-Authored-By: Claude Opus 4.7 (1M context) Signed-off-by: Sam Morrison
---
 charts/fider/templates/_helpers.tpl | 21 +++++++++++++++++++++ charts/fider/templates/deployment.yaml | 8 ++++---- charts/fider/templates/secret.yaml | 2 +- charts/fider/values.yaml | 5 ++++- 4 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/charts/fider/templates/_helpers.tpl b/charts/fider/templates/_helpers.tpl
index 79c4792..9664f2d 100644
--- a/charts/fider/templates/_helpers.tpl
+++ b/charts/fider/templates/_helpers.tpl
@@ -60,3 +60,24 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Name of the secret holding fider's secret environment variables.
+Uses .Values.fider.existingSecret when set, otherwise the chart-managed secret.
+*/}}
+{{- define "fider.secretName" -}}
+{{- if .Values.fider.existingSecret -}}
+{{- .Values.fider.existingSecret -}}
+{{- else -}}
+{{- printf "%s-env-secrets" (include "fider.fullname" .) -}}
+{{- end -}}
+{{- end }}
+
+{{/*
+Whether a secret reference exists (either chart-managed or pre-existing).
+*/}}
+{{- define "fider.hasSecret" -}}
+{{- if or .Values.fider.existingSecret .Values.fider.secretEnv -}}
+true
+{{- end -}}
+{{- end }}
diff --git a/charts/fider/templates/deployment.yaml b/charts/fider/templates/deployment.yaml
index a231253..2fbd177 100644
--- a/charts/fider/templates/deployment.yaml
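Review bot: The doc comment on `fider.hasSecret` does not say what the helper renders, and both call sites depend on that. It emits the string `true` or nothing, so it is only correct under `if include "fider.hasSecret" .`, where any non-empty output counts as true. I would extend the comment to read `Renders "true" when a secret reference exists (chart-managed or pre-existing) and nothing otherwise; test it with if include.`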
+++ b/charts/fider/templates/deployment.yaml
@@ -34,10 +34,10 @@ spec:
 imagePullPolicy: {{ .Values.dbchecker.image.pullPolicy }}
 securityContext:
 {{- toYaml .Values.dbchecker.securityContext | nindent 10 }}
- {{- if .Values.fider.secretEnv }}
+ {{- if include "fider.hasSecret" . }}
 envFrom:
 - secretRef:
- name: {{ template "fider.fullname" . }}-env-secrets
+ name: {{ include "fider.secretName" . }}
 {{- end }}
 command: ["wait4x"]
 args: ["--no-color", "--timeout", "60s", "postgresql", "$(DATABASE_URL)"]
@@ -74,10 +74,10 @@ spec:
 {{- end }}
 - name: METRICS_ENABLED
 value: 'true'
- {{- if .Values.fider.secretEnv }}
+ {{- if include "fider.hasSecret" . }}
 envFrom:
 - secretRef:
- name: {{ template "fider.fullname" . }}-env-secrets
+ name: {{ include "fider.secretName" . }}
 {{- end }}
 {{- if .Values.fider.legalPages.enabled }}
 volumeMounts:
diff --git a/charts/fider/templates/secret.yaml b/charts/fider/templates/secret.yaml
index b8ec961..2450aa8 100644
--- a/charts/fider/templates/secret.yaml
+++ b/charts/fider/templates/secret.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.fider.secretEnv }}
+{{- if and .Values.fider.secretEnv (not .Values.fider.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/fider/values.yaml b/charts/fider/values.yaml
index 58a3e1e..100c887 100644
--- a/charts/fider/values.yaml
+++ b/charts/fider/values.yaml
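Review bot: With `existingSecret` set, the dbchecker init container's `envFrom` imports every key of a Secret the chart no longer controls, although the only variable this container uses in the visible lines is `$(DATABASE_URL)` in `args`. A Secret managed outside the chart may hold more than fider's settings, so I would narrow the init container to a single `secretKeyRef` for `DATABASE_URL`, as sketched below. That also makes the pod fail at container creation when the key is missing, instead of passing the unexpanded `$(DATABASE_URL)` to wait4x. The container spec starts before this hunk, so confirm dbchecker has no existing `env:` list before adding one.

```yaml
          {{- if include "fider.hasSecret" . }}
          env:
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: {{ include "fider.secretName" . }}
                  key: DATABASE_URL
          {{- end }}
          # … unchanged: command and args …
```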
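Review bot: `name: {{ include "fider.secretName" . }}` renders a user-supplied value as a plain YAML scalar, so an `existingSecret` made only of digits, or one such as `true` or `null`, is parsed as a non-string. The Deployment is then rejected at validation with an error that does not point back to the value. Quote it in both containers, here and on the dbchecker `name:` line in the previous hunk: `name: {{ include "fider.secretName" . | quote }}`. The main container's spec begins and ends outside this hunk.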
@@ -52,7 +52,10 @@ fider: # - name: EMAIL_AWSSES_ACCESS_KEY_ID # value: youraccesskeygoeshere - # -- These environment variables are stored in a Kubernetes secret + # -- Name of a pre-existing Kubernetes Secret containing the secret environment variables (e.g. DATABASE_URL, JWT_SECRET). When set, `secretEnv` is ignored and no Secret is created by this chart; the referenced Secret is used directly via `envFrom`. + existingSecret: "" + + # -- These environment variables are stored in a Kubernetes secret. Ignored when `existingSecret` is set. secretEnv: # -- Connection string to the PostgreSQL database DATABASE_URL: 'postgres://fider:s0m3g00dp4ssw0rd@postgresql-service:5432/fider?sslmode=disable'
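Review bot: The `existingSecret` comment lists `DATABASE_URL` and `JWT_SECRET` only as examples, but the dbchecker init container passes `$(DATABASE_URL)` to wait4x. A referenced Secret without that key leaves the placeholder unexpanded, and the failure would likely surface as a wait4x error rather than a clear missing-key message. I would state the requirement and the scope in the comment, for instance `# -- ... The Secret must define DATABASE_URL and should hold only fider's variables, because every key in it is injected into both containers via envFrom.` The comment could also say that this option keeps the database password out of values files, since the `secretEnv` default just below still carries a sample `DATABASE_URL` with an inline password and `sslmode=disable`.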