getfider · sorrison · May 28, 2026
diff --git a/charts/fider/templates/_helpers.tpl b/charts/fider/templates/_helpers.tpl
@@ -60,3 +60,24 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Name of the secret holding fider's secret environment variables.
+Uses .Values.fider.existingSecret when set, otherwise the chart-managed secret.
+*/}}
+{{- define "fider.secretName" -}}
+{{- if .Values.fider.existingSecret -}}
+{{- .Values.fider.existingSecret -}}
+{{- else -}}
+{{- printf "%s-env-secrets" (include "fider.fullname" .) -}}
+{{- end -}}
+{{- end }}
+
+{{/*
+Whether a secret reference exists (either chart-managed or pre-existing).
+*/}}
+{{- define "fider.hasSecret" -}}
+{{- if or .Values.fider.existingSecret .Values.fider.secretEnv -}}
+true
+{{- end -}}
+{{- end }}
diff --git a/charts/fider/templates/deployment.yaml b/charts/fider/templates/deployment.yaml
@@ -34,10 +34,10 @@ spec:
         imagePullPolicy: {{ .Values.dbchecker.image.pullPolicy }}
         securityContext:
           {{- toYaml .Values.dbchecker.securityContext | nindent 10 }}
-      {{- if .Values.fider.secretEnv }}
+      {{- if include "fider.hasSecret" . }}
         envFrom:
         - secretRef:
-            name: {{ template "fider.fullname" . }}-env-secrets
+            name: {{ include "fider.secretName" . }}
       {{- end }}
         command: ["wait4x"]
         args: ["--no-color", "--timeout", "60s", "postgresql", "$(DATABASE_URL)"]
@@ -74,10 +74,10 @@ spec:
         {{- end }}
         - name: METRICS_ENABLED
           value: 'true'
-        {{- if .Values.fider.secretEnv }}
+        {{- if include "fider.hasSecret" . }}
         envFrom:
         - secretRef:
-            name: {{ template "fider.fullname" . }}-env-secrets
+            name: {{ include "fider.secretName" . }}
         {{- end }}
         {{- if .Values.fider.legalPages.enabled }}
         volumeMounts:

diff --git a/charts/fider/templates/secret.yaml b/charts/fider/templates/secret.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.fider.secretEnv }}
+{{- if and .Values.fider.secretEnv (not .Values.fider.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:

diff --git a/charts/fider/values.yaml b/charts/fider/values.yaml
@@ -52,7 +52,10 @@ fider:
     # - name: EMAIL_AWSSES_ACCESS_KEY_ID
     #   value: youraccesskeygoeshere
 
-  # -- These environment variables are stored in a Kubernetes secret
+  # -- Name of a pre-existing Kubernetes Secret containing the secret environment variables (e.g. DATABASE_URL, JWT_SECRET). When set, `secretEnv` is ignored and no Secret is created by this chart; the referenced Secret is used directly via `envFrom`.
+  existingSecret: ""
+
+  # -- These environment variables are stored in a Kubernetes secret. Ignored when `existingSecret` is set.
   secretEnv:
     # -- Connection string to the PostgreSQL database
     DATABASE_URL: 'postgres://fider:s0m3g00dp4ssw0rd@postgresql-service:5432/fider?sslmode=disable'