s3: full existing secret support, external fixes

Author: nicktrn

hosting/k8s/helm/templates/_helpers.tpl

@@ -260,6 +260,94 @@ clickhouse-password
 {{- end -}}
 {{- end }}
 
+{{/*
+S3 external secret name
+*/}}
+{{- define "trigger-v4.s3.external.secretName" -}}
+{{- if .Values.s3.external.existingSecret -}}
+{{ .Values.s3.external.existingSecret }}
+{{- else -}}
+{{ include "trigger-v4.secretsName" . }}
+{{- end -}}
+{{- end }}
+
+{{/*
+S3 external secret access key ID key
+*/}}
+{{- define "trigger-v4.s3.external.accessKeyIdKey" -}}
+{{- if .Values.s3.external.existingSecret -}}
+{{ .Values.s3.external.existingSecretAccessKeyIdKey }}
+{{- else -}}
+s3-access-key-id
+{{- end -}}
+{{- end }}
+
+{{/*
+S3 external secret secret access key key
+*/}}
+{{- define "trigger-v4.s3.external.secretAccessKeyKey" -}}
+{{- if .Values.s3.external.existingSecret -}}
+{{ .Values.s3.external.existingSecretSecretAccessKeyKey }}
+{{- else -}}
+s3-secret-access-key
+{{- end -}}
+{{- end }}
+
+{{/*
+S3 auth secret name
+*/}}
+{{- define "trigger-v4.s3.auth.secretName" -}}
+{{- if .Values.s3.auth.existingSecret -}}
+{{ .Values.s3.auth.existingSecret }}
+{{- else -}}
+{{ include "trigger-v4.secretsName" . }}
+{{- end -}}
+{{- end }}
+
+{{/*
+S3 auth secret access key ID key
+*/}}
+{{- define "trigger-v4.s3.auth.accessKeyIdKey" -}}
+{{- if .Values.s3.auth.existingSecret -}}
+{{ .Values.s3.auth.accessKeyIdSecretKey }}
+{{- else -}}
+s3-auth-access-key-id
+{{- end -}}
+{{- end }}
+
+{{/*
+S3 auth secret secret access key key
+*/}}
+{{- define "trigger-v4.s3.auth.secretAccessKeyKey" -}}
+{{- if .Values.s3.auth.existingSecret -}}
+{{ .Values.s3.auth.secretAccessKeySecretKey }}
+{{- else -}}
+s3-auth-secret-access-key
+{{- end -}}
+{{- end }}
+
+{{/*
+S3 auth effective access key ID (with fallback to rootUser)
+*/}}
+{{- define "trigger-v4.s3.auth.effectiveAccessKeyId" -}}
+{{- if .Values.s3.auth.accessKeyId -}}
+{{ .Values.s3.auth.accessKeyId }}
+{{- else -}}
+{{ .Values.s3.auth.rootUser }}
+{{- end -}}
+{{- end }}
+
+{{/*
+S3 auth effective secret access key (with fallback to rootPassword)
+*/}}
+{{- define "trigger-v4.s3.auth.effectiveSecretAccessKey" -}}
+{{- if .Values.s3.auth.secretAccessKey -}}
+{{ .Values.s3.auth.secretAccessKey }}
+{{- else -}}
+{{ .Values.s3.auth.rootPassword }}
+{{- end -}}
+{{- end }}
+
 {{/*
 Electric service URL
 */}}

hosting/k8s/helm/templates/secrets.yaml

@@ -11,8 +11,14 @@ data:
   MAGIC_LINK_SECRET: {{ .Values.secrets.magicLinkSecret | b64enc | quote }}
   ENCRYPTION_KEY: {{ .Values.secrets.encryptionKey | b64enc | quote }}
   MANAGED_WORKER_SECRET: {{ .Values.secrets.managedWorkerSecret | b64enc | quote }}
-  OBJECT_STORE_ACCESS_KEY_ID: {{ .Values.secrets.objectStore.accessKeyId | b64enc | quote }}
-  OBJECT_STORE_SECRET_ACCESS_KEY: {{ .Values.secrets.objectStore.secretAccessKey | b64enc | quote }}
+  {{- if and .Values.s3.external.accessKeyId (not .Values.s3.external.existingSecret) }}
+  s3-access-key-id: {{ .Values.s3.external.accessKeyId | b64enc | quote }}
+  s3-secret-access-key: {{ .Values.s3.external.secretAccessKey | b64enc | quote }}
+  {{- end }}
+  {{- if and .Values.s3.deploy (not .Values.s3.auth.existingSecret) }}
+  s3-auth-access-key-id: {{ include "trigger-v4.s3.auth.effectiveAccessKeyId" . | b64enc | quote }}
+  s3-auth-secret-access-key: {{ include "trigger-v4.s3.auth.effectiveSecretAccessKey" . | b64enc | quote }}
+  {{- end }}
   {{- if and .Values.postgres.external.databaseUrl (not .Values.postgres.external.existingSecret) }}
   postgres-database-url: {{ .Values.postgres.external.databaseUrl | b64enc | quote }}
   {{- if .Values.postgres.external.directUrl }}

hosting/k8s/helm/templates/validate-external-config.yaml

@@ -20,9 +20,16 @@ This template will fail the Helm deployment if external config is missing for re
 {{- end }}
 {{- end }}
 
-{{- if not .Values.s3.deploy }}
-{{- if or (not .Values.s3.external.endpoint) (not .Values.s3.external.accessKeyId) }}
-{{- fail "S3 external configuration is required when s3.deploy=false. Please provide s3.external.endpoint and s3.external.accessKeyId" }}
+{{- if .Values.s3.deploy }}
+{{- if and (not .Values.s3.auth.existingSecret) (not .Values.s3.auth.accessKeyId) (not .Values.s3.auth.rootUser) }}
+{{- fail "S3 auth credentials are required when s3.deploy=true. Please provide either s3.auth.accessKeyId, s3.auth.existingSecret, or s3.auth.rootUser" }}
+{{- end }}
+{{- else }}
+{{- if not .Values.s3.external.endpoint }}
+{{- fail "S3 external configuration is required when s3.deploy=false. Please provide s3.external.endpoint" }}
+{{- end }}
+{{- if and (not .Values.s3.external.existingSecret) (not .Values.s3.external.accessKeyId) }}
+{{- fail "S3 credentials are required when s3.deploy=false. Please provide either s3.external.accessKeyId or s3.external.existingSecret" }}
 {{- end }}
 {{- end }}
 

hosting/k8s/helm/templates/webapp.yaml

@@ -284,16 +284,55 @@ spec:
                 secretKeyRef:
                   name: {{ include "trigger-v4.secretsName" . }}
                   key: MANAGED_WORKER_SECRET
+            {{- if .Values.s3.deploy }}
+            {{- if .Values.s3.auth.existingSecret }}
+            - name: OBJECT_STORE_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "trigger-v4.s3.auth.secretName" . }}
+                  key: {{ include "trigger-v4.s3.auth.accessKeyIdKey" . }}
+            - name: OBJECT_STORE_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "trigger-v4.s3.auth.secretName" . }}
+                  key: {{ include "trigger-v4.s3.auth.secretAccessKeyKey" . }}
+            {{- else }}
             - name: OBJECT_STORE_ACCESS_KEY_ID
               valueFrom:
                 secretKeyRef:
                   name: {{ include "trigger-v4.secretsName" . }}
-                  key: OBJECT_STORE_ACCESS_KEY_ID
+                  key: s3-auth-access-key-id
             - name: OBJECT_STORE_SECRET_ACCESS_KEY
               valueFrom:
                 secretKeyRef:
                   name: {{ include "trigger-v4.secretsName" . }}
-                  key: OBJECT_STORE_SECRET_ACCESS_KEY
+                  key: s3-auth-secret-access-key
+            {{- end }}
+            {{- else }}
+            {{- if .Values.s3.external.existingSecret }}
+            - name: OBJECT_STORE_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "trigger-v4.s3.external.secretName" . }}
+                  key: {{ include "trigger-v4.s3.external.accessKeyIdKey" . }}
+            - name: OBJECT_STORE_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "trigger-v4.s3.external.secretName" . }}
+                  key: {{ include "trigger-v4.s3.external.secretAccessKeyKey" . }}
+            {{- else if .Values.s3.external.accessKeyId }}
+            - name: OBJECT_STORE_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "trigger-v4.secretsName" . }}
+                  key: s3-access-key-id
+            - name: OBJECT_STORE_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "trigger-v4.secretsName" . }}
+                  key: s3-secret-access-key
+            {{- end }}
+            {{- end }}
             {{- end }}
             {{- if .Values.webapp.observability }}
             {{- if .Values.webapp.observability.tracing.exporterUrl }}

hosting/k8s/helm/values.yaml

@@ -25,8 +25,6 @@ secrets:
   #   - MAGIC_LINK_SECRET
   #   - ENCRYPTION_KEY
   #   - MANAGED_WORKER_SECRET
-  #   - OBJECT_STORE_ACCESS_KEY_ID
-  #   - OBJECT_STORE_SECRET_ACCESS_KEY
   existingSecret: ""
 
   # Session secret for user authentication (32 hex chars)
@@ -37,10 +35,7 @@ secrets:
   encryptionKey: "f686147ab967943ebbe9ed3b496e465a"
   # Worker secret for managed worker authentication (32 hex chars)
   managedWorkerSecret: "447c29678f9eaf289e9c4b70d3dd8a7f"
-  # Object store credentials (change for production)
-  objectStore:
-    accessKeyId: "admin"
-    secretAccessKey: "very-safe-password"
+  # Object store credentials moved to s3.auth and s3.external section
 
 # Webapp configuration
 webapp:
@@ -567,6 +562,13 @@ s3:
   auth:
     rootUser: "admin"
     rootPassword: "very-safe-password"
+    # Webapp credentials for S3 access (defaults to root credentials if not specified)
+    accessKeyId: "" # Defaults to rootUser if empty
+    secretAccessKey: "" # Defaults to rootPassword if empty
+    # Existing secret support for webapp credentials
+    existingSecret: "" # If set, accessKeyId/secretAccessKey will be ignored
+    accessKeyIdSecretKey: "access-key-id" # Key in existingSecret containing access key ID
+    secretAccessKeySecretKey: "secret-access-key" # Key in existingSecret containing secret access key
 
   # The required "packets" bucket is created by default.
   defaultBuckets: "packets"
@@ -579,8 +581,13 @@ s3:
   # External S3 connection (when deploy: false)
   external:
     endpoint: "" # e.g., "https://s3.amazonaws.com" or "https://your-minio.com:9000"
-    accessKeyId: ""
-    secretAccessKey: ""
+    accessKeyId: "admin" # Default for internal MinIO - change for production
+    secretAccessKey: "very-safe-password" # Default for internal MinIO - change for production
+    #
+    # Secure credential management
+    existingSecret: "" # Name of existing secret containing S3 credentials
+    existingSecretAccessKeyIdKey: "access-key-id" # Key in existing secret containing access key ID
+    existingSecretSecretAccessKeyKey: "secret-access-key" # Key in existing secret containing secret access key
 
 # Docker Registry configuration
 registry: