support external secrets

Author: nicktrn

hosting/k8s/helm/templates/_helpers.tpl

@@ -147,6 +147,17 @@ http://{{ include "trigger-v4.fullname" . }}-minio:{{ .Values.minio.service.port
 {{- end -}}
 {{- end }}
 
+{{/*
+Get the secrets name - either existing secret or generated name
+*/}}
+{{- define "trigger-v4.secretsName" -}}
+{{- if .Values.secrets.existingSecret -}}
+{{ .Values.secrets.existingSecret }}
+{{- else -}}
+{{ include "trigger-v4.fullname" . }}-secrets
+{{- end -}}
+{{- end }}
+
 {{/*
 Registry connection details
 */}}

hosting/k8s/helm/templates/secrets.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.secrets.existingSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -12,6 +13,7 @@ data:
   managed-worker-secret: {{ .Values.secrets.managedWorkerSecret | b64enc | quote }}
   object-store-access-key-id: {{ .Values.secrets.objectStore.accessKeyId | b64enc | quote }}
   object-store-secret-access-key: {{ .Values.secrets.objectStore.secretAccessKey | b64enc | quote }}
+{{- end }}
 ---
 {{- if and .Values.registry.enabled .Values.registry.auth.enabled }}
 apiVersion: v1

hosting/k8s/helm/templates/supervisor.yaml

@@ -121,7 +121,7 @@ spec:
             - name: MANAGED_WORKER_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: {{ include "trigger-v4.fullname" . }}-secrets
+                  name: {{ include "trigger-v4.secretsName" . }}
                   key: managed-worker-secret
             # Worker instance configuration
             - name: TRIGGER_WORKER_INSTANCE_NAME

hosting/k8s/helm/templates/webapp.yaml

@@ -128,32 +128,32 @@ spec:
             - name: SESSION_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: {{ include "trigger-v4.fullname" . }}-secrets
+                  name: {{ include "trigger-v4.secretsName" . }}
                   key: session-secret
             - name: MAGIC_LINK_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: {{ include "trigger-v4.fullname" . }}-secrets
+                  name: {{ include "trigger-v4.secretsName" . }}
                   key: magic-link-secret
             - name: ENCRYPTION_KEY
               valueFrom:
                 secretKeyRef:
-                  name: {{ include "trigger-v4.fullname" . }}-secrets
+                  name: {{ include "trigger-v4.secretsName" . }}
                   key: encryption-key
             - name: MANAGED_WORKER_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: {{ include "trigger-v4.fullname" . }}-secrets
+                  name: {{ include "trigger-v4.secretsName" . }}
                   key: managed-worker-secret
             - name: OBJECT_STORE_ACCESS_KEY_ID
               valueFrom:
                 secretKeyRef:
-                  name: {{ include "trigger-v4.fullname" . }}-secrets
+                  name: {{ include "trigger-v4.secretsName" . }}
                   key: object-store-access-key-id
             - name: OBJECT_STORE_SECRET_ACCESS_KEY
               valueFrom:
                 secretKeyRef:
-                  name: {{ include "trigger-v4.fullname" . }}-secrets
+                  name: {{ include "trigger-v4.secretsName" . }}
                   key: object-store-secret-access-key
             {{- if .Values.webapp.internal.otel.trace.exporterUrl }}
             - name: INTERNAL_OTEL_TRACE_EXPORTER_URL

hosting/k8s/helm/values.yaml

@@ -148,6 +148,17 @@ config:
 # 2. Override these values in your values.yaml or use external secret management
 # 3. Each secret must be exactly 32 hex characters (16 bytes)
 secrets:
+  # Name of existing secret to use instead of creating one
+  # If empty, a secret will be created with the values below
+  # The secret must contain the following keys:
+  #   - session-secret
+  #   - magic-link-secret  
+  #   - encryption-key
+  #   - managed-worker-secret
+  #   - object-store-access-key-id
+  #   - object-store-secret-access-key
+  existingSecret: ""
+  
   # Session secret for user authentication (32 hex chars)
   sessionSecret: "2818143646516f6fffd707b36f334bbb"
   # Magic link secret for passwordless login (32 hex chars)