feat: support quick-start object storage secret refs #982

Open
yoosful wants to merge 1 commit into NVIDIA:main from yoosful:feat/quick-start-object-storage-secret-refs

@yoosful yoosful commented May 11, 2026

Description

Fixes #723.

Adds quick-start chart support for sourcing object storage access keys from an existing Kubernetes Secret instead of rendering them as plain Helm values in the config-setup Job manifest.

New values:

global:
  objectStorage:
    existingSecret:
      name: my-s3-secret
      accessKeyIdKey: access-key-id
      accessKeyKey: access-key

When existingSecret.name is set, OBJECT_STORAGE_ACCESS_KEY_ID and OBJECT_STORAGE_ACCESS_KEY use valueFrom.secretKeyRef. When it is unset, the chart preserves the existing value: behavior for backward compatibility.

Why

The quick-start chart previously required object storage secrets to be stored directly in values files. That exposes credentials in rendered manifests and Helm release secrets. This keeps the existing simple local defaults while allowing production deployments to provide credentials through Kubernetes Secrets.

Validation

  • helm lint deployments/charts/quick-start
  • helm template osmo deployments/charts/quick-start --show-only templates/config-setup.yaml
  • helm template osmo deployments/charts/quick-start --show-only templates/config-setup.yaml --set global.objectStorage.existingSecret.name=my-s3-secret --set global.objectStorage.existingSecret.accessKeyIdKey=access-key-id --set global.objectStorage.existingSecret.accessKeyKey=access-key
  • Rendered the secret-backed config-setup Job and validated it against an EKS API server dry-run three times:
    • kubectl apply --dry-run=server -f <rendered-config-setup> x3
  • Rendered the default config-setup Job and validated it once with EKS API server dry-run to confirm backward-compatible plain-value manifests remain valid.
  • Created a temporary Kubernetes Secret and pod on EKS using the same secretKeyRef shape; the pod verified both object storage environment variables and exited successfully. Temporary validation resources were deleted afterward.

Checklist

  • I am familiar with the Contributing Guidelines.
  • New or existing tests cover these changes.
  • The documentation is up to date with these changes.

Summary by CodeRabbit

  • New Features

    • Quick Start Helm Chart now supports sourcing object storage credentials from existing Kubernetes Secrets, offering an alternative to direct configuration values.
  • Documentation

    • Updated configuration documentation to describe the new secret-based credential option and its setup parameters.

@yoosful yoosful requested a review from a team as a code owner May 11, 2026 03:49
@github-actions github-actions Bot added the external The author is not in @NVIDIA/osmo-dev label May 11, 2026
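
Added example, not part of the PR or the project's code: a shell check a reviewer could run over `helm template` output to confirm that the two object storage variables named in the description are no longer rendered as inline `value:` entries. The sample manifests are constructed, and the function name `inline_secret_envs` is hypothetical.

```shell
# Added example: list credential env vars rendered with an inline `value:`.
# Env var names come from the PR description; the manifests are constructed.
SENSITIVE_ENVS="OBJECT_STORAGE_ACCESS_KEY_ID OBJECT_STORAGE_ACCESS_KEY"
# Reads a rendered manifest on stdin and prints each watched env name that
# carries a literal value. Assumes every env entry starts with "- name:".
inline_secret_envs() {
  awk -v names="$SENSITIVE_ENVS" '
    BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) watch[a[i]] = 1 }
    /^[ \t]*-[ \t]+name:/ {
      cur = $0
      sub(/^[ \t]*-[ \t]+name:[ \t]*/, "", cur)
      gsub(/[" \t]/, "", cur)
      next
    }
    /^[ \t]*value:/ { if (cur in watch) print cur }
  '
}

# Constructed sample: default render with plain Helm values.
plain_manifest() { cat <<'EOF'
      - name: config-setup
        env:
        - name: OBJECT_STORAGE_ACCESS_KEY_ID
          value: "EXAMPLE-KEY-ID"
        - name: OBJECT_STORAGE_ACCESS_KEY
          value: "EXAMPLE-KEY"
EOF
}

# Constructed sample: render with existingSecret.name=my-s3-secret.
secret_manifest() { cat <<'EOF'
      - name: config-setup
        env:
        - name: OBJECT_STORAGE_ACCESS_KEY_ID
          valueFrom:
            secretKeyRef:
              name: my-s3-secret
              key: access-key-id
        - name: OBJECT_STORAGE_ACCESS_KEY
          valueFrom:
            secretKeyRef:
              name: my-s3-secret
              key: access-key
EOF
}

echo "plain render:";  plain_manifest  | inline_secret_envs
echo "secret render:"; secret_manifest | inline_secret_envs
```

Against a real chart, pipe the output of the `helm template ... --show-only templates/config-setup.yaml` commands listed under Validation into `inline_secret_envs`; empty output means neither variable is rendered in plain text.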

coderabbitai Bot commented May 11, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a4924adc-5fc1-484b-b821-0448adad0ccb

📥 Commits

Reviewing files that changed from the base of the PR and between c7bdfd4 and 1544de8.

📒 Files selected for processing (3)
  • deployments/charts/quick-start/README.md
  • deployments/charts/quick-start/templates/config-setup.yaml
  • deployments/charts/quick-start/values.yaml

Walkthrough

The quick-start Helm chart now supports using Kubernetes Secrets for object storage credentials. A new global.objectStorage.existingSecret configuration block is added to values.yaml, and the config-setup Job template conditionally uses valueFrom.secretKeyRef to reference credentials from the specified Secret, with fallback to direct values when not configured.

Changes

Kubernetes Secret Support for Object Storage Credentials

| Layer / File(s) | Summary |
|---|---|
| Configuration Schema: deployments/charts/quick-start/values.yaml | New global.objectStorage.existingSecret block added with name, accessKeyIdKey, and accessKeyKey fields to reference pre-created Kubernetes Secrets. |
| Template Implementation: deployments/charts/quick-start/templates/config-setup.yaml | Environment variables OBJECT_STORAGE_ACCESS_KEY_ID and OBJECT_STORAGE_ACCESS_KEY are updated to use valueFrom.secretKeyRef when global.objectStorage.existingSecret.name is set, falling back to direct values otherwise. |
| Documentation: deployments/charts/quick-start/README.md | Global Configuration parameter table is extended to document the new global.objectStorage.existingSecret fields. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Secrets hidden in K8s, safe and sound,
No plain text scattered all around,
Existing Secrets now find their way,
Into config-setup, hooray, hooray! 🔐

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely summarizes the main feature: adding support for object storage secret references in the quick-start Helm chart. |
| Linked Issues check | ✅ Passed | All requirements from issue #723 are met: the PR implements conditional secret reference support with valueFrom.secretKeyRef rendering, maintains backward compatibility with existing value: behavior, and includes proper configuration schema. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to implementing the feature requested in issue #723: README documentation, values schema definition, and config-setup template conditional logic for secret references. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


Development

Successfully merging this pull request may close these issues.

Kubernetes secret support
