From 1c9a170f0074598014a09528676516361f552cb4 Mon Sep 17 00:00:00 2001 From: charlie83Gs Date: Mon, 23 Mar 2026 11:52:07 -0600 Subject: [PATCH] fix(helm): use CNPG-generated secrets for DB passwords Read DB passwords from CNPG credential secrets by default, with configurable override via credentialsSecret field per database. Each DB section (graphDb, writeDb, hatchetDb) now accepts: credentialsSecret: "" # empty = use CNPG-generated -credentials credentialsSecret: "my-custom-secret" # use custom secret (key: password) Remove DB password keys from the chart-managed app secret. The app secret now only contains API keys, JWT, OAuth, and Hatchet token. Co-Authored-By: Claude Opus 4.6 (1M context) --- helm/knowledge-tree/templates/_helpers.tpl | 8 ++++---- helm/knowledge-tree/templates/hatchet-deployment.yaml | 4 ++-- helm/knowledge-tree/templates/secret.yaml | 3 --- helm/knowledge-tree/values.yaml | 3 +++ 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/helm/knowledge-tree/templates/_helpers.tpl b/helm/knowledge-tree/templates/_helpers.tpl index 7085c323..0a2846b8 100644 --- a/helm/knowledge-tree/templates/_helpers.tpl +++ b/helm/knowledge-tree/templates/_helpers.tpl @@ -140,13 +140,13 @@ Outputs a list of env var definitions. - name: GRAPH_DB_PASSWORD valueFrom: secretKeyRef: - name: {{ include "knowledge-tree.secretName" . }} - key: graph-db-password + name: {{ default (printf "%s-credentials" (include "knowledge-tree.graphDbName" .)) .Values.graphDb.credentialsSecret }} + key: password - name: WRITE_DB_PASSWORD valueFrom: secretKeyRef: - name: {{ include "knowledge-tree.secretName" . }} - key: write-db-password + name: {{ default (printf "%s-credentials" (include "knowledge-tree.writeDbName" .)) .Values.writeDb.credentialsSecret }} + key: password - name: HATCHET_CLIENT_TOKEN valueFrom: secretKeyRef: diff --git a/helm/knowledge-tree/templates/hatchet-deployment.yaml b/helm/knowledge-tree/templates/hatchet-deployment.yaml index 687f21f8..64eaccf8 100644 
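Review bot: Both new secretKeyRef names assume a `<cluster>-credentials` Secret exists with a `password` key, but nothing in this patch creates it — CNPG's own default for the application user is `<cluster>-app`, so `-credentials` only exists if the chart's Cluster template arranges it (e.g. `bootstrap.initdb.secret` or `managed.roles[].passwordSecret`), which is not visible here; a wrong name means the pod never starts (CreateContainerConfigError) rather than failing at connect time, so confirm it against the Cluster template. Worth a template comment above each reference, e.g. `{{/* DB password from the CNPG app-user secret (<cluster>-credentials) unless .credentialsSecret overrides it; key "password" is required in both cases */}}`. Note that a custom `credentialsSecret` is also pinned to `key: password`; if the override is meant to accept arbitrary secrets, either document that requirement in values.yaml or add a `credentialsSecretKey` value defaulting to `password`. The env-list helper this hunk belongs to starts and ends outside the hunk.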
--- a/helm/knowledge-tree/templates/hatchet-deployment.yaml +++ b/helm/knowledge-tree/templates/hatchet-deployment.yaml @@ -32,8 +32,8 @@ spec: - name: HATCHET_DB_PASSWORD valueFrom: secretKeyRef: - name: {{ include "knowledge-tree.secretName" . }} - key: hatchet-db-password + name: {{ default (printf "%s-credentials" (include "knowledge-tree.hatchetDbName" .)) .Values.hatchetDb.credentialsSecret }} + key: password - name: DATABASE_URL value: "postgresql://hatchet:$(HATCHET_DB_PASSWORD)@{{ include "knowledge-tree.hatchetDbHost" . }}:5432/hatchet?sslmode=disable" - name: SERVER_AUTH_COOKIE_DOMAIN diff --git a/helm/knowledge-tree/templates/secret.yaml b/helm/knowledge-tree/templates/secret.yaml index 4742124c..ee565754 100644 --- a/helm/knowledge-tree/templates/secret.yaml +++ b/helm/knowledge-tree/templates/secret.yaml @@ -7,9 +7,6 @@ metadata: {{- include "knowledge-tree.labels" . | nindent 4 }} type: Opaque stringData: - graph-db-password: {{ .Values.secrets.graphDbPassword | quote }} - write-db-password: {{ .Values.secrets.writeDbPassword | quote }} - hatchet-db-password: {{ .Values.secrets.hatchetDbPassword | quote }} openrouter-api-key: {{ .Values.secrets.openrouterApiKey | quote }} openai-api-key: {{ .Values.secrets.openaiApiKey | quote }} brave-key: {{ .Values.secrets.braveKey | quote }} diff --git a/helm/knowledge-tree/values.yaml b/helm/knowledge-tree/values.yaml index a15b8d62..4928a578 100644 --- a/helm/knowledge-tree/values.yaml +++ b/helm/knowledge-tree/values.yaml @@ -34,6 +34,7 @@ secrets: # CloudNativePG Databases # ============================================================================= graphDb: + credentialsSecret: "" # if empty, uses CNPG-generated secret instances: 1 image: ghcr.io/cloudnative-pg/postgresql:16.8 storage: @@ -51,6 +52,7 @@ graphDb: memory: 2Gi writeDb: + credentialsSecret: "" # if empty, uses CNPG-generated secret instances: 1 image: ghcr.io/cloudnative-pg/postgresql:16 storage: 
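Review bot: `DATABASE_URL` on the context line just below still hard-codes the role name `hatchet`, while the password now comes from whichever Secret `hatchetDb.credentialsSecret` points at; CNPG-generated secrets also carry a `username` key and a custom secret may belong to a differently named role, so user and password can silently diverge and fail only at auth time. Read the user from the same Secret via a `HATCHET_DB_USER` env var placed before `DATABASE_URL` (Kubernetes `$(VAR)` expansion only resolves earlier entries) and reference both in the URL. Be aware that `$(VAR)` expansion does no URL-encoding, so a custom password containing `@`, `/`, `:` or `%` breaks the URL — document that restriction on `credentialsSecret` or have the app build the URL from separate env vars. `sslmode=disable` is pre-existing, but CNPG clusters serve TLS by default, so `sslmode=require` (or `verify-full` with the cluster CA) is likely available — confirm against the Cluster template.
```yaml
- name: HATCHET_DB_USER
  valueFrom:
    secretKeyRef:
      name: {{ default (printf "%s-credentials" (include "knowledge-tree.hatchetDbName" .)) .Values.hatchetDb.credentialsSecret }}
      key: username
# … unchanged: HATCHET_DB_PASSWORD env var …
- name: DATABASE_URL
  value: "postgresql://$(HATCHET_DB_USER):$(HATCHET_DB_PASSWORD)@{{ include "knowledge-tree.hatchetDbHost" . }}:5432/hatchet?sslmode=disable"
```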
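Review bot: The inline comment `# if empty, uses CNPG-generated secret` does not tell an operator which Secret is read or what a custom one must contain; the helper resolves it to `<graphDb cluster name>-credentials` and always reads key `password`. Spell that out on the new line: `credentialsSecret: ""  # Secret holding the DB password under key "password"; empty = the CNPG-managed <cluster>-credentials Secret`. If `secrets.graphDbPassword`, `secrets.writeDbPassword` and `secrets.hatchetDbPassword` still exist in the `secrets:` block above (outside this hunk), they are now dead values since secret.yaml no longer renders them, and should be removed so nobody believes they still set a password.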
@@ -66,6 +68,7 @@ writeDb: memory: 2Gi hatchetDb: + credentialsSecret: "" # if empty, uses CNPG-generated secret instances: 1 image: ghcr.io/cloudnative-pg/postgresql:16 storage:
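Review bot: For `hatchetDb.credentialsSecret` the comment should also state that the password must belong to the `hatchet` role, because `hatchet-deployment.yaml` hard-codes `postgresql://hatchet:…` in `DATABASE_URL` and reads only the `password` key from this Secret — a custom Secret for any other role authenticates as the wrong user and fails. Suggested: `credentialsSecret: ""  # password for the "hatchet" role (key: "password"); empty = CNPG-managed <cluster>-credentials Secret`. The `hatchetDb:` block continues past the end of this hunk.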