apache · catpineapple · Nov 10, 2025 · Nov 6, 2025 · Nov 7, 2025
diff --git a/helm-charts/doris-operator/templates/deployment.yaml b/helm-charts/doris-operator/templates/deployment.yaml
@@ -141,3 +141,7 @@ spec:
       nodeSelector:
         {{- toYaml .Values.dorisOperator.nodeSelector | nindent 8 }}
       {{- end }}
+      {{- if .Values.dorisOperator.tolerations }}
+      tolerations:
+        {{- toYaml .Values.dorisOperator.tolerations | nindent 8 }}
+      {{- end }}
diff --git a/helm-charts/doris-operator/values.yaml b/helm-charts/doris-operator/values.yaml
@@ -31,6 +31,12 @@ dorisOperator:
     # kubernetes.io/arch: amd64
     # kubernetes.io/os: linux
     # app.kubernetes.node.name: "k8s-node1"
+  tolerations: []
+    # tolerations for operator pod assignment
+    # - key: "example-key"
+    #   operator: "Equal"
+    #   value: "example-value"
+    #   effect: "NoSchedule"
   resources: {}
   # resources used to specify compute resources, default is 2c 4Gi, the resource follow k8s requests and limits config.(https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits)
   # requests:

diff --git a/helm-charts/doris/README.md b/helm-charts/doris/README.md
@@ -55,6 +55,26 @@ Observe that the Pod of `doriscluster` is in the `Running` state and all contain
     doriscluster-helm-be-2   1/1     Running   0          16s
    ```
 
+## Authentication Options
+
+The chart supports three authentication methods (in order of precedence):
+1. `adminUser` - Plain text credentials (not recommended)
+2. `authSecret` - Helm creates a secret from base64 values
+3. `authSecretName` - Reference an existing secret (recommended)
+
+### Using External Secret (Recommended)
+```bash
+# Create secret
+kubectl create secret generic doris-auth \
+  --type=kubernetes.io/basic-auth \
+  --from-literal=username=root \
+  --from-literal=password='your-password'
+
+# Reference in values.yaml
+dorisCluster:
+  authSecretName: "doris-auth"
+```
+
 ## Uninstall doriscluster
 Please confirm the Doris is not used, when using next command to uninstall `doriscluster`.
 ```bash

diff --git a/helm-charts/doris/templates/doriscluster.yaml b/helm-charts/doris/templates/doriscluster.yaml
@@ -36,6 +36,9 @@ spec:
     {{- toYaml .Values.dorisCluster.adminUser | nindent 4 }}
   {{- else if .Values.dorisCluster.authSecret }}
   authSecret: {{ template "doriscluster.secret.name" . }}
+  {{- else if .Values.dorisCluster.authSecretName }}
+  # Reference an existing secret
+  authSecret: {{ .Values.dorisCluster.authSecretName }}
   {{- end }}
   feSpec:
     {{- if .Values.feSpec.annotations }}

diff --git a/helm-charts/doris/values.yaml b/helm-charts/doris/values.yaml
@@ -34,7 +34,13 @@ dorisCluster:
   adminUser: {}
   # name: root
   # password: "12345"
-  # use authSecret can encrypt and save passwords, recommend this method
+  # Option 1: Reference an existing secret
+  # Use this when you have created a secret outside of this Helm chart
+  # Example: kubectl create secret generic doris-auth --type=kubernetes.io/basic-auth --from-literal=username=root --from-literal=password='your-password'
+  authSecretName: ""
+  # Example: authSecretName: "doris-auth"
+
+  # Option 2: use authSecret can encrypt and save passwords
   # 1. run shell:  echo -n '{your_password}' | base64    to get password base64 string
   # 2. run shell:  echo -n '{your_user}' | base64        to get user base64 string
   # 3. Fill the encrypted string into the corresponding position