refactor deployment templates to properly handle Azure AKS secrets provider configuration

emmanuelmathot · emmanuelmathot · commit d8c244023e2c · 2025-03-13T11:22:11.000+01:00
diff --git a/helm-chart/eoapi/templates/db/deployment.yaml b/helm-chart/eoapi/templates/db/deployment.yaml
@@ -73,12 +73,4 @@ spec:
         - name: initdb-sh-volume-{{ $.Release.Name }}
           configMap:
             name: initdb-sh-config-{{ $.Release.Name }}
-        {{- if .Values.azure.aksSecretsProviderAvailable }}
-        - name: pgstac-secrets-{{ $.Release.Name }}
-          csi:
-            driver: secrets-store.csi.k8s.io
-            readOnly: true
-            volumeAttributes:
-              secretProviderClass: azure-secret-provider-{{ $.Release.Name }}
-        {{- end }}
 {{- end }}
diff --git a/helm-chart/eoapi/templates/services/deployment.yaml b/helm-chart/eoapi/templates/services/deployment.yaml
@@ -87,12 +87,26 @@ spec:
         - secretRef:
             name: pgstac-secrets-{{ $.Release.Name }}
         {{- end }}
+        # TODO (emmanuel): choose another name to not mix up with the db secret if internal DB
+        {{- if .Values.azure.aksSecretsProviderAvailable }}
+         - secretRef:
+            name: pgstac-secrets-{{ $.Release.Name }}
+        {{- end }}
         {{- if index $v "settings" "envSecrets" }}
         {{- range $secret := index $v "settings" "envSecrets" }}
         - secretRef:
             name: {{ $secret }}
         {{- end }}
         {{- end }}
+      volumes:
+        {{- if .Values.azure.aksSecretsProviderAvailable }}
+        - name: pgstac-secrets-{{ $.Release.Name }}
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: azure-secret-provider-{{ $.Release.Name }}
+        {{- end }}
       {{- with index $v "settings" "affinity" }}
       affinity:
         {{- toYaml . | nindent 8 }}
