Moved pgstac secrets to proper values section.

Author: pantierra

helm-chart/eoapi-notifier/README.md

@@ -20,13 +20,17 @@ helm install eoapi-notifier oci://ghcr.io/developmentseed/charts/eoapi-notifier
 ```yaml
 config:
   sources:
-    - type: postgres
+    - type: pgstac
       config:
-        host: postgresql
-        port: 5432
-        database: postgis
-        username: postgres
-        password: password
+        connection:
+          existingSecret:
+            name: "postgresql-credentials"
+            keys:
+              username: "user"
+              password: "password"
+              host: "host"
+              port: "port"
+              database: "dbname"
 
   outputs:
     - type: mqtt
@@ -45,11 +49,8 @@ config:
             name: my-channel-1
             namespace: serverless
 
-secrets:
-  postgresql:
-    create: true
-    username: postgres
-    password: password
+# Connection credentials should be provided via existing Kubernetes secrets
+# Referenced in sources[].config.connection.existingSecret
 
 resources:
   limits:

helm-chart/eoapi-notifier/templates/configmap.yaml

@@ -12,7 +12,16 @@ data:
     {{- range .Values.config.sources}}
       - type: {{.type}}
         config:
+          {{- if eq .type "pgstac"}}
+          # Connection details provided via environment variables
+          host: localhost
+          port: 5432
+          database: postgis
+          user: postgres
+          password: password
+          {{- else}}
           {{- toYaml .config | nindent 10}}
+          {{- end}}
     {{- end}}
 
     outputs:

helm-chart/eoapi-notifier/templates/deployment.yaml

@@ -13,7 +13,7 @@ spec:
     metadata:
       annotations:
         checksum/config: {{include (print $.Template.BasePath "/configmap.yaml") . | sha256sum}}
-        checksum/secret: {{include (print $.Template.BasePath "/secret-postgresql.yaml") . | sha256sum}}
+
       labels:
         {{- include "eoapi-notifier.selectorLabels" . | nindent 8}}
     spec:
@@ -38,17 +38,35 @@ spec:
           env:
             - name: UV_CACHE_DIR
               value: "/tmp"
-            {{- if .Values.secrets.postgresql.create }}
-            - name: POSTGRES_USERNAME
+            {{- range $source := .Values.config.sources }}
+            {{- if and (eq $source.type "pgstac") $source.config.connection.existingSecret.name }}
+            {{- $secret := $source.config.connection.existingSecret }}
+            - name: PGSTAC_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $secret.name }}
+                  key: {{ $secret.keys.host }}
+            - name: PGSTAC_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $secret.name }}
+                  key: {{ $secret.keys.port }}
+            - name: PGSTAC_DATABASE
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $secret.name }}
+                  key: {{ $secret.keys.database }}
+            - name: PGSTAC_USER
               valueFrom:
                 secretKeyRef:
-                  name: {{ include "eoapi-notifier.fullname" . }}-postgresql
-                  key: username
-            - name: POSTGRES_PASSWORD
+                  name: {{ $secret.name }}
+                  key: {{ $secret.keys.username }}
+            - name: PGSTAC_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: {{ include "eoapi-notifier.fullname" . }}-postgresql
-                  key: password
+                  name: {{ $secret.name }}
+                  key: {{ $secret.keys.password }}
+            {{- end }}
             {{- end }}
             {{- range $key, $value := .Values.env }}
             - name: {{ $key }}

helm-chart/eoapi-notifier/templates/secret-postgresql.yaml

@@ -45,12 +45,12 @@ spec:
       fi
       echo "✅ Config file accessible"
 
-      # Test environment variables are set
-      if [ -z "$POSTGRES_USERNAME" ] || [ -z "$POSTGRES_PASSWORD" ]; then
-        echo "❌ Database credentials not available"
-        exit 1
+      # Test environment variables are set (if secret is configured)
+      if [ -n "$PGSTAC_USER" ] && [ -n "$PGSTAC_PASSWORD" ]; then
+        echo "✅ Database credentials available"
+      else
+        echo "⚠️  Database credentials not configured (this may be expected)"
       fi
-      echo "✅ Environment variables set"
 
       # Test app starts (will fail to connect but shouldn't crash)
       echo "Testing app startup..."
@@ -60,16 +60,36 @@ spec:
 
       echo "✅ Application functionality test passed"
     env:
-    - name: POSTGRES_USERNAME
+    {{- range $source := .Values.config.sources }}
+    {{- if and (eq $source.type "pgstac") $source.config.connection.existingSecret.name }}
+    {{- $secret := $source.config.connection.existingSecret }}
+    - name: PGSTAC_HOST
+      valueFrom:
+        secretKeyRef:
+          name: {{ $secret.name }}
+          key: {{ $secret.keys.host }}
+    - name: PGSTAC_PORT
+      valueFrom:
+        secretKeyRef:
+          name: {{ $secret.name }}
+          key: {{ $secret.keys.port }}
+    - name: PGSTAC_DATABASE
+      valueFrom:
+        secretKeyRef:
+          name: {{ $secret.name }}
+          key: {{ $secret.keys.database }}
+    - name: PGSTAC_USER
       valueFrom:
         secretKeyRef:
-          name: {{ include "eoapi-notifier.fullname" . }}-postgresql
-          key: username
-    - name: POSTGRES_PASSWORD
+          name: {{ $secret.name }}
+          key: {{ $secret.keys.username }}
+    - name: PGSTAC_PASSWORD
       valueFrom:
         secretKeyRef:
-          name: {{ include "eoapi-notifier.fullname" . }}-postgresql
-          key: password
+          name: {{ $secret.name }}
+          key: {{ $secret.keys.password }}
+    {{- end }}
+    {{- end }}
     - name: UV_CACHE_DIR
       value: "/tmp"
     volumeMounts:

helm-chart/eoapi-notifier/templates/tests/app-test.yaml

@@ -41,42 +41,49 @@ spec:
       fi
       echo "✅ Outputs section found"
 
-      # Test that environment variables from secret are available
-      if [ -z "$POSTGRES_USERNAME" ]; then
-        echo "❌ POSTGRES_USERNAME not set"
-        exit 1
-      fi
-      echo "✅ PostgreSQL username available"
-
-      if [ -z "$POSTGRES_PASSWORD" ]; then
-        echo "❌ POSTGRES_PASSWORD not set"
-        exit 1
-      fi
-      echo "✅ PostgreSQL password available"
-
-      # Test that environment variables work (they should override config)
-      echo "Testing environment variable override capability..."
-      if [ "$POSTGRES_USERNAME" != "postgres" ] || [ "$POSTGRES_PASSWORD" != "password" ]; then
+      # Test that environment variables from secret are available (if configured)
+      if [ -n "$PGSTAC_USER" ] && [ -n "$PGSTAC_PASSWORD" ]; then
+        echo "✅ PostgreSQL credentials available via environment variables"
         echo "✅ Environment variables are being used for secrets"
       else
-        echo "⚠️  Using default values (this may be expected in some environments)"
+        echo "⚠️  PostgreSQL credentials not configured via environment (this may be expected)"
       fi
 
       # Test config file format
       cat /app/config/config.yaml | head -20
 
       echo "✅ Configuration test passed"
     env:
-    - name: POSTGRES_USERNAME
+    {{- range $source := .Values.config.sources }}
+    {{- if and (eq $source.type "pgstac") $source.config.connection.existingSecret.name }}
+    {{- $secret := $source.config.connection.existingSecret }}
+    - name: PGSTAC_HOST
+      valueFrom:
+        secretKeyRef:
+          name: {{ $secret.name }}
+          key: {{ $secret.keys.host }}
+    - name: PGSTAC_PORT
+      valueFrom:
+        secretKeyRef:
+          name: {{ $secret.name }}
+          key: {{ $secret.keys.port }}
+    - name: PGSTAC_DATABASE
+      valueFrom:
+        secretKeyRef:
+          name: {{ $secret.name }}
+          key: {{ $secret.keys.database }}
+    - name: PGSTAC_USER
       valueFrom:
         secretKeyRef:
-          name: {{ include "eoapi-notifier.fullname" . }}-postgresql
-          key: username
-    - name: POSTGRES_PASSWORD
+          name: {{ $secret.name }}
+          key: {{ $secret.keys.username }}
+    - name: PGSTAC_PASSWORD
       valueFrom:
         secretKeyRef:
-          name: {{ include "eoapi-notifier.fullname" . }}-postgresql
-          key: password
+          name: {{ $secret.name }}
+          key: {{ $secret.keys.password }}
+    {{- end }}
+    {{- end }}
     volumeMounts:
     - name: config
       mountPath: /app/config

helm-chart/eoapi-notifier/templates/tests/config-test.yaml

@@ -42,58 +42,49 @@ affinity: {}
 # Application configuration
 config:
   logLevel: INFO
+
+  # Sources: Define where notifications come from
   sources:
-    - type: postgres
+    - type: pgstac
       config:
-        host: postgresql
-        port: 5432
-        database: postgis
-        username: postgres
-        password: password
+        # Database connection from existing Kubernetes secret
+        connection:
+          existingSecret:
+            name: ""
+            keys:
+              username: "user"
+              password: "password"
+              host: "host"
+              port: "port"
+              database: "dbname"
+        # Optional pgSTAC settings:
+        # tables: ["items", "collections"]
+        # min_connections: 1
+        # max_connections: 10
+        # enable_correlation: true
 
+  # Outputs: Define where notifications are sent
   outputs:
     - type: mqtt
       config:
         broker_host: mqtt-broker
         broker_port: 1883
+        # Optional: username, password, use_tls, topic, qos
 
     - type: cloudevents
       config:
         source: /eoapi/pgstac
         event_type: org.eoapi.stac.item
+        # For KNative SinkBinding:
         destination:
           ref:
             apiVersion: messaging.knative.dev/v1
             kind: Broker
             name: my-channel-1
             namespace: serverless
+        # For HTTP endpoints, use: endpoint: https://webhook.example.com
 
-# Secrets
-secrets:
-  postgresql:
-    create: true
-    username: postgres
-    password: password
-
-# Environment variables
-# These will be injected as environment variables and automatically override config values
-# Use plugin-prefixed variables: PGSTAC_PASSWORD, MQTT_USERNAME, CLOUDEVENTS_ENDPOINT, etc
-#
-# KNative Support:
-# The cloudevents plugin supports K_SINK variables for KNative SinkBinding:
-# - K_SINK: Overrides CLOUDEVENTS_ENDPOINT (automatically set by SinkBinding)
-# - K_CE_OVERRIDE: A JSON object that specifies overrides to the outbound event.
+# Environment variables override config values with plugin prefixes
+# Examples: PGSTAC_PASSWORD, MQTT_USERNAME, CLOUDEVENTS_ENDPOINT
+# KNative: K_SINK automatically overrides CLOUDEVENTS_ENDPOINT
 env: {}
-  # Examples - Standard environment variables:
-  # PGSTAC_HOST: postgresql-service
-  # PGSTAC_PORT: "5432"
-  # PGSTAC_PASSWORD: secret-password
-  # MQTT_BROKER_HOST: mqtt-broker-service
-  # MQTT_USE_TLS: "true"
-  #
-  # CloudEvents examples:
-  # CLOUDEVENTS_ENDPOINT: https://my-webhook-url
-  # CLOUDEVENTS_SOURCE: /eoapi/stac/production
-  # CLOUDEVENTS_EVENT_TYPE: org.eoapi.stac.item
-  #
-  # KNative SinkBinding automatically sets K_SINK environment variable