Support for external secrets (#299)

## Description

Supports mixing secrets in values.yaml and in external secrets, and
allows a optional value ({chart}exportarr, eg "sonarrexportarr" that if
set contains the name of the key to use for the API in the exportarr
deployment. If that key is not set, it uses the default "apiKey" that
was used before. When defining secrets in values.yaml, you can either
provide a value, or a reference to an external secret. Adds capability
requested in #285

```
secrets:
  - name: 'sonarr-apikey'
    value: '12345'
  - name: 'sonarrexportarr'
    value: 'sonarr-apikey'
  - name: 'externalSecret'
    ref: 'mysecret'
```

When "ref" is defined, it will (in the example above) look for a secret
with the name 'mysecret' and then pull the value from the key
'externalSecret'.

This increments the base chart, but does not break any of the existing
charts and defaults, and will not break existing deployments. Given that
it is difficult to insert comments in the template files, there are
none. Was not sure the right place to document this, as it is
technically available to all charts. If desired, I can add to the base
values.yaml for the main template chart.

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] Non-breaking change which adds functionality
- [ ] Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] Documentation update

## Checklist

- [ ] I have updated the chart version in `Chart.yaml` according to
[semantic versioning](https://semver.org/).
- [ ] I have included any new or changed values in the `values.yaml`
file and documented them in the README if applicable.
- [x] My changes are tested and proven to work.
- [x] I have performed a self-review of my own code.
- [ ] I have commented my code, particularly in hard-to-understand
areas.
- [ ] I have made corresponding changes to the documentation.
- [x] My changes generate no new warnings.

## Testing

Please describe the tests that you ran to verify your changes. Provide
instructions so reviewers can reproduce the testing. Also, list any
relevant details for your test configuration.

- Deployed and confirmed working in my test kubernetes cluster.

## Additional Information

I've tested this pretty hard, but would recommend a close review before
accepting the PR.

Author: drinkataco

Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: 'v2'
 name: 'media-servarr-base'
 description: 'Base chart for media-servarr charts'
 type: 'application'
-version: 0.10.0
+version: 0.11.0
 icon: 'https://github.com/drinkataco/media-servarr/blob/main/icon.png'

charts/bazarr/Chart.yaml

@@ -13,12 +13,12 @@ keywords:
   - 'bazarr'
 kubeversion: ">=1.24.0-0"
 type: 'application'
-version: 0.9.2
+version: 0.10.0
 appVersion: 1.5.5
 icon: 'https://github.com/drinkataco/media-servarr/blob/main/charts/bazarr/icon.png'
 dependencies:
   - name: 'media-servarr-base'
-    version: 0.10.0
+    version: 0.11.0
     repository: "file://../.."
 maintainers:
   - name: 'media-servarr'

charts/bazarr/README.md

@@ -44,14 +44,19 @@ Use `openssl rand -hex 16` to generate a key and replace the default value. If u
 
 ```yaml
 secrets:
+  # inline value
   - name: 'apiKey'
     value: 'your-api-key-here'
+
+  # reference pre-existing Secret
   - name: 'sonarrApiKey'
-    value: ''
+    ref: 'sonarr-api-key'
   - name: 'radarrApiKey'
-    value: ''
+    ref: 'radarr-api-key'
 ```
 
+When `ref` is set, the chart reads key `name` from the Secret named by `ref` in the same namespace.
+
 By not setting this value, and leaving it blank, Bazarr will automatically generate a new key on start.
 
 ### Application Configuration
@@ -144,9 +149,14 @@ ingress:
 
 Enabling metrics enables a sidecar container being attached for [exportarr](https://github.com/onedr0p/exportarr/) - and a ServiceMonitor CRD to be consumed by the [kube-prometheus](https://github.com/prometheus-operator/kube-prometheus) package.
 
+By default, Exportarr reads the `apiKey` from this chart's Secret. If you need Exportarr to read a different Secret/key, set `metrics.apiref`.
+
 ```yaml
 metrics:
   enabled: true
+  apiref:
+    secret: 'my-existing-secret'
+    keyname: 'apiKey'
   env: []
 ```
 

charts/bazarr/values.yaml

@@ -8,10 +8,13 @@ fullnameOverride: ''
 secrets:
   - name: 'apiKey'
     value: ''
+    # ref: 'my-existing-secret' # existing secret
   # - name: 'sonarrApiKey'
   #   value: ''
+  #   # ref: 'sonarr-api-secret' # existing secret
   # - name: 'radarrApiKey'
   #   value: ''
+  #   # ref: 'radarr-api-secret' # existing secret
 
 #
 # Application Config

charts/cleanuparr/Chart.yaml

@@ -12,12 +12,12 @@ keywords:
   - 'whisparr'
 kubeversion: ">=1.24.0-0"
 type: 'application'
-version: 0.7.0
+version: 0.8.0
 appVersion: 2.6.3
 icon: 'https://github.com/drinkataco/media-servarr/blob/main/charts/cleanuparr/icon.png'
 dependencies:
   - name: 'media-servarr-base'
-    version: 0.10.0
+    version: 0.11.0
     repository: "file://../.."
 maintainers:
   - name: 'media-servarr'

charts/cleanuparr/README.md

@@ -36,6 +36,27 @@ Pointing the host `media-servarr.local` to your kubernetes cluster will then all
 
 Here is some example of some configuration you may want to override (and include in installation with `-f myvalues.yaml`
 
+### Secrets
+
+Cleanuparr defines `apiKey` by default, and you can optionally define integration keys such as `sonarrApiKey` and `radarrApiKey`.
+
+You can either define secret values directly in your chart values, or reference keys from an existing Secret.
+
+```yaml
+secrets:
+  # inline value
+  - name: 'apiKey'
+    value: 'your-api-key-here'
+
+  # reference pre-existing Secret
+  - name: 'sonarrApiKey'
+    ref: 'sonarr-api-secret'
+  - name: 'radarrApiKey'
+    ref: 'radarr-api-secret'
+```
+
+When `ref` is set, the chart reads key `name` from the Secret named by `ref` in the same namespace.
+
 ### Application Configuration
 
 Application configuration is managed via the GUI and stored in the application database.

charts/cleanuparr/values.yaml

@@ -8,10 +8,13 @@ fullnameOverride: ''
 secrets:
   - name: 'apiKey'
     value: ''
+    # ref: 'my-existing-secret' # existing secret
   # - name: 'sonarrApiKey'
   #   value: ''
+  #   # ref: 'sonarr-api-secret' # existing secret
   # - name: 'radarrApiKey'
   #   value: ''
+  #   # ref: 'radarr-api-secret' # existing secret
 
 #
 # Application Config
@@ -67,4 +70,3 @@ persistentVolumeClaims:
 
 ingress:
   enabled: true
-

charts/flaresolverr/Chart.yaml

@@ -9,12 +9,12 @@ keywords:
   - 'bypass'
 kubeVersion: ">=1.24.0-0"
 type: 'application'
-version: 0.9.1
+version: 0.10.0
 appVersion: v3.4.6
 icon: 'https://github.com/drinkataco/media-servarr/blob/main/charts/flaresolverr/icon.png'
 dependencies:
   - name: 'media-servarr-base'
-    version: 0.10.0
+    version: 0.11.0
     repository: "file://../.."
 maintainers:
   - name: 'media-servarr'

charts/homarr/Chart.yaml

@@ -7,12 +7,12 @@ keywords:
   - 'homarr'
 kubeversion: ">=1.24.0-0"
 type: 'application'
-version: 0.27.0
+version: 0.28.0
 appVersion: v1.53.1
 icon: 'https://github.com/drinkataco/media-servarr/blob/main/charts/homarr/icon.png'
 dependencies:
   - name: 'media-servarr-base'
-    version: 0.10.0
+    version: 0.11.0
     repository: "file://../.."
 maintainers:
   - name: 'media-servarr'

charts/huntarr/Chart.yaml

@@ -13,12 +13,12 @@ keywords:
   - 'whisparr'
 kubeversion: ">=1.24.0-0"
 type: 'application'
-version: 1.2.0
+version: 1.3.0
 appVersion: 9.3.7
 icon: 'https://github.com/drinkataco/media-servarr/blob/main/charts/huntarr/icon.png'
 dependencies:
   - name: 'media-servarr-base'
-    version: 0.10.0
+    version: 0.11.0
     repository: "file://../.."
 maintainers:
   - name: 'media-servarr'