feat(drupal): Proper secret handling

sylus · sylus · commit 90a196b98b9e · 2026-03-22T17:43:53.000-04:00
diff --git a/charts/drupal/Chart.yaml b/charts/drupal/Chart.yaml
@@ -1,7 +1,7 @@
 name: drupal
 apiVersion: v2
 type: application
-version: 2.0.0-beta6
+version: 2.0.0-beta7
 appVersion: 6.1.4
 description: Helm Chart for deploying an enterprise-grade Drupal environment.
 keywords:
diff --git a/charts/drupal/templates/_helpers.tpl b/charts/drupal/templates/_helpers.tpl
@@ -78,7 +78,7 @@ Create common environment variables for Drupal
 - name: EXTERNAL_PASSWORD
   valueFrom:
     secretKeyRef:
-      name: {{ template "drupal.fullname" . }}
+      name: {{ default (include "drupal.fullname" .) .Values.drupal.existingSecret }}
       key: databasePassword
 {{- else if and .Values.mysql.enabled }}
 - name: MYSQL_PASSWORD
@@ -101,10 +101,15 @@ Create common environment variables for Drupal
       key: default-password
 {{- end }}
 {{- if not .Values.drupal.usePasswordFiles }}
+- name: DRUPAL_ADMIN
+  valueFrom:
+    secretKeyRef:
+      name: {{ default (include "drupal.fullname" .) .Values.drupal.existingSecret }}
+      key: username
 - name: DRUPAL_ADMIN_PASSWORD
   valueFrom:
     secretKeyRef:
-      name: {{ include "drupal.fullname" . }}
+      name: {{ default (include "drupal.fullname" .) .Values.drupal.existingSecret }}
       key: password
 {{- end }}
 {{- end -}}
diff --git a/charts/drupal/templates/secret/drupal.yaml b/charts/drupal/templates/secret/drupal.yaml
@@ -1,20 +1,18 @@
-{{- if not .Values.drupal.usePasswordFiles }}
-{{- $name := include "drupal.fullname" . -}}
-{{- $existing := lookup "v1" "Secret" .Release.Namespace $name -}}
+{{- if and (not .Values.drupal.usePasswordFiles) (not .Values.drupal.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ $name }}
+  name: {{ include "drupal.fullname" . }}
   labels:
     app.kubernetes.io/name: {{ include "drupal.name" . }}
     helm.sh/chart: {{ include "drupal.chart" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 type: Opaque
 data:
-  username: {{ if and $existing (hasKey $existing.data "username") }}{{ index $existing.data "username" | quote }}{{ else if .Values.drupal.username }}{{ .Values.drupal.username | b64enc | quote }}{{ else }}{{ "admin" | b64enc | quote }}{{ end }}
-  password: {{ if and $existing (hasKey $existing.data "password") }}{{ index $existing.data "password" | quote }}{{ else if .Values.drupal.password }}{{ .Values.drupal.password | b64enc | quote }}{{ else }}{{ randAlphaNum 10 | b64enc | quote }}{{ end }}
+  username: {{ default "admin" .Values.drupal.username | b64enc | quote }}
+  password: {{ default (randAlphaNum 10) .Values.drupal.password | b64enc | quote }}
   {{- if .Values.external.enabled }}
-  databasePassword: {{ if and $existing (hasKey $existing.data "databasePassword") }}{{ index $existing.data "databasePassword" | quote }}{{ else }}{{ .Values.external.password | b64enc | quote }}{{ end }}
+  databasePassword: {{ .Values.external.password | b64enc | quote }}
   {{- end }}
 {{- end }}
diff --git a/charts/drupal/values.yaml b/charts/drupal/values.yaml
@@ -62,6 +62,7 @@ drupal:
 
   ## User of the application
   ##
+  existingSecret: ""
   username: admin
 
   ## Application password
