Support save password to secret (#1258)

<!--
### Contribution Checklist
  
- Name the pull request in the form "[charts/<chart-name>] Title of the
pull request".
Skip *[charts/<chart-name>]* if the PR doesn't change a specific chart.
E.g. `[docs] Fix typo in README`.

- Fill out the template below to describe the changes contributed by the
pull request. That will give reviewers the context they need to do the
review.
  
- Each pull request should address only one issue, not mix up code from
multiple issues.
  
  - Each commit in the pull request has a meaningful commit message

- Once all items of the checklist are addressed, remove the above text
and this checklist, leaving only the filled out template below.

**(The sections below can be removed for hotfixes of typos)**
-->

*(If this PR fixes a github issue, please add `Fixes #<xyz>`.)*

Fixes #<xyz>

*(or if this PR is one task of a github issue, please add `Master Issue:
#<xyz>` to link to the master issue.)*

Master Issue: #<xyz>

### Motivation

*Explain here the context, and why you're making that change. What is
the problem you're trying to solve.*

### Modifications

*Describe the modifications you've done.*

### Verifying this change

- [ ] Make sure that the change passes the CI checks.

*(Please pick either of the following options)*

This change is a trivial rework / code cleanup without any test
coverage.

*(or)*

This change is already covered by existing tests, such as *(please
describe tests)*.

*(or)*

This change added tests and can be verified as follows:

*(example:)*
- *Added integration tests for end-to-end deployment with large payloads
(10MB)*
  - *Extended integration test for recovery after broker failure*

### Documentation

Check the box below.

Need to update docs? 

- [ ] `doc-required` 
  
  (If you need help on updating docs, create a doc issue)
  
- [ ] `no-need-doc` 
  
  (Please explain why)
  
- [ ] `doc` 
  
  (If this PR contains doc changes)

Author: tuteng

charts/sn-platform-slim/templates/streamnative-console/streamnative-console-statefulset.yaml

@@ -134,6 +134,12 @@ spec:
               if [ -f "/pulsar-manager/secrets/pulsar-jwt/TOKEN" ]; then
                 export TOKEN=$(cat /pulsar-manager/secrets/pulsar-jwt/TOKEN)
               fi
+              if [ -f "/pulsar-manager/secrets/db-password/DB_PASSWORD" ]; then
+                export DB_PASSWORD=$(cat /pulsar-manager/secrets/db-password/DB_PASSWORD)
+              fi
+              if [ -f "/pulsar-manager/secrets/db-password/NEW_PASSWORD" ]; then
+                export NEW_PASSWORD=$(cat /pulsar-manager/secrets/db-password/NEW_PASSWORD)
+              fi
               /pulsar-manager/entrypoint.sh
           env:
           - name: SPRING_CONFIGURATION_FILE
@@ -148,18 +154,10 @@ spec:
           - name: GLOBAL_RESOURCE_READ_ONLY
             value: "true"
           {{- end }}
-          {{- if .Values.streamnative_console.configData.DB_PASSWORD }}
-          - name: DB_PASSWORD
-            value: {{ .Values.streamnative_console.configData.DB_PASSWORD | b64dec | quote }}
-          {{- end }}
           {{- if hasSuffix "-all" .Values.images.streamnative_console.tag }}
           - name: DB_BASE
             value: sqlite
           {{- end }}
-          {{- if .Values.streamnative_console.configData.NEW_PASSWORD }}
-          - name: NEW_PASSWORD
-            value: {{ .Values.streamnative_console.configData.NEW_PASSWORD | b64dec | quote }}
-          {{- end }}
           - name: CONNECTOR_ENABLED
             value: "{{ .Values.streamnative_console.configData.CONNECTOR_ENABLED | default "true" }}"
           {{- with .Values.streamnative_console.extraEnv }}
@@ -299,6 +297,11 @@ spec:
             mountPath: /pulsar-manager/secrets/pulsar-jwt
             readOnly: true
           {{- end }}
+          {{- if .Values.streamnative_console.dbPasswordSecret }}
+          - name: db-password-secret
+            mountPath: /pulsar-manager/secrets/db-password
+            readOnly: true
+          {{- end }}
         - name: "{{ template "pulsar.fullname" . }}-{{ .Values.streamnative_console.component }}-gateway"
           image: "{{ .Values.images.streamnative_console.repository }}:{{ .Values.images.streamnative_console.tag }}"
           imagePullPolicy: {{ .Values.images.streamnative_console.pullPolicy }}
@@ -437,6 +440,12 @@ spec:
           secretName: {{ .Values.streamnative_console.login.sso.pulsarJwt.config.SERVICE_ACCOUNT_SUPER_TOKEN_SECRET }}
           defaultMode: 0440
       {{- end }}
+      {{- if .Values.streamnative_console.dbPasswordSecret }}
+      - name: db-password-secret
+        secret:
+          secretName: {{ .Values.streamnative_console.dbPasswordSecret }}
+          defaultMode: 0440
+      {{- end }}
       {{- if .Values.streamnative_console.securityContext }}
       securityContext: {{- toYaml .Values.streamnative_console.securityContext | nindent 8 }}
       {{- end }}

charts/sn-platform-slim/values.yaml

@@ -2396,10 +2396,20 @@ streamnative_console:
     GRAFANA_AUTH_PROXY_USER: ""
     CONNECTOR_ENABLED: true
     OPENAPI_ENABLED: false
-    # please use base64 encoded your password
-    DB_PASSWORD: ""
   # Extra environment variables for streamnative-console container
   extraEnv: []
+  # Secret name containing DB_PASSWORD and NEW_PASSWORD keys
+  # The secret should have two keys: DB_PASSWORD and NEW_PASSWORD
+  # Example command to create the secret:
+  # kubectl create secret generic my-db-password-secret \
+  #   --from-literal=DB_PASSWORD=your-db-password \
+  #   --from-literal=NEW_PASSWORD=your-new-password
+  # Example command to update the secret:
+  # kubectl create secret generic my-db-password-secret \
+  #   --from-literal=DB_PASSWORD=your-new-db-password \
+  #   --from-literal=NEW_PASSWORD=your-new-password \
+  #   --dry-run=client -o yaml | kubectl apply -f -
+  dbPasswordSecret: ""
 
   login:
     sso:

charts/sn-platform/templates/streamnative-console/streamnative-console-statefulset.yaml

@@ -176,6 +176,12 @@ spec:
               if [ -f "/pulsar-manager/secrets/pulsar-jwt/TOKEN" ]; then
                 export TOKEN=$(cat /pulsar-manager/secrets/pulsar-jwt/TOKEN)
               fi
+              if [ -f "/pulsar-manager/secrets/db-password/DB_PASSWORD" ]; then
+                export DB_PASSWORD=$(cat /pulsar-manager/secrets/db-password/DB_PASSWORD)
+              fi
+              if [ -f "/pulsar-manager/secrets/db-password/NEW_PASSWORD" ]; then
+                export NEW_PASSWORD=$(cat /pulsar-manager/secrets/db-password/NEW_PASSWORD)
+              fi
               /pulsar-manager/entrypoint.sh
           env:
           - name: SPRING_CONFIGURATION_FILE
@@ -192,18 +198,10 @@ spec:
           - name: GLOBAL_RESOURCE_READ_ONLY
             value: "true"
           {{- end }}
-          {{- if .Values.streamnative_console.configData.DB_PASSWORD }}
-          - name: DB_PASSWORD
-            value: {{ .Values.streamnative_console.configData.DB_PASSWORD | b64dec | quote }}
-          {{- end }}
           {{- if hasSuffix "-all" .Values.images.streamnative_console.tag }}
           - name: DB_BASE
             value: sqlite
           {{- end }}
-          {{- if .Values.streamnative_console.configData.NEW_PASSWORD }}
-          - name: NEW_PASSWORD
-            value: {{ .Values.streamnative_console.configData.NEW_PASSWORD | b64dec | quote }}
-          {{- end }}
           - name: CONNECTOR_ENABLED
             value: "{{ .Values.streamnative_console.configData.CONNECTOR_ENABLED | default "true" }}"
           {{- with .Values.streamnative_console.extraEnv }}
@@ -352,6 +350,11 @@ spec:
             mountPath: /pulsar-manager/secrets/pulsar-jwt
             readOnly: true
           {{- end }}
+          {{- if .Values.streamnative_console.dbPasswordSecret }}
+          - name: db-password-secret
+            mountPath: /pulsar-manager/secrets/db-password
+            readOnly: true
+          {{- end }}
         - name: "{{ template "pulsar.fullname" . }}-{{ .Values.streamnative_console.component }}-gateway"
           image: "{{ .Values.images.streamnative_console.repository }}:{{ .Values.images.streamnative_console.tag }}"
           {{- if .Values.streamnative_console.securityContext }}
@@ -496,6 +499,12 @@ spec:
           secretName: {{ .Values.streamnative_console.login.sso.pulsarJwt.config.SERVICE_ACCOUNT_SUPER_TOKEN_SECRET }}
           defaultMode: 0440
       {{- end }}
+      {{- if .Values.streamnative_console.dbPasswordSecret }}
+      - name: db-password-secret
+        secret:
+          secretName: {{ .Values.streamnative_console.dbPasswordSecret }}
+          defaultMode: 0440
+      {{- end }}
       {{- if .Values.streamnative_console.securityContext }}
       securityContext: {{- toYaml .Values.streamnative_console.securityContext | nindent 8 }}
       {{- end }}

charts/sn-platform/values.yaml

@@ -2487,10 +2487,20 @@ streamnative_console:
     CONNECTOR_ENABLED: true
     CUSTOM_PAYLOAD_ENABLED: false
     OPENAPI_ENABLED: false
-    # please use base64 encoded your password
-    DB_PASSWORD: ""
   # Extra environment variables for streamnative-console container
   extraEnv: []
+  # Secret name containing DB_PASSWORD and NEW_PASSWORD keys
+  # The secret should have two keys: DB_PASSWORD and NEW_PASSWORD
+  # Example command to create the secret:
+  # kubectl create secret generic my-db-password-secret \
+  #   --from-literal=DB_PASSWORD=your-db-password \
+  #   --from-literal=NEW_PASSWORD=your-new-password
+  # Example command to update the secret:
+  # kubectl create secret generic my-db-password-secret \
+  #   --from-literal=DB_PASSWORD=your-new-db-password \
+  #   --from-literal=NEW_PASSWORD=your-new-password \
+  #   --dry-run=client -o yaml | kubectl apply -f -
+  dbPasswordSecret: ""
 
   login:
     sso: