fix(helm): external config and secret support

hosting/k8s/helm/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: trigger
 description: The official Trigger.dev Helm chart
 type: application
-version: 4.0.0-beta.16
+version: 4.0.0-beta.17
 appVersion: v4.0.0-v4-beta.22
 home: https://trigger.dev
 sources:

hosting/k8s/helm/templates/_helpers.tpl

@@ -96,33 +96,40 @@ Get the full image name for supervisor
 {{- end }}
 
 {{/*
-PostgreSQL hostname
+PostgreSQL hostname (deprecated - used only for legacy DATABASE_HOST env var)
 */}}
 {{- define "trigger-v4.postgres.hostname" -}}
-{{- if .Values.postgres.host }}
-{{- .Values.postgres.host }}
-{{- else if .Values.postgres.deploy }}
+{{- if .Values.postgres.deploy }}
 {{- printf "%s-postgres" .Release.Name }}
+{{- else }}
+{{- "external-postgres" }}
 {{- end }}
 {{- end }}
 
 {{/*
-PostgreSQL connection string
+PostgreSQL connection string (fallback when not using secrets)
 */}}
 {{- define "trigger-v4.postgres.connectionString" -}}
-{{- if .Values.postgres.host -}}
-postgresql://{{ .Values.postgres.username }}:{{ .Values.postgres.password }}@{{ .Values.postgres.host }}:{{ .Values.postgres.port | default 5432 }}/{{ .Values.postgres.database }}?schema={{ .Values.postgres.schema | default "public" }}&sslmode={{ .Values.postgres.sslMode | default "prefer" }}
+{{- if .Values.postgres.external.databaseUrl -}}
+{{ .Values.postgres.external.databaseUrl }}
 {{- else if .Values.postgres.deploy -}}
 postgresql://{{ .Values.postgres.auth.username }}:{{ .Values.postgres.auth.password }}@{{ include "trigger-v4.postgres.hostname" . }}:5432/{{ .Values.postgres.auth.database }}?schema={{ .Values.postgres.connection.schema | default "public" }}&sslmode={{ .Values.postgres.connection.sslMode | default "prefer" }}
 {{- end -}}
 {{- end }}
 
+{{/*
+Check if we should use DATABASE_URL from secret
+*/}}
+{{- define "trigger-v4.postgres.useSecretUrl" -}}
+{{- or (and .Values.postgres.external.databaseUrl .Values.postgres.external.existingSecret) (and .Values.postgres.external.existingSecret) -}}
+{{- end }}
+
 {{/*
 Redis hostname
 */}}
 {{- define "trigger-v4.redis.hostname" -}}
-{{- if .Values.redis.host }}
-{{- .Values.redis.host }}
+{{- if .Values.redis.external.host }}
+{{- .Values.redis.external.host }}
 {{- else if .Values.redis.deploy }}
 {{- printf "%s-redis-master" .Release.Name }}
 {{- end }}
@@ -136,13 +143,211 @@ Redis connection details
 {{- end }}
 
 {{- define "trigger-v4.redis.port" -}}
-{{- if .Values.redis.host -}}
-{{ .Values.redis.port | default 6379 }}
+{{- if .Values.redis.external.host -}}
+{{ .Values.redis.external.port | default 6379 }}
 {{- else if .Values.redis.deploy -}}
 6379
 {{- end -}}
 {{- end }}
 
+{{/*
+Redis password
+*/}}
+{{- define "trigger-v4.redis.password" -}}
+{{- if .Values.redis.external.host -}}
+{{ .Values.redis.external.password }}
+{{- else if .Values.redis.deploy -}}
+{{ .Values.redis.auth.password }}
+{{- end -}}
+{{- end }}
+
+{{/*
+Redis TLS disabled setting
+*/}}
+{{- define "trigger-v4.redis.tlsDisabled" -}}
+{{- if .Values.redis.external.host -}}
+{{ not (.Values.redis.external.tls.enabled | default false) }}
+{{- else -}}
+{{- true -}}
+{{- end -}}
+{{- end }}
+
+{{/*
+PostgreSQL external secret name
+*/}}
+{{- define "trigger-v4.postgres.external.secretName" -}}
+{{- if .Values.postgres.external.existingSecret -}}
+{{ .Values.postgres.external.existingSecret }}
+{{- else -}}
+{{ include "trigger-v4.secretsName" . }}
+{{- end -}}
+{{- end }}
+
+{{/*
+PostgreSQL external secret database URL key
+*/}}
+{{- define "trigger-v4.postgres.external.databaseUrlKey" -}}
+{{- if .Values.postgres.external.existingSecret -}}
+{{ .Values.postgres.external.secretKeys.databaseUrlKey }}
+{{- else -}}
+postgres-database-url
+{{- end -}}
+{{- end }}
+
+{{/*
+PostgreSQL external secret direct URL key
+*/}}
+{{- define "trigger-v4.postgres.external.directUrlKey" -}}
+{{- if .Values.postgres.external.existingSecret -}}
+{{ .Values.postgres.external.secretKeys.directUrlKey | default .Values.postgres.external.secretKeys.databaseUrlKey }}
+{{- else -}}
+postgres-direct-url
+{{- end -}}
+{{- end }}
+
+{{/*
+PostgreSQL direct URL (fallback to database URL if not set)
+*/}}
+{{- define "trigger-v4.postgres.directUrl" -}}
+{{- if .Values.postgres.external.directUrl -}}
+{{ .Values.postgres.external.directUrl }}
+{{- else -}}
+{{ include "trigger-v4.postgres.connectionString" . }}
+{{- end -}}
+{{- end }}
+
+{{/*
+Redis external secret name
+*/}}
+{{- define "trigger-v4.redis.external.secretName" -}}
+{{- if .Values.redis.external.existingSecret -}}
+{{ .Values.redis.external.existingSecret }}
+{{- else -}}
+{{ include "trigger-v4.secretsName" . }}
+{{- end -}}
+{{- end }}
+
+{{/*
+Redis external secret password key
+*/}}
+{{- define "trigger-v4.redis.external.passwordKey" -}}
+{{- if .Values.redis.external.existingSecret -}}
+{{ .Values.redis.external.existingSecretPasswordKey }}
+{{- else -}}
+redis-password
+{{- end -}}
+{{- end }}
+
+{{/*
+ClickHouse external secret name
+*/}}
+{{- define "trigger-v4.clickhouse.external.secretName" -}}
+{{- if .Values.clickhouse.external.existingSecret -}}
+{{ .Values.clickhouse.external.existingSecret }}
+{{- else -}}
+{{ include "trigger-v4.secretsName" . }}
+{{- end -}}
+{{- end }}
+
+{{/*
+ClickHouse external secret password key
+*/}}
+{{- define "trigger-v4.clickhouse.external.passwordKey" -}}
+{{- if .Values.clickhouse.external.existingSecret -}}
+{{ .Values.clickhouse.external.existingSecretKey }}
+{{- else -}}
+clickhouse-password
+{{- end -}}
+{{- end }}
+
+{{/*
+S3 external secret name
+*/}}
+{{- define "trigger-v4.s3.external.secretName" -}}
+{{- if .Values.s3.external.existingSecret -}}
+{{ .Values.s3.external.existingSecret }}
+{{- else -}}
+{{ include "trigger-v4.secretsName" . }}
+{{- end -}}
+{{- end }}
+
+{{/*
+S3 external secret access key ID key
+*/}}
+{{- define "trigger-v4.s3.external.accessKeyIdKey" -}}
+{{- if .Values.s3.external.existingSecret -}}
+{{ .Values.s3.external.existingSecretAccessKeyIdKey }}
+{{- else -}}
+s3-access-key-id
+{{- end -}}
+{{- end }}
+
+{{/*
+S3 external secret secret access key key
+*/}}
+{{- define "trigger-v4.s3.external.secretAccessKeyKey" -}}
+{{- if .Values.s3.external.existingSecret -}}
+{{ .Values.s3.external.existingSecretSecretAccessKeyKey }}
+{{- else -}}
+s3-secret-access-key
+{{- end -}}
+{{- end }}
+
+{{/*
+S3 auth secret name
+*/}}
+{{- define "trigger-v4.s3.auth.secretName" -}}
+{{- if .Values.s3.auth.existingSecret -}}
+{{ .Values.s3.auth.existingSecret }}
+{{- else -}}
+{{ include "trigger-v4.secretsName" . }}
+{{- end -}}
+{{- end }}
+
+{{/*
+S3 auth secret access key ID key
+*/}}
+{{- define "trigger-v4.s3.auth.accessKeyIdKey" -}}
+{{- if .Values.s3.auth.existingSecret -}}
+{{ .Values.s3.auth.accessKeyIdSecretKey }}
+{{- else -}}
+s3-auth-access-key-id
+{{- end -}}
+{{- end }}
+
+{{/*
+S3 auth secret secret access key key
+*/}}
+{{- define "trigger-v4.s3.auth.secretAccessKeyKey" -}}
+{{- if .Values.s3.auth.existingSecret -}}
+{{ .Values.s3.auth.secretAccessKeySecretKey }}
+{{- else -}}
+s3-auth-secret-access-key
+{{- end -}}
+{{- end }}
+
+{{/*
+S3 auth effective access key ID (with fallback to rootUser)
+*/}}
+{{- define "trigger-v4.s3.auth.effectiveAccessKeyId" -}}
+{{- if .Values.s3.auth.accessKeyId -}}
+{{ .Values.s3.auth.accessKeyId }}
+{{- else -}}
+{{ .Values.s3.auth.rootUser }}
+{{- end -}}
+{{- end }}
+
+{{/*
+S3 auth effective secret access key (with fallback to rootPassword)
+*/}}
+{{- define "trigger-v4.s3.auth.effectiveSecretAccessKey" -}}
+{{- if .Values.s3.auth.secretAccessKey -}}
+{{ .Values.s3.auth.secretAccessKey }}
+{{- else -}}
+{{ .Values.s3.auth.rootPassword }}
+{{- end -}}
+{{- end }}
+
 {{/*
 Electric service URL
 */}}
@@ -176,8 +381,12 @@ ClickHouse URL for application (with secure parameter)
 {{- else if .Values.clickhouse.external.host -}}
 {{- $protocol := ternary "https" "http" .Values.clickhouse.external.secure -}}
 {{- $secure := ternary "true" "false" .Values.clickhouse.external.secure -}}
+{{- if .Values.clickhouse.external.existingSecret -}}
+{{ $protocol }}://{{ .Values.clickhouse.external.username }}:${CLICKHOUSE_PASSWORD}@{{ .Values.clickhouse.external.host }}:{{ .Values.clickhouse.external.httpPort | default 8123 }}?secure={{ $secure }}
+{{- else -}}
 {{ $protocol }}://{{ .Values.clickhouse.external.username }}:{{ .Values.clickhouse.external.password }}@{{ .Values.clickhouse.external.host }}:{{ .Values.clickhouse.external.httpPort | default 8123 }}?secure={{ $secure }}
 {{- end -}}
+{{- end -}}
 {{- end }}
 
 {{/*
@@ -189,8 +398,12 @@ ClickHouse URL for replication (without secure parameter)
 {{ $protocol }}://{{ .Values.clickhouse.auth.username }}:{{ .Values.clickhouse.auth.password }}@{{ include "trigger-v4.clickhouse.hostname" . }}:8123
 {{- else if .Values.clickhouse.external.host -}}
 {{- $protocol := ternary "https" "http" .Values.clickhouse.external.secure -}}
+{{- if .Values.clickhouse.external.existingSecret -}}
+{{ $protocol }}://{{ .Values.clickhouse.external.username }}:${CLICKHOUSE_PASSWORD}@{{ .Values.clickhouse.external.host }}:{{ .Values.clickhouse.external.httpPort | default 8123 }}
+{{- else -}}
 {{ $protocol }}://{{ .Values.clickhouse.external.username }}:{{ .Values.clickhouse.external.password }}@{{ .Values.clickhouse.external.host }}:{{ .Values.clickhouse.external.httpPort | default 8123 }}
 {{- end -}}
+{{- end -}}
 {{- end }}
 
 {{/*
@@ -244,14 +457,27 @@ Registry connection details
 {{- end -}}
 {{- end }}
 
+{{/*
+Webapp connectivity check enabled
+*/}}
+{{- define "trigger-v4.webapp.connectivityCheckEnabled" -}}
+{{- $connectivityCheckEnabled := true -}}
+{{- if hasKey .Values.webapp "connectivityCheck" -}}
+{{- if hasKey .Values.webapp.connectivityCheck "postgres" -}}
+{{- $connectivityCheckEnabled = .Values.webapp.connectivityCheck.postgres -}}
+{{- end -}}
+{{- end -}}
+{{- $connectivityCheckEnabled -}}
+{{- end }}
+
 {{/*
 PostgreSQL host (for wait-for-it script)
 */}}
 {{- define "trigger-v4.postgres.host" -}}
-{{- if .Values.postgres.host -}}
-{{ .Values.postgres.host }}:{{ .Values.postgres.port | default 5432 }}
-{{- else if .Values.postgres.deploy -}}
+{{- if .Values.postgres.deploy -}}
 {{ include "trigger-v4.postgres.hostname" . }}:5432
+{{- else if .Values.postgres.external.connectivityCheck.host -}}
+{{ .Values.postgres.external.connectivityCheck.host }}
 {{- end -}}
 {{- end }}
 

hosting/k8s/helm/templates/secrets.yaml

@@ -11,8 +11,28 @@ data:
   MAGIC_LINK_SECRET: {{ .Values.secrets.magicLinkSecret | b64enc | quote }}
   ENCRYPTION_KEY: {{ .Values.secrets.encryptionKey | b64enc | quote }}
   MANAGED_WORKER_SECRET: {{ .Values.secrets.managedWorkerSecret | b64enc | quote }}
-  OBJECT_STORE_ACCESS_KEY_ID: {{ .Values.secrets.objectStore.accessKeyId | b64enc | quote }}
-  OBJECT_STORE_SECRET_ACCESS_KEY: {{ .Values.secrets.objectStore.secretAccessKey | b64enc | quote }}
+  {{- if and .Values.s3.external.accessKeyId (not .Values.s3.external.existingSecret) }}
+  s3-access-key-id: {{ .Values.s3.external.accessKeyId | b64enc | quote }}
+  s3-secret-access-key: {{ .Values.s3.external.secretAccessKey | b64enc | quote }}
+  {{- end }}
+  {{- if and .Values.s3.deploy (not .Values.s3.auth.existingSecret) }}
+  s3-auth-access-key-id: {{ include "trigger-v4.s3.auth.effectiveAccessKeyId" . | b64enc | quote }}
+  s3-auth-secret-access-key: {{ include "trigger-v4.s3.auth.effectiveSecretAccessKey" . | b64enc | quote }}
+  {{- end }}
+  {{- if and .Values.postgres.external.databaseUrl (not .Values.postgres.external.existingSecret) }}
+  postgres-database-url: {{ .Values.postgres.external.databaseUrl | b64enc | quote }}
+  {{- if .Values.postgres.external.directUrl }}
+  postgres-direct-url: {{ .Values.postgres.external.directUrl | b64enc | quote }}
+  {{- else }}
+  postgres-direct-url: {{ .Values.postgres.external.databaseUrl | b64enc | quote }}
+  {{- end }}
+  {{- end }}
+  {{- if and .Values.redis.external.host (not .Values.redis.external.existingSecret) .Values.redis.external.password }}
+  redis-password: {{ .Values.redis.external.password | b64enc | quote }}
+  {{- end }}
+  {{- if and .Values.clickhouse.external.host (not .Values.clickhouse.external.existingSecret) .Values.clickhouse.external.password }}
+  clickhouse-password: {{ .Values.clickhouse.external.password | b64enc | quote }}
+  {{- end }}
 {{- end }}
 ---
 {{- if and .Values.registry.deploy .Values.registry.auth.enabled }}

hosting/k8s/helm/templates/validate-external-config.yaml

@@ -3,8 +3,8 @@ Validation template to ensure external service configurations are provided when
 This template will fail the Helm deployment if external config is missing for required services
 */}}
 {{- if not .Values.postgres.deploy }}
-{{- if or (not .Values.postgres.external.host) (not .Values.postgres.external.database) (not .Values.postgres.external.username) }}
-{{- fail "PostgreSQL external configuration is required when postgres.deploy=false. Please provide postgres.external.host, postgres.external.database, and postgres.external.username" }}
+{{- if and (not .Values.postgres.external.databaseUrl) (not .Values.postgres.external.existingSecret) }}
+{{- fail "PostgreSQL external configuration is required when postgres.deploy=false. Please provide either postgres.external.databaseUrl or postgres.external.existingSecret" }}
 {{- end }}
 {{- end }}
 
@@ -20,9 +20,16 @@ This template will fail the Helm deployment if external config is missing for re
 {{- end }}
 {{- end }}
 
-{{- if not .Values.s3.deploy }}
-{{- if or (not .Values.s3.external.endpoint) (not .Values.s3.external.accessKeyId) }}
-{{- fail "S3 external configuration is required when s3.deploy=false. Please provide s3.external.endpoint and s3.external.accessKeyId" }}
+{{- if .Values.s3.deploy }}
+{{- if and (not .Values.s3.auth.existingSecret) (not .Values.s3.auth.accessKeyId) (not .Values.s3.auth.rootUser) }}
+{{- fail "S3 auth credentials are required when s3.deploy=true. Please provide either s3.auth.accessKeyId, s3.auth.existingSecret, or s3.auth.rootUser" }}
+{{- end }}
+{{- else }}
+{{- if not .Values.s3.external.endpoint }}
+{{- fail "S3 external configuration is required when s3.deploy=false. Please provide s3.external.endpoint" }}
+{{- end }}
+{{- if and (not .Values.s3.external.existingSecret) (not .Values.s3.external.accessKeyId) }}
+{{- fail "S3 credentials are required when s3.deploy=false. Please provide either s3.external.accessKeyId or s3.external.existingSecret" }}
 {{- end }}
 {{- end }}