allow external secrets to potentially clobber other secrets if opted in

retool-bot · retool-bot · commit 6d7ddf26cc3c · 2025-01-24T20:12:15.000-08:00
diff --git a/charts/retool/Chart.yaml b/charts/retool/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: retool
 description: A Helm chart for Kubernetes
 type: application
-version: 6.3.2
+version: 6.3.3
 maintainers:
   - name: Retool Engineering
     email: engineering+helm@retool.com
diff --git a/charts/retool/templates/_helpers.tpl b/charts/retool/templates/_helpers.tpl
@@ -351,3 +351,10 @@ Usage: (template "retool.codeExecutor.image.tag" .)
 {{- end -}}
 {{- $output -}}
 {{- end -}}
+
+{{/*
+Checks whether or not ExternalSecret definitions are enabled and can potentially clobber secrets or explicitly allow additional direct secret refs.
+*/}}
+{{- define "checkExternalSecretsClobbering" -}}
+{{- or (not (or (.Values.externalSecrets.enabled) (.Values.externalSecrets.externalSecretsOperator.enabled))) .Values.allowOtherSecrets -}}
+{{- end -}}
diff --git a/charts/retool/templates/deployment_backend.yaml b/charts/retool/templates/deployment_backend.yaml
@@ -153,7 +153,7 @@ spec:
 
           {{- include "retool.telemetry.includeEnvVars" . | nindent 10 }}
 
-          {{- if and (not .Values.externalSecrets.enabled) (not .Values.externalSecrets.externalSecretsOperator.enabled) }}
+          {{- if (include "checkExternalSecretsClobbering" .) }}
           - name: LICENSE_KEY
             valueFrom:
               secretKeyRef:
diff --git a/charts/retool/templates/deployment_jobs.yaml b/charts/retool/templates/deployment_jobs.yaml
@@ -91,7 +91,7 @@ spec:
 
           {{- include "retool.telemetry.includeEnvVars" . | nindent 10 }}
 
-          {{- if and (not .Values.externalSecrets.enabled) (not .Values.externalSecrets.externalSecretsOperator.enabled) }}
+          {{- if (include "checkExternalSecretsClobbering" .) }}
           - name: LICENSE_KEY
             valueFrom:
               secretKeyRef:
diff --git a/charts/retool/templates/deployment_telemetry.yaml b/charts/retool/templates/deployment_telemetry.yaml
@@ -52,7 +52,7 @@ spec:
             value: "/host/proc"
           - name: SYSFS_ROOT
             value: "/host/sys"
-          {{- if and (not .Values.externalSecrets.enabled) (not .Values.externalSecrets.externalSecretsOperator.enabled) }}
+          {{- if (include "checkExternalSecretsClobbering" .) }}
           - name: LICENSE_KEY
             valueFrom:
               secretKeyRef:
diff --git a/charts/retool/templates/deployment_workflows.yaml b/charts/retool/templates/deployment_workflows.yaml
@@ -141,7 +141,7 @@ spec:
           - name: CODE_EXECUTOR_INGRESS_DOMAIN
             value: http://{{ template "retool.codeExecutor.name" . }}
           {{- end }}
-          {{- if and (not .Values.externalSecrets.enabled) (not .Values.externalSecrets.externalSecretsOperator.enabled) }}
+          {{- if (include "checkExternalSecretsClobbering" .) }}
           - name: LICENSE_KEY
             valueFrom:
               secretKeyRef:
diff --git a/charts/retool/templates/deployment_workflows_worker.yaml b/charts/retool/templates/deployment_workflows_worker.yaml
@@ -150,7 +150,7 @@ spec:
           - name: OTEL_EXPORTER_OTLP_ENDPOINT
             value: "http://$(HOST_IP):4317"
           {{- end }}
-          {{- if and (not .Values.externalSecrets.enabled) (not .Values.externalSecrets.externalSecretsOperator.enabled) }}
+          {{- if (include "checkExternalSecretsClobbering" .) }}
           - name: LICENSE_KEY
             valueFrom:
               secretKeyRef:
diff --git a/charts/retool/templates/secret.yaml b/charts/retool/templates/secret.yaml
@@ -1,4 +1,4 @@
-{{- if and (not .Values.externalSecrets.enabled) (not .Values.externalSecrets.externalSecretsOperator.enabled) }}
+{{- if (include "checkExternalSecretsClobbering" .) }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/retool/values.yaml b/charts/retool/values.yaml
@@ -95,6 +95,9 @@ externalSecrets:
   # Support for legacy external secrets, note this is deprecated in favour of External Secrets Operator: https://github.com/godaddy/kubernetes-external-secrets
   # This mode only allows a single secret name to be provided.
   enabled: false
+  # If external secrets are currently enabled, it is disallowed to specify regular configuration secrets as a safeguard from clobbering.
+  # This flag allows bypassing that check and specifying both an ExternalSecret and a regular secret for different secrets.
+  allowOtherSecrets: false
   name: retool-config
   # Array of secrets to be use as env variables. (Optional)
   secrets:
diff --git a/values.yaml b/values.yaml
@@ -95,6 +95,9 @@ externalSecrets:
   # Support for legacy external secrets, note this is deprecated in favour of External Secrets Operator: https://github.com/godaddy/kubernetes-external-secrets
   # This mode only allows a single secret name to be provided.
   enabled: false
+  # If external secrets are currently enabled, it is disallowed to specify regular configuration secrets as a safeguard from clobbering.
+  # This flag allows bypassing that check and specifying both an ExternalSecret and a regular secret for different secrets.
+  allowOtherSecrets: false
   name: retool-config
   # Array of secrets to be use as env variables. (Optional)
   secrets:

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-{{- if and (not .Values.externalSecrets.enabled) (not .Values.externalSecrets.externalSecretsOperator.enabled) }}`
	`1`	`+{{- if (include "checkExternalSecretsClobbering" .) }}`
`2`	`2`	`apiVersion: v1`
`3`	`3`	`kind: Secret`
`4`	`4`	`metadata:`