The values.yaml file's k8s secret references are not respected in the secret template

[nbenmoody-tesouro]

Scenario

When I follow this values reference for the helm chart (v6.4.11), there are several values that are simple disregarded by the actual template:

licenseKeySecretName / licenseKeySecretKey

values.yaml has:

config:
  licenseKey: "EXPIRED-LICENSE-KEY-TRIAL"
  # licenseKeySecretName is the name of the secret where the Retool license key is stored (can be used instead of licenseKey)
  # licenseKeySecretName:
  # licenseKeySecretKey is the key in the k8s secret, default: license-key
  # licenseKeySecretKey:

...but the secret template just has this, which results in the default value being used instead:

data:
  license-key: {{ .Values.config.licenseKey | default "" | b64enc | quote }}

clientSecretSecretName / clientSecretSecretKey

values.yaml has:

  auth:
    google:
      clientId:
      clientSecret:
      # clientSecretSecretName is the name of the secret where the google client secret is stored (can be used instead of clientSecret)
      # clientSecretSecretName:
      # clientSecretSecretKey is the key in the k8s secret, default: google-client-secret
      # clientSecretSecretKey:

...but the secret template just has this, which results in the default value being used, also:

  {{ if .Values.config.auth.google.clientSecret }}
  google-client-secret: {{ .Values.config.auth.google.clientSecret | b64enc | quote }}
  {{ else  }}
  google-client-secret: ""
  {{ end }}

Postgres config's passwordSecretName / passwordSecretKey

values.yaml has:

    # passwordSecretName is the name of the secret where the pg password is stored (can be used instead of password)
    # passwordSecretName:
    # passwordSecretKey is the key in the k8s secret, default: postgresql-password
    # passwordSecretKey:

...but the secret template just has this, with the same issue:

  {{ if not .Values.postgresql.enabled }}
  postgresql-password: {{ .Values.config.postgresql.password | default "" | b64enc | quote }}
  {{ end }}

---

This is pretty easy to spot, if you look at the templates on artifact.hub.

Suggestion:

Looks like this template just needs to be updated, to follow the pattern that is already in there for other K8s Secret references. Like this one, for encryption-key:

  {{ if not .Values.config.encryptionKeySecretName }}
  {{ if .Values.config.encryptionKey }}
  encryption-key: {{ .Values.config.encryptionKey | b64enc | quote }}
  {{ else if (get $secretData "encryption-key") }}
  encryption-key: {{ get $secretData "encryption-key" }}
  {{ else }}
  encryption-key: {{ required "Please set a value for .Values.config.encryptionKey" .Values.config.encryptionKey }}
  {{ end }}
  {{ end }}

[nbenmoody-tesouro]

I BELIEVE that something like this should do the trick, for the secret.yaml template. I linted/tested it locally, but lack permissions to open a PR here, so just posting it for posterity:

{{- if include "shouldIncludeConfigSecretsEnvVars" . }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "retool.fullname" . }}
{{- if or (not .Values.retoolJwtSecret) (not .Values.config.encryptionKey) }}
  labels:
    {{- include "retool.labels" . | nindent 4 }}
  annotations:
    "helm.sh/resource-policy": no-upgrade-existing
{{- end }}
type: Opaque
{{- $secretName := (include "retool.fullname" .) }}
{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName | default dict }}
{{- $secretData := (get $secret "data") | default dict }}
data:
  {{ if not .Values.config.licenseKeySecretName }}
  {{ if .Values.config.licenseKey }}
  license-key: {{ .Values.config.licenseKey | b64enc | quote }}
  {{ else if (get $secretData "license-key") }}
  license-key: {{ (get $secretData "license-key") }}
  {{ else }}
  license-key: {{ required "Please set a value for .Values.config.licenseKey" .Values.config.licenseKey }}
  {{ end }}
  {{ end }}

  {{ if not .Values.config.jwtSecretSecretName }}
  {{ if .Values.config.jwtSecret }}
  jwt-secret: {{ .Values.config.jwtSecret | b64enc | quote }}
  {{ else if (get $secretData "jwt-secret") }}
  jwt-secret: {{ (get $secretData "jwt-secret") }}
  {{ else }}
  jwt-secret: {{ randAlphaNum 20 | b64enc | quote }}
  {{ end }}
  {{ end }}

  {{ if not .Values.config.encryptionKeySecretName }}
  {{ if .Values.config.encryptionKey }}
  encryption-key: {{ .Values.config.encryptionKey | b64enc | quote }}
  {{ else if (get $secretData "encryption-key") }}
  encryption-key: {{ get $secretData "encryption-key" }}
  {{ else }}
  encryption-key: {{ required "Please set a value for .Values.config.encryptionKey" .Values.config.encryptionKey }}
  {{ end }}
  {{ end }}

  {{ if not .Values.config.auth.google.clientSecretSecretName }}
  {{ if .Values.config.auth.google.clientSecret }}
  google-client-secret: {{ .Values.config.auth.google.clientSecret | b64enc | quote }}
  {{ else if (get $secretData "google-client-secret") }}
  google-client-secret: {{ (get $secretData "google-client-secret") }}
  {{ else }}
  google-client-secret: ""
  {{ end }}
  {{ end }}

  {{ if not .Values.config.postgresql.passwordSecretName }}
  {{ if not .Values.postgresql.enabled }}
  {{ if .Values.config.postgresql.password }}
  postgresql-password: {{ .Values.config.postgresql.password | b64enc | quote }}
  {{ else if (get $secretData "postgresql-password") }}
  postgresql-password: {{ (get $secretData "postgresql-password") }}
  {{ else }}
  postgresql-password: ""
  {{ end }}
  {{ end }}
  {{ end }}

  {{ if not .Values.workflows.temporal.sslKeySecretName }}
  {{ if .Values.workflows.temporal.sslKey }}
  temporal-tls-key: {{ .Values.workflows.temporal.sslKey | default "" | b64enc | quote }}
  {{ else if (get $secretData "temporal-tls-key") }}
  temporal-tls-key: {{ (get $secretData "temporal-tls-key") }}
  {{ else }}
  temporal-tls-key: ""
  {{ end }}
  {{ end }}
{{- end }}

[pdesantis]

I'm also experiencing this issue. Thanks for filing!