diff --git a/charts/retool/Chart.yaml b/charts/retool/Chart.yaml
index 8d168389..4945797d 100644
--- a/charts/retool/Chart.yaml
+++ b/charts/retool/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: retool
 description: A Helm chart for Kubernetes
 type: application
-version: 6.3.2
+version: 6.3.3
 maintainers:
 - name: Retool Engineering
 email: engineering+helm@retool.com
diff --git a/charts/retool/templates/_helpers.tpl b/charts/retool/templates/_helpers.tpl
index c01896aa..19ba43f6 100644
--- a/charts/retool/templates/_helpers.tpl
+++ b/charts/retool/templates/_helpers.tpl
@@ -351,3 +351,10 @@ Usage: (template "retool.codeExecutor.image.tag" .)
 {{- end -}}
 {{- $output -}}
 {{- end -}}
+
+{{/*
+Checks whether or not ExternalSecret definitions are enabled and can potentially clobber secrets or explicitly allow additional direct secret refs.
+*/}}
+{{- define "shouldIncludeConfigSecretsEnvVars" -}}
+{{- or (not (or (.Values.externalSecrets.enabled) (.Values.externalSecrets.externalSecretsOperator.enabled))) .Values.includeConfigSecrets -}}
+{{- end -}}
diff --git a/charts/retool/templates/deployment_backend.yaml b/charts/retool/templates/deployment_backend.yaml
index ed5c2507..65aa63ab 100644
--- a/charts/retool/templates/deployment_backend.yaml
+++ b/charts/retool/templates/deployment_backend.yaml
@@ -153,7 +153,7 @@ spec:
 {{- include "retool.telemetry.includeEnvVars" . | nindent 10 }}
- {{- if and (not .Values.externalSecrets.enabled) (not .Values.externalSecrets.externalSecretsOperator.enabled) }}
+ {{- if (include "shouldIncludeConfigSecretsEnvVars" .) }}
 - name: LICENSE_KEY
 valueFrom:
 secretKeyRef:
diff --git a/charts/retool/templates/deployment_jobs.yaml b/charts/retool/templates/deployment_jobs.yaml
index 736b478c..a2b92de1 100644
--- a/charts/retool/templates/deployment_jobs.yaml
+++ b/charts/retool/templates/deployment_jobs.yaml
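Review bot: The helper's last `or` argument reads `.Values.includeConfigSecrets`, but the values.yaml hunks in this commit add `includeConfigSecrets` between `enabled` and `name` inside the `externalSecrets:` block, so the key a user sets appears to be `.Values.externalSecrets.includeConfigSecrets` and the top-level lookup would never see it (indentation is not visible in this view, so confirm the nesting). The argument should likely be `.Values.externalSecrets.includeConfigSecrets`. The helper is also the only one visible here without the `retool.` prefix used by `retool.codeExecutor.image.tag` and `retool.telemetry.includeEnvVars`; an unprefixed global template name can collide with definitions in a parent chart or subchart. The doc comment should additionally state what text the helper renders, because every caller branches on that output.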
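Review bot: `include` returns the rendered helper as a string, and the helper prints the value of its `or` expression, so the new `if` receives non-empty text such as `true` or `false` and takes the branch either way. With external secrets enabled and the flag off, the `LICENSE_KEY` `secretKeyRef` block would therefore still render, and the safeguard that the removed `and (not …) (not …)` condition provided is lost. Compare the output explicitly, `{{- if eq (include "shouldIncludeConfigSecretsEnvVars" .) "true" }}`, or have the helper emit an empty string in the negative case. The same line is added in deployment_jobs.yaml, deployment_telemetry.yaml, deployment_workflows.yaml, deployment_workflows_worker.yaml and secret.yaml, where it also decides whether the chart-managed Secret is created. The guarded block continues outside the hunk.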
@@ -91,7 +91,7 @@ spec:
 {{- include "retool.telemetry.includeEnvVars" . | nindent 10 }}
- {{- if and (not .Values.externalSecrets.enabled) (not .Values.externalSecrets.externalSecretsOperator.enabled) }}
+ {{- if (include "shouldIncludeConfigSecretsEnvVars" .) }}
 - name: LICENSE_KEY
 valueFrom:
 secretKeyRef:
diff --git a/charts/retool/templates/deployment_telemetry.yaml b/charts/retool/templates/deployment_telemetry.yaml
index 9ab42c2e..709fbb6f 100644
--- a/charts/retool/templates/deployment_telemetry.yaml
+++ b/charts/retool/templates/deployment_telemetry.yaml
@@ -52,7 +52,7 @@ spec:
 value: "/host/proc"
 - name: SYSFS_ROOT
 value: "/host/sys"
- {{- if and (not .Values.externalSecrets.enabled) (not .Values.externalSecrets.externalSecretsOperator.enabled) }}
+ {{- if (include "shouldIncludeConfigSecretsEnvVars" .) }}
 - name: LICENSE_KEY
 valueFrom:
 secretKeyRef:
diff --git a/charts/retool/templates/deployment_workflows.yaml b/charts/retool/templates/deployment_workflows.yaml
index 717460f9..61d40ea5 100644
--- a/charts/retool/templates/deployment_workflows.yaml
+++ b/charts/retool/templates/deployment_workflows.yaml
@@ -141,7 +141,7 @@ spec:
 - name: CODE_EXECUTOR_INGRESS_DOMAIN
 value: http://{{ template "retool.codeExecutor.name" . }}
 {{- end }}
- {{- if and (not .Values.externalSecrets.enabled) (not .Values.externalSecrets.externalSecretsOperator.enabled) }}
+ {{- if (include "shouldIncludeConfigSecretsEnvVars" .) }}
 - name: LICENSE_KEY
 valueFrom:
 secretKeyRef:
diff --git a/charts/retool/templates/deployment_workflows_worker.yaml b/charts/retool/templates/deployment_workflows_worker.yaml
index 6973ce8b..bce3cd9b 100644
--- a/charts/retool/templates/deployment_workflows_worker.yaml
+++ b/charts/retool/templates/deployment_workflows_worker.yaml
@@ -150,7 +150,7 @@ spec:
 - name: OTEL_EXPORTER_OTLP_ENDPOINT
 value: "http://$(HOST_IP):4317"
 {{- end }}
- {{- if and (not .Values.externalSecrets.enabled) (not .Values.externalSecrets.externalSecretsOperator.enabled) }}
+ {{- if (include "shouldIncludeConfigSecretsEnvVars" .) }}
 - name: LICENSE_KEY
 valueFrom:
 secretKeyRef:
diff --git a/charts/retool/templates/secret.yaml b/charts/retool/templates/secret.yaml
index c9f2649d..98dafb57 100644
--- a/charts/retool/templates/secret.yaml
+++ b/charts/retool/templates/secret.yaml
@@ -1,4 +1,4 @@
-{{- if and (not .Values.externalSecrets.enabled) (not .Values.externalSecrets.externalSecretsOperator.enabled) }}
+{{- if (include "shouldIncludeConfigSecretsEnvVars" .) }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/retool/values.yaml b/charts/retool/values.yaml
index f9a4839b..12612cd6 100644
--- a/charts/retool/values.yaml
+++ b/charts/retool/values.yaml
@@ -95,6 +95,9 @@ externalSecrets:
 # Support for legacy external secrets, note this is deprecated in favour of External Secrets Operator: https://github.com/godaddy/kubernetes-external-secrets
 # This mode only allows a single secret name to be provided.
 enabled: false
+ # If external secrets are currently enabled, it is disallowed to specify regular configuration secrets as a safeguard from clobbering.
+ # This flag allows bypassing that check and specifying both an ExternalSecret and a regular secret for different secrets.
+ includeConfigSecrets: false
 name: retool-config
 # Array of secrets to be use as env variables. (Optional)
 secrets:
diff --git a/values.yaml b/values.yaml
index f9a4839b..12612cd6 100644
--- a/values.yaml
+++ b/values.yaml
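Review bot: The new comment on `includeConfigSecrets` says the flag bypasses the clobbering safeguard but not what the chart then renders, and it leaves the no-overlap requirement implicit. Going by the templates touched in this commit, enabling it alongside an ExternalSecret brings back the chart-managed `Secret` and the `secretKeyRef` env entries such as `LICENSE_KEY`, so the operator has to ensure the externally managed secret and the chart's secret do not resolve to the same name or keys; nothing visible in the diff checks that. I would extend the comment with something like `# When true, the chart also renders its own Secret and secretKeyRef env vars; keep its name distinct from the ExternalSecret target or values may be overwritten.` The identical hunk in the repository-root values.yaml needs the same wording.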
@@ -95,6 +95,9 @@ externalSecrets:
 # Support for legacy external secrets, note this is deprecated in favour of External Secrets Operator: https://github.com/godaddy/kubernetes-external-secrets
 # This mode only allows a single secret name to be provided.
 enabled: false
+ # If external secrets are currently enabled, it is disallowed to specify regular configuration secrets as a safeguard from clobbering.
+ # This flag allows bypassing that check and specifying both an ExternalSecret and a regular secret for different secrets.
+ includeConfigSecrets: false
 name: retool-config
 # Array of secrets to be use as env variables. (Optional)
 secrets: