From 06e0b50516dfb5e477bef60a60741e036967f00b Mon Sep 17 00:00:00 2001
From: Richard Moe
Date: Sat, 30 Aug 2025 23:48:29 +0200
Subject: [PATCH] feat: existing secret support
---
Chart.yaml | 12 ++++++------
README.md | 1 +
templates/NOTES.txt | 6 ++++++
templates/_helpers.tpl | 30 +++++++++++++++++++-----------
templates/cronjob.yaml | 2 ++
templates/deployment.yaml | 2 ++
templates/secret.yaml | 2 ++
values.yaml | 5 +++++
8 files changed, 43 insertions(+), 17 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index 07887125..c7b09bd6 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,13 +1,13 @@ apiVersion: v1 description: A Helm chart for Docker Registry name: docker-registry -version: 3.0.0 -appVersion: 3.0.0 +version: 3.1.0 +appVersion: 3.1.0 home: https://hub.docker.com/_/registry/ icon: https://helm.twun.io/docker-registry.png maintainers: -- email: devin@canterberry.cc - name: Devin Canterberry - url: https://canterberry.cc/ + - email: devin@canterberry.cc name: Devin Canterberry url: https://canterberry.cc/ sources: -- https://github.com/docker/distribution-library-image + - https://github.com/docker/distribution-library-image
diff --git a/README.md b/README.md
index 6dd113bc..2b388f6f 100644
--- a/README.md
+++ b/README.md
@@ -71,6 +71,7 @@ their default values. | `priorityClassName ` | priorityClassName | `""` | | `storage` | Storage system to use | `filesystem` | | `tlsSecretName` | Name of secret for TLS certs | `nil` | +| `existingSecret` | Name of an existing secret to use instead of creating one | `""` | | `secrets.htpasswd` | Htpasswd authentication | `nil` | | `secrets.s3.accessKey` | Access Key for S3 configuration | `nil` | | `secrets.s3.secretKey` | Secret Key for S3 configuration | `nil` |
diff --git a/templates/NOTES.txt b/templates/NOTES.txt
index 4a9152b5..c2c608fe 100644
--- a/templates/NOTES.txt
+++ b/templates/NOTES.txt
@@ -17,3 +17,9 @@ echo "Visit http://127.0.0.1:8080 to use your application" kubectl -n {{ .Release.Namespace }} port-forward $POD_NAME 8080:5000 {{- end }} + +{{- if .Values.existingSecret }} + +NOTE: You are using an existing secret "{{ .Values.existingSecret }}" for registry credentials. +Ensure it contains required keys for your chosen auth/storage/proxy configuration. +{{- end }}
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 1547d1d2..c1e46f7d 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -23,11 +23,19 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- end -}} {{- end -}} +{{- define "docker-registry.secretName" -}} +{{- if .Values.existingSecret -}} +{{- .Values.existingSecret -}} +{{- else -}} +{{- template "docker-registry.fullname" . }}-secret +{{- end -}} +{{- end -}} + {{- define "docker-registry.envs" -}} - name: REGISTRY_HTTP_SECRET valueFrom: secretKeyRef: - name: {{ template "docker-registry.fullname" . }}-secret + name: {{ template "docker-registry.secretName" . }} key: haSharedSecret {{- if .Values.secrets.htpasswd }}
@@ -53,17 +61,17 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this - name: REGISTRY_STORAGE_AZURE_ACCOUNTNAME valueFrom: secretKeyRef: - name: {{ template "docker-registry.fullname" . }}-secret + name: {{ template "docker-registry.secretName" . }} key: azureAccountName - name: REGISTRY_STORAGE_AZURE_ACCOUNTKEY valueFrom: secretKeyRef: - name: {{ template "docker-registry.fullname" . }}-secret + name: {{ template "docker-registry.secretName" . }} key: azureAccountKey - name: REGISTRY_STORAGE_AZURE_CONTAINER valueFrom: secretKeyRef: - name: {{ template "docker-registry.fullname" . }}-secret + name: {{ template "docker-registry.secretName" . }} key: azureContainer {{- else if eq .Values.storage "s3" }} - name: REGISTRY_STORAGE_S3_REGION
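Review bot: The htpasswd auth block stays gated on `.Values.secrets.htpasswd` (this hunk's last context line, and the `auth` volume in the `@@ -191,7 +199,7 @@` hunk), so an operator who keeps the htpasswd only in the existing Secret cannot switch auth on without also pasting it into `secrets.htpasswd`, where it is never rendered but still lands in the release's stored values — the exposure `existingSecret` is meant to remove. A separate toggle for htpasswd auth, checked with `or` alongside `secrets.htpasswd`, would close that gap; its name is the chart's choice. The new `docker-registry.secretName` helper also carries no `{{/* ... */}}` description like the one the hunk header quotes from the fullname helper; `{{/* Name of the Secret holding registry credentials: .Values.existingSecret when set, otherwise "<fullname>-secret". */}}` above the define would do. The `docker-registry.envs` define continues past the end of this hunk.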
@@ -74,12 +82,12 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this - name: REGISTRY_STORAGE_S3_ACCESSKEY valueFrom: secretKeyRef: - name: {{ if .Values.secrets.s3.secretRef }}{{ .Values.secrets.s3.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }} + name: {{ if .Values.secrets.s3.secretRef }}{{ .Values.secrets.s3.secretRef }}{{ else }}{{ template "docker-registry.secretName" . }}{{ end }} key: s3AccessKey - name: REGISTRY_STORAGE_S3_SECRETKEY valueFrom: secretKeyRef: - name: {{ if .Values.secrets.s3.secretRef }}{{ .Values.secrets.s3.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }} + name: {{ if .Values.secrets.s3.secretRef }}{{ .Values.secrets.s3.secretRef }}{{ else }}{{ template "docker-registry.secretName" . }}{{ end }} key: s3SecretKey {{- end -}}
@@ -119,12 +127,12 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this - name: REGISTRY_STORAGE_SWIFT_USERNAME valueFrom: secretKeyRef: - name: {{ template "docker-registry.fullname" . }}-secret + name: {{ template "docker-registry.secretName" . }} key: swiftUsername - name: REGISTRY_STORAGE_SWIFT_PASSWORD valueFrom: secretKeyRef: - name: {{ template "docker-registry.fullname" . }}-secret + name: {{ template "docker-registry.secretName" . }} key: swiftPassword - name: REGISTRY_STORAGE_SWIFT_CONTAINER value: {{ required ".Values.swift.container is required" .Values.swift.container }}
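Review bot: Precedence between the two override mechanisms is not stated anywhere on the page: with both `secrets.s3.secretRef` and `existingSecret` set, the S3 keys still come from `secretRef` (likewise `proxy.secretRef` in the `@@ -136,12 +144,12 @@` hunk), while `haSharedSecret` is always read from `existingSecret`. A line in the values.yaml comment or the README row, e.g. `# secrets.s3.secretRef and proxy.secretRef, when set, take precedence over existingSecret for their own keys`, tells an operator which Secret must actually hold each credential. The `docker-registry.envs` define extends beyond both hunks.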
@@ -136,12 +144,12 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this - name: REGISTRY_PROXY_USERNAME valueFrom: secretKeyRef: - name: {{ if .Values.proxy.secretRef }}{{ .Values.proxy.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }} + name: {{ if .Values.proxy.secretRef }}{{ .Values.proxy.secretRef }}{{ else }}{{ template "docker-registry.secretName" . }}{{ end }} key: proxyUsername - name: REGISTRY_PROXY_PASSWORD valueFrom: secretKeyRef: - name: {{ if .Values.proxy.secretRef }}{{ .Values.proxy.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }} + name: {{ if .Values.proxy.secretRef }}{{ .Values.proxy.secretRef }}{{ else }}{{ template "docker-registry.secretName" . }}{{ end }} key: proxyPassword {{- end -}}
@@ -191,7 +199,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- if .Values.secrets.htpasswd }} - name: auth secret: - secretName: {{ template "docker-registry.fullname" . }}-secret + secretName: {{ template "docker-registry.secretName" . }} items: - key: htpasswd path: htpasswd
diff --git a/templates/cronjob.yaml b/templates/cronjob.yaml
index a5419590..fbbdd472 100644
--- a/templates/cronjob.yaml
+++ b/templates/cronjob.yaml
@@ -21,7 +21,9 @@ spec: {{- end }} annotations: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- if not .Values.existingSecret }} checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- end }} {{- if .Values.podAnnotations }} {{- toYaml .Values.podAnnotations | nindent 8 }} {{- end }}
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
index a8ef2fca..0c417091 100644
--- a/templates/deployment.yaml
+++ b/templates/deployment.yaml
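Review bot: Skipping `checksum/secret` when `existingSecret` is set (in the cronjob.yaml hunk here and in the matching deployment.yaml hunk) means rotating that Secret no longer triggers a rollout, so containers keep the credentials injected through `secretKeyRef` env vars until they are restarted. That is a reasonable outcome for a Secret the chart does not render, but nothing in the template or NOTES.txt says so; a comment on the guard, `{{- /* existingSecret is not rendered by this chart, so no checksum: rotate it with a manual rollout restart */ -}}`, or a sentence in the NOTES block would make the behaviour explicit. The pod template's metadata continues outside the hunk.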
@@ -32,7 +32,9 @@ spec: {{- end }} annotations: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- if not .Values.existingSecret }} checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- end }} {{- if .Values.podAnnotations }} {{ toYaml .Values.podAnnotations | nindent 8 }} {{- end }}
diff --git a/templates/secret.yaml b/templates/secret.yaml
index 6265dc84..c0a0b2e4 100644
--- a/templates/secret.yaml
+++ b/templates/secret.yaml
@@ -1,3 +1,4 @@ +{{- if not .Values.existingSecret }} apiVersion: v1 kind: Secret metadata:
@@ -38,3 +39,4 @@ data: {{- end }} proxyUsername: {{ .Values.proxy.username | default "" | b64enc | quote }} proxyPassword: {{ .Values.proxy.password | default "" | b64enc | quote }} +{{- end }}
diff --git a/values.yaml b/values.yaml
index e3e74125..2781f85c 100644
--- a/values.yaml
+++ b/values.yaml
@@ -1,6 +1,11 @@ # Default values for docker-registry. # This is a YAML-formatted file. # Declare variables to be passed into your templates. + +# If set, use an existing Secret instead of creating one +# The existing secret must contain the expected keys (haSharedSecret, htpasswd, storage/provider keys, proxy credentials as applicable) +# existingSecret: "" + replicaCount: 1 updateStrategy: {}
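Review bot: `existingSecret` is added to values.yaml only as a commented-out line, so it is absent from `helm show values` and the README's stated default of `""` has no counterpart there; declaring it as `existingSecret: ""` keeps the two in step, and the templates already treat the empty string as unset. The comment could also state what happens to `secrets.*` when it is set: the chart's Secret is no longer rendered, so those values are written nowhere, while `secrets.htpasswd` still toggles the htpasswd auth block. Since Helm keeps supplied values in the release record, saying so stops operators from handing the chart credentials it will silently discard.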