Skip to content

feat(statefulset): add support for valueFrom in env#417

Merged
xoxys merged 4 commits intowoodpecker-ci:mainfrom
baprx:feat/env-valueFrom
Nov 30, 2025
Merged

feat(statefulset): add support for valueFrom in env#417
xoxys merged 4 commits intowoodpecker-ci:mainfrom
baprx:feat/env-valueFrom

Conversation

@baprx
Copy link
Contributor

@baprx baprx commented Oct 21, 2025

Hi, this PR adds support for adding single env variable from a secret key:

[...]
server:
  env:
    WOODPECKER_DATABASE_DRIVER: postgres
    WOODPECKER_DATABASE_DATASOURCE:
      valueFrom:
        secretKeyRef:
          name: postgres-credentials-woodpecker
          key: uri
[...]

@baprx baprx requested review from anbraten and xoxys as code owners October 21, 2025 11:22
@6543 6543 added the feature 🚀️ Add new feature label Oct 21, 2025
@psych0d0g
Copy link

yes please, in the mean-time im using a hacky workaround involving externalsecrets operator:

---
# eso-service-account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: eso-k8s-store-sa
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: eso-k8s-store-role
rules:
- apiGroups: [""]
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - authorization.k8s.io
  resources:
  - selfsubjectrulesreviews
  verbs:
  - create
---
# eso-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: eso-k8s-store-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: eso-k8s-store-role
subjects:
- kind: ServiceAccount
  name: eso-k8s-store-sa
  namespace: cicd
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: k8s-secret-store
spec:
  provider:
    kubernetes:
      remoteNamespace: cicd
      # We use the 'server' block to get access to the caProvider field
      server:
        caProvider:
          type: ConfigMap
          name: kube-root-ca.crt
          key: ca.crt
      auth:
        serviceAccount:
          name: "eso-k8s-store-sa"
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: woodpecker-db-secret-translator
spec:
  secretStoreRef:
    name: k8s-secret-store  # <-- Matches the SecretStore you just created
    kind: SecretStore
  # This is the name of the new secret ESO will create
  target:
    name: woodpecker-db-secret 
    template:
      type: Opaque

  data:
    # This creates a new key in the target secret
    - secretKey: WOODPECKER_DATABASE_DATASOURCE
      # This points to the source secret and key
      remoteRef:
        key: woodpecker-psql-pguser-woodpecker  # <-- The PGO-generated secret
        property: uri              # <-- The key *inside* the PGO secret

@marcusramberg
Copy link
Contributor

I'm simply using extraSecretNamesForEnvFrom for this, and have a secret with WOODPECKER_DATABASE_DATASOURCE set from externalsecrets

@baprx
Copy link
Contributor Author

baprx commented Nov 7, 2025

I'm simply using extraSecretNamesForEnvFrom for this, and have a secret with WOODPECKER_DATABASE_DATASOURCE set from externalsecrets

I created this PR because the secret is managed by another component (the DB operator) which doesn't allow custom secret keys, so I can't just load the secret as env vars.

@xoxys
Copy link
Member

xoxys commented Nov 8, 2025

Fine for me to add. Will take a closer look today. Thank you all and sorry for the delay.

@xoxys
Copy link
Member

xoxys commented Nov 8, 2025

Personally, I would prefer to change the syntax to something like this:

  {{- range $value := .Values.env }}
    - name: {{ $value.name }}
      {{- if $value.value }}
      value: {{ $value.value | quote }}
      {{- else if $value.valueFrom }}
      valueFrom: {{ toYaml $value.valueFrom | nindent 8 }}
      {{- end }}
  {{- end }}

The current syntax is already a bit uncommon and gets even more weird with this proposed changed. However, this would be a breaking change for the chart, but that would be fine for me. From user perspective, @baprx @psych0d0g @marcusramberg what do you think?

baprx added 2 commits November 8, 2025 20:04
Signed-off-by: Baptiste Roux <arte.but.posix@gmail.com>
Signed-off-by: Baptiste Roux <arte.but.posix@gmail.com>
@baprx baprx force-pushed the feat/env-valueFrom branch from 917bc20 to c849c9e Compare November 8, 2025 19:12
@xoxys xoxys merged commit e4cec36 into woodpecker-ci:main Nov 30, 2025
4 checks passed
@woodpecker-bot woodpecker-bot mentioned this pull request Nov 30, 2025
1 task
@marcusramberg
Copy link
Contributor

@xoxys ironically I find myself in need of this functionality too now. Any chance we could get a release of the chart?

@xoxys
Copy link
Member

xoxys commented Jan 7, 2026

Sorry, release triggered right now.

@c58
Copy link

c58 commented Jan 7, 2026

fyi guys I had the WOODPECKER_GITHUB env value as boolean, not as string, which was not fully correct i guess, but it worked with the previous version of the chart

env: 
  WOODPECKER_GITHUB: true

and after the upgrade the boolean env value is rendered to an empty value and my woodpecker server crushed because no forges configured. I guess the same would happen with number values, such as WOODPECKER_MAX_WORKFLOWS: 2, so probably some better primitive type handling is necessary to have

@xoxys
Copy link
Member

xoxys commented Jan 8, 2026

Sorry about that. Can take a look next week. If someone wants to provide a PR in the meantime, it would be very welcome.

@c58
Copy link

c58 commented Jan 9, 2026

@xoxys here we go #441

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

feature 🚀️ Add new feature

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants