address findings from code review

overheadhunter · overheadhunter · commit 5590460d9339 · 2026-05-01T22:03:43.000+02:00
diff --git a/charts/cryptomator-hub/templates/NOTES.txt b/charts/cryptomator-hub/templates/NOTES.txt
@@ -46,7 +46,7 @@ Ingress is disabled. Configure ingress manually to the services above.
 
 {{ if .Values.hub.metrics.enabled }}
 {{ printf "%s📈 Telemetry%s" $cSection $cReset }}
-- Exporting OTLP/gRPC to `{{ .Values.hub.metrics.endpoint }}` (metrics, traces, logs).
+- Exporting to `{{ .Values.hub.metrics.endpoint }}` (metrics, traces, logs).
 {{ end }}
 
 {{ if not .Values.keycloak.enabled }}
diff --git a/charts/cryptomator-hub/templates/hub-metrics-secret.yaml b/charts/cryptomator-hub/templates/hub-metrics-secret.yaml
@@ -7,8 +7,10 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "cryptomator-hub.labels" . | nindent 4 }}
+  {{- if .Values.secrets.keepOnUninstall }}
   annotations:
     helm.sh/resource-policy: keep
+  {{- end }}
 type: kubernetes.io/basic-auth
 stringData:
   username: {{ .Values.hub.metrics.otlp.username | quote }}
diff --git a/charts/cryptomator-hub/templates/hub-secret.yaml b/charts/cryptomator-hub/templates/hub-secret.yaml
@@ -6,8 +6,10 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "cryptomator-hub.labels" . | nindent 4 }}
+  {{- if .Values.secrets.keepOnUninstall }}
   annotations:
     helm.sh/resource-policy: keep
+  {{- end }}
 type: Opaque
 stringData:
   hub_system_client_secret: {{ include "cryptomator-hub.resolvedSystemClientSecret" . | quote }}
diff --git a/charts/cryptomator-hub/templates/keycloak-secret.yaml b/charts/cryptomator-hub/templates/keycloak-secret.yaml
@@ -5,8 +5,10 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "cryptomator-hub.labels" . | nindent 4 }}
+  {{- if .Values.secrets.keepOnUninstall }}
   annotations:
     helm.sh/resource-policy: keep
+  {{- end }}
 type: Opaque
 stringData:
   {{- if .Values.keycloak.enabled }}
diff --git a/charts/cryptomator-hub/templates/postgres-secret.yaml b/charts/cryptomator-hub/templates/postgres-secret.yaml
@@ -6,8 +6,10 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "cryptomator-hub.labels" . | nindent 4 }}
+  {{- if .Values.secrets.keepOnUninstall }}
   annotations:
     helm.sh/resource-policy: keep
+  {{- end }}
 type: Opaque
 stringData:
   pg_admin_password: {{ include "cryptomator-hub.resolvedPostgresAdminPassword" . | quote }}
diff --git a/charts/cryptomator-hub/values-dev.yaml b/charts/cryptomator-hub/values-dev.yaml
@@ -1,6 +1,9 @@
 global:
   host: ""
 
+secrets:
+  keepOnUninstall: true
+
 hub:
   database:
     password: top-secret
diff --git a/charts/cryptomator-hub/values.yaml b/charts/cryptomator-hub/values.yaml
@@ -10,6 +10,11 @@ urls:
 notes:
   useColor: true
 
+secrets:
+  # When true, all chart-managed Secrets are annotated `helm.sh/resource-policy: keep` so they survive `helm uninstall`.
+  # Convenient for development (passwords stay stable across reinstalls) but a security risk in production
+  keepOnUninstall: false
+
 ingress:
   # supported: nginx, traefik, contour
   controller: ""
