feat(chart): support github.existingSecret for GITHUB_TOKEN

decobot · claude · decobot · commit 52a7f54212b5 · 2026-04-24T00:21:20.000-03:00
Reads token from a K8s Secret (via ExternalSecret) instead of
hardcoding in values. Falls back to github.token if set.
Safe: if github key is absent in values, no change to deployment.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/chart/templates/deployment-operator-controller-manager.yaml b/chart/templates/deployment-operator-controller-manager.yaml
@@ -31,9 +31,15 @@ spec:
         command:
         - /manager
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
-        {{- if or .Values.github.token (and .Values.valkey (get .Values.valkey "sentinelUrls")) }}
+        {{- if or (and .Values.github (or .Values.github.token .Values.github.existingSecret)) (and .Values.valkey (get .Values.valkey "sentinelUrls")) }}
         env:
-        {{- if .Values.github.token }}
+        {{- if and .Values.github .Values.github.existingSecret }}
+        - name: GITHUB_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.github.existingSecret | quote }}
+              key: {{ .Values.github.existingSecretKey | default "token" | quote }}
+        {{- else if and .Values.github .Values.github.token }}
         - name: GITHUB_TOKEN
           value: {{ .Values.github.token | quote }}
         {{- end }}
