feat (chart): add support for existing usecase secret (#235)

a-klos · web-flow · commit 84d33789444f · 2026-02-04T14:42:57.000+01:00
This pull request introduces support for referencing an externally
managed Kubernetes Secret for usecase credentials, allowing teams to use
the External Secrets Operator (ESO) or other solutions to manage secrets
outside of Helm chart deployments. The chart will now use an existing
Secret if specified, rather than creating a new one.

**Support for externally managed usecase secrets:**

* Added documentation in `infrastructure/README.md` explaining how to
configure the chart to use an externally managed Secret via the new
`usecaseExistingSecretName` value.
* Updated `infrastructure/rag/values.yaml` to include the new
`usecaseExistingSecretName` field under `shared.secrets`, with
instructions for its usage.

**Chart logic updates for conditional Secret creation:**

* Modified `_helpers.tpl` to resolve the usecase Secret name to either
the existing Secret or a generated name, depending on whether
`usecaseExistingSecretName` is set.
* Updated `secrets.yaml` to only create a new usecase Secret if
`usecaseExistingSecretName` is not set, ensuring the chart does not
overwrite externally managed secrets.
[[1]](diffhunk://#diff-9e2edcc6f0d9600113b5f37de42319e2fa5290a228da6ef9d2f6dbcb7bb19014R12)
[[2]](diffhunk://#diff-9e2edcc6f0d9600113b5f37de42319e2fa5290a228da6ef9d2f6dbcb7bb19014R22)
diff --git a/infrastructure/README.md b/infrastructure/README.md
@@ -459,6 +459,16 @@ shared:
       USECASE_SECRET_ENV_VAR: ...
 ```
 
+If you manage the usecase secret via External Secrets Operator, create the Secret in the target namespace and point the chart to it:
+
+```yaml
+shared:
+  secrets:
+    usecaseExistingSecretName: "my-usecase-secret"
+```
+
+When `usecaseExistingSecretName` is set, the chart will not create the usecase secret and will reference the existing one instead.
+
 ## 2. Requirements and Setup Instructions
 
 The following section describes the requirements for the infrastructure setup and provides instructions for the local and production setup.
diff --git a/infrastructure/rag/templates/_helpers.tpl b/infrastructure/rag/templates/_helpers.tpl
@@ -15,8 +15,12 @@
 {{- end -}}
 
 {{- define "secret.usecaseName" -}}
+{{- if .Values.shared.secrets.usecaseExistingSecretName -}}
+{{- .Values.shared.secrets.usecaseExistingSecretName | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
 {{- printf "%s-usecase-secret" .Release.Name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+{{- end -}}
 
 {{/* Resolve basic auth credentials from inline values or referenced secrets. */}}
 {{- define "rag.basicAuthCredentials" -}}
diff --git a/infrastructure/rag/templates/secrets.yaml b/infrastructure/rag/templates/secrets.yaml
@@ -9,6 +9,7 @@ data:
   S3_SECRET_ACCESS_KEY: {{ .Values.shared.secrets.s3.secretKey.value | b64enc }}
 {{- end }}
 ---
+{{- if not .Values.shared.secrets.usecaseExistingSecretName }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -18,3 +19,4 @@ data:
   {{- range $key, $value := .Values.shared.secrets.usecase }}
   {{ $key }}: {{ $value | b64enc }}
   {{- end }}
+{{- end }}
diff --git a/infrastructure/rag/values.yaml b/infrastructure/rag/values.yaml
@@ -531,6 +531,7 @@ shared:
         secretKeyRef:
           name: ""
           key: "S3_SECRET_ACCESS_KEY"
+    usecaseExistingSecretName: "" # Optional: existing Secret name (e.g., from ESO). If set, chart will not create usecase secret.
     usecase: {}
 
 
