feat: enable secret injection by sidecar

Author: tkarger

valkey/templates/_helpers.tpl

@@ -136,7 +136,7 @@ Validate auth configuration
 */}}
 {{- define "valkey.validateAuthConfig" -}}
 {{- if .Values.auth.enabled }}
-  {{- if not (or .Values.auth.aclUsers .Values.auth.aclConfig) }}
+  {{- if not (or .Values.auth.aclUsers .Values.auth.aclConfig .Values.auth.injectSecret.enabled) }}
     {{- fail "auth.enabled is true but no authentication method is configured. Please provide auth.aclUsers or auth.aclConfig" }}
   {{- end }}
   {{- if .Values.auth.aclUsers }}
@@ -156,6 +156,17 @@ Validate auth configuration
       {{- end }}
     {{- end }}
   {{- end }}
+  {{- if .Values.auth.injectSecret.enabled }}
+    {{- if not .Values.auth.injectSecret.permissions }}
+        {{- fail "auth.injectSecret.enabled is true but no permissions is configured." }}
+    {{- end }}
+    {{- if not .Values.auth.injectSecret.username }}
+        {{- fail "auth.injectSecret.enabled is true but no username is configured." }}
+    {{- end }}
+    {{- if not .Values.auth.injectSecret.mountPath }}
+        {{- fail "auth.injectSecret.enabled is true but no mountPath is configured." }}
+    {{- end }}
+  {{- end }}
 {{- end }}
 {{- end -}}
 
@@ -181,7 +192,7 @@ Validate replica persistence configuration
 Validate replica authentication configuration
 */}}
 {{- define "valkey.validateReplicaAuth" -}}
-{{- if and .Values.replica.enabled .Values.auth.enabled }}
+{{- if and .Values.replica.enabled .Values.auth.enabled (not .Values.auth.injectSecret.enabled)}}
   {{- if not (hasKey .Values.auth.aclUsers .Values.replica.replicationUser) }}
     {{- fail (printf "Replication user '%s' (replica.replicationUser) must be defined in auth.aclUsers. The chart requires this to retrieve the password for replica authentication." .Values.replica.replicationUser) }}
   {{- end }}

valkey/templates/deploy_valkey.yaml

@@ -82,6 +82,11 @@ spec:
               mountPath: /valkey-auth-secret
               readOnly: true
             {{- end }}
+            {{- if .Values.auth.injectSecret.enabled }}
+              {{ $dir := regexReplaceAll "/[^/]+$" .Values.auth.injectSecret.mountPath "/" }}
+            - name: inject-secret
+              mountPath: "{{ $dir }}"
+            {{- end }}
             {{- end }}
             {{- with .Values.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
@@ -141,6 +146,11 @@ spec:
             {{- if .Values.auth.enabled }}
             - name: valkey-acl
               mountPath: /etc/valkey
+            {{- if and .Values.auth.injectSecret.enabled }}
+              {{ $dir := regexReplaceAll "/[^/]+$" .Values.auth.injectSecret.mountPath "/" }}
+            - name: inject-secret
+              mountPath: "{{ $dir }}"
+            {{- end }}
             {{- end }}
             {{- range $secret := .Values.extraValkeySecrets }}
             - name: {{ $secret.name }}-valkey
@@ -252,6 +262,10 @@ spec:
             secretName: {{ include "valkey.fullname" . }}-auth
             defaultMode: 0400
         {{- end }}
+        {{- if .Values.auth.injectSecret.enabled }}
+        - name: inject-secret
+          emptyDir: {}
+        {{- end }}
         {{- end }}
         - name: {{ $storage.volumeName }}
         {{- if $storage.persistentVolumeClaimName }}

valkey/templates/init_config.yaml

@@ -138,6 +138,14 @@ data:
     fi
     {{- end }}
 
+    # Set user from injected secret with permissions
+    {{- if and .Values.auth.injectSecret.enabled .Values.auth.injectSecret.mountPath }}
+    INJECTED_PASSWORD=$(cat {{ .Values.auth.injectSecret.mountPath }})
+    PASSHASH=$(echo -n "$INJECTED_PASSWORD" | sha256sum | cut -f 1 -d " ")
+    echo "user {{ .Values.auth.injectSecret.username }} on #$PASSHASH {{ .Values.auth.injectSecret.permissions }}" >> /etc/valkey/users.acl
+    log "Set user {{ .Values.auth.injectSecret.username }} by injected secret"
+    {{- end }}
+
     # Set final permissions
     chmod 0400 /etc/valkey/users.acl
     log "ACL file created with 0400 permissions"
@@ -185,10 +193,16 @@ data:
 
       {{- if .Values.auth.enabled }}
       # Get the password for the replication user
-      {{- $replUsername := .Values.replica.replicationUser }}
+      {{- $replUsername := ""}}
+      {{- if .Values.auth.injectSecret.enabled }}
+      {{- $replUsername = .Values.auth.injectSecret.username }}
+      REPL_PASSWORD=$(cat {{ .Values.auth.injectSecret.mountPath }})
+      {{- else }}
+      {{- $replUsername = .Values.replica.replicationUser }}
       {{- $replUser := index .Values.auth.aclUsers $replUsername }}
       {{- $replPasswordKey := $replUser.passwordKey | default $replUsername }}
       REPL_PASSWORD=$(get_user_password "{{ $replUsername }}" "{{ $replPasswordKey }}") || exit 1
+      {{- end }}
 
       # Write masterauth configuration
       echo "masterauth $REPL_PASSWORD" >>"$VALKEY_CONFIG"

valkey/templates/statefulset.yaml

@@ -98,6 +98,11 @@ spec:
               mountPath: /valkey-auth-secret
               readOnly: true
             {{- end }}
+            {{- if .Values.auth.injectSecret.enabled }}
+              {{ $dir := regexReplaceAll "/[^/]+$" .Values.auth.injectSecret.mountPath "/" }}
+            - name: inject-secret
+              mountPath: "{{ $dir }}"
+            {{- end }}
             {{- end }}
           {{- with .Values.initResources }}
           resources:
@@ -155,6 +160,11 @@ spec:
             {{- if .Values.auth.enabled }}
             - name: valkey-acl
               mountPath: /etc/valkey
+            {{- if and .Values.auth.injectSecret.enabled }}
+              {{ $dir := regexReplaceAll "/[^/]+$" .Values.auth.injectSecret.mountPath "/" }}
+            - name: inject-secret
+              mountPath: "{{ $dir }}"
+            {{- end }}
             {{- end }}
             {{- range $secret := .Values.extraValkeySecrets }}
             - name: {{ $secret.name }}-valkey
@@ -266,6 +276,10 @@ spec:
             secretName: {{ include "valkey.fullname" . }}-auth
             defaultMode: 0400
         {{- end }}
+        {{- if .Values.auth.injectSecret.enabled }}
+        - name: inject-secret
+          emptyDir: {}
+        {{- end }}
         {{- end }}
         {{- with .Values.extraVolumes }}
         {{- toYaml . | nindent 8 }}

valkey/tests/deployment_test.yaml

@@ -18,6 +18,8 @@ tests:
           path: spec.template.spec.initContainers[0].volumeMounts[?(@.name == "valkey-users-secret")]
       - notExists:
           path: spec.template.spec.initContainers[0].volumeMounts[?(@.name == "valkey-auth-secret")]
+      - notExists:
+          path: spec.template.spec.initContainers[0].volumeMounts[?(@.name == "inject-secret")]
 
   - it: should have generated volume with inline passwords
     set:
@@ -114,6 +116,33 @@ tests:
               secretName: RELEASE-NAME-valkey-auth
               defaultMode: 0400
 
+  - it: should have generated a volume with emptyDir and mount it
+    set:
+      auth.enabled: true
+      auth.injectSecret.enabled: true
+      auth.injectSecret.username: default
+      auth.injectSecret.permissions: "~* &* +@all"
+      auth.injectSecret.mountPath: "/test/path"
+    template: templates/deploy_valkey.yaml
+    asserts:
+      - isKind:
+          of: Deployment
+      - contains:
+          path: spec.template.spec.initContainers[0].volumeMounts
+          content:
+            name: inject-secret
+            mountPath: "/test/"
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: inject-secret
+            mountPath: "/test/"
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: inject-secret
+            emptyDir: { }
+
   - it: should use custom image
     set:
       image.registry: custom-registry

valkey/tests/init_config_test.yaml

@@ -138,10 +138,43 @@ tests:
           path: data["init.sh"]
           pattern: 'REPL_PASSWORD=\$\(get_user_password "default" "default"\)'
 
+  - it: should use injected secret for replica authentication
+    set:
+      replica.enabled: true
+      replica.persistence.size: "5Gi"
+      replica.replicationUser: "default"
+      auth:
+        enabled: true
+        injectSecret:
+          enabled: true
+          username: default
+          permissions: "~* &* +@all"
+          mountPath: "/test/path"
+    asserts:
+      - isKind:
+          of: ConfigMap
+      - matchRegex:
+          path: data["init.sh"]
+          pattern: 'REPL_PASSWORD=\$\(cat /test/path\)'
+
   - it: should have correct metadata
     asserts:
       - isKind:
           of: ConfigMap
       - equal:
           path: metadata.labels["app.kubernetes.io/name"]
           value: valkey
+
+  - it: should use password of injected secret
+    set:
+      auth.enabled: true
+      auth.injectSecret.enabled: true
+      auth.injectSecret.username: default
+      auth.injectSecret.permissions: "~* &* +@all"
+      auth.injectSecret.mountPath: "/test/path"
+    asserts:
+      - isKind:
+          of: ConfigMap
+      - matchRegex:
+          path: data["init.sh"]
+          pattern: 'INJECTED_PASSWORD=\$\(cat /test/path\)'

valkey/tests/statefulset_test.yaml

@@ -237,6 +237,35 @@ tests:
             mountPath: /extra-config
             readOnly: true
 
+  - it: should have generated a volume with emptyDir and mount it
+    set:
+      replica.enabled: true
+      replica.persistence.size: "5Gi"
+      auth.enabled: true
+      auth.injectSecret.enabled: true
+      auth.injectSecret.username: default
+      auth.injectSecret.permissions: "~* &* +@all"
+      auth.injectSecret.mountPath: "/test/path"
+    template: templates/statefulset.yaml
+    asserts:
+      - isKind:
+          of: StatefulSet
+      - contains:
+          path: spec.template.spec.initContainers[0].volumeMounts
+          content:
+            name: inject-secret
+            mountPath: "/test/"
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: inject-secret
+            mountPath: "/test/"
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: inject-secret
+            emptyDir: {}
+
   - it: should include persistentVolumeClaimRetentionPolicy when configured
     set:
       replica.enabled: true

valkey/values.schema.json

@@ -19,6 +19,23 @@
                 },
                 "usersExistingSecret": {
                     "type": "string"
+                },
+                "injectSecret": {
+                  "type": "object",
+                  "properties": {
+                    "enabled": {
+                      "type": "boolean"
+                    },
+                    "username": {
+                      "type": "string"
+                    },
+                    "permissions": {
+                      "type": "string"
+                    },
+                    "mountPath": {
+                      "type": "string"
+                    }
+                  }
                 }
             }
         },

valkey/values.yaml

@@ -172,6 +172,16 @@ auth:
   # Use an existing secret for user passwords. Key defaults to username.
   usersExistingSecret: ""
 
+  # Enable the secret injection by another container
+  injectSecret:
+    enabled: false
+    # IMPORTANT: A duplication of a user would overwrite the definition of aclUsers or aclConfig
+    username: ""
+    # Same permission syntax as aclUsers
+    permissions: ""
+    # Path to secret e.g "/path/secret"
+    mountPath: ""
+
   # Map of users to create with ACL permissions.
   # If usersExistingSecret is set, passwords from the secret take priority over inline passwords.
   # NOTE: If using aclUsers, the 'default' user must be included here.
@@ -202,6 +212,7 @@ replica:
   # IMPORTANT: When auth.enabled is true, this user MUST be defined in auth.aclUsers.
   # The chart requires this to retrieve the password for replica authentication.
   # The user must have appropriate replication permissions: +psync +replconf +ping
+  # When auth.injectSecret.enabled is true, the replicationUser gets ignored and the auth.injectSecret.username gets set.
   replicationUser: "default"
 
   # Replication settings