feat: add support for extraEnvFrom to main, worker and webhook

[jcconnects]

Description

This pull request introduces support for extraEnvFrom to the main, worker, and webhook deployments, as requested in issue #139.

This feature allows for more flexible and secure configuration by enabling the injection of environment variables from external ConfigMaps and Secrets directly into the pods. This is particularly useful for managing sensitive information like credentials or API keys without hardcoding them into the values.yaml file.

The implementation is consistent with existing patterns in the chart and adds the extraEnvFrom parameter under the main, worker, and webhook sections in values.yaml.

How to Use

To use this feature, you can now specify ConfigMap or Secret references in your values.yaml file as follows:

main:
  extraEnvFrom:
    - secretRef:
        name: my-n8n-secrets
    - configMapRef:
        name: my-n8n-config

worker:
  extraEnvFrom:
    - secretRef:
        name: my-worker-secrets
    - configMapRef:
        name: my-worker-config

webhook:
  extraEnvFrom:
    - secretRef:
        name: my-webhook-secrets
    - configMapRef:
        name: my-webhook-config

Changes Included

• values.yaml: Added a new extraEnvFrom: [] field to the main, worker, and webhook sections.
• templates/deployment.yaml: Updated the main deployment to include the envFrom block if .Values.main.extraEnvFrom is set.
• templates/deployment.worker.yaml: Updated the worker deployment to include the envFrom block.
• templates/deployment.webhook.yaml: Updated the webhook deployment to include the envFrom block.
• Chart.yaml: Bumped the chart version to 1.0.15 to reflect the new feature.

Testing

I have tested this feature locally with two scenarios to ensure correctness and robustness.

1. Failure Case (Invalid Configuration): I first ran a deployment with an incorrect field inside extraEnvFrom (e.g., error: instead of secretRef:). The deployment correctly failed with a validation error, confirming that Kubernetes' native validation is enforced through the chart.

2. Success Case (Valid Configuration): I then ran helm install using a test-values.yaml file that configured both a ConfigMap and a Secret for extraEnvFrom. The installation was successful, and I verified with kubectl get pod -o yaml that the envFrom sections were correctly added to the running n8n and n8n-worker pods.

This PR resolves #139.

Summary by CodeRabbit

• New Features
  • Support for extraEnvFrom on main, worker, and webhook to add additional environment sources (e.g., ConfigMaps/Secrets) alongside existing entries.
• Documentation
  • Added commented examples for configMapRef/secretRef in values and minor comment cleanup.
• Chores
  • Bumped chart version to 1.0.15 and updated release annotations.

[coderabbitai]

Walkthrough

Adds an optional extraEnvFrom array to main, worker, and webhook in values.yaml and conditionally renders them into the envFrom sections of the corresponding Deployment templates. Bumps chart version to 1.0.15 and updates the Artifact Hub changes annotation.

Changes

Cohort / File(s)	Summary
Chart metadata charts/n8n/Chart.yaml	Bumped chart version 1.0.14 → 1.0.15 and updated artifacthub.io/changes description.
Values: extraEnvFrom additions charts/n8n/values.yaml	Added extraEnvFrom: [] under main, worker, and webhook (with commented examples).
Main deployment template charts/n8n/templates/deployment.yaml	Conditionally renders .Values.main.extraEnvFrom into container envFrom using toYaml + nindent 12.
Worker deployment template charts/n8n/templates/deployment.worker.yaml	Conditionally renders .Values.worker.extraEnvFrom into container envFrom using toYaml + nindent 12.
Webhook deployment template charts/n8n/templates/deployment.webhook.yaml	Conditionally renders .Values.webhook.extraEnvFrom into container envFrom using toYaml + nindent 12.

Sequence Diagram(s)

sequenceDiagram
  participant User as User (values.yaml)
  participant Helm as Helm Template Engine
  participant K8s as Kubernetes API

  rect rgba(230,245,255,0.5)
  note over User,Helm: Install/Upgrade with values
  User->>Helm: Provide .Values.main/worker/webhook.extraEnvFrom
  Helm->>Helm: Render deployment templates (main, worker, webhook)
  alt extraEnvFrom defined
    Helm->>Helm: Append extraEnvFrom entries to each container envFrom
  else not defined
    Helm->>Helm: Render existing envFrom only
  end
  end

  Helm->>K8s: Apply Deployments
  K8s-->>User: Pods with merged envFrom sources

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Assessment against linked issues

Objective	Addressed	Explanation
Add new option .Values.main.extraEnvFrom in values.yaml (#139)	✅
Reference .Values.main.extraEnvFrom under deployment.yaml spec.containers.envFrom (#139)	✅

Assessment against linked issues: Out-of-scope changes

Code Change	Explanation
Added .Values.worker.extraEnvFrom and rendered it into charts/n8n/templates/deployment.worker.yaml (charts/n8n/templates/deployment.worker.yaml)	Issue #139 requested only .Values.main.extraEnvFrom; worker addition is beyond the stated objective.
Added .Values.webhook.extraEnvFrom and rendered it into charts/n8n/templates/deployment.webhook.yaml (charts/n8n/templates/deployment.webhook.yaml)	Issue #139 did not mention webhook; webhook addition is beyond the stated objective.

Possibly related PRs

• feat: Add environment settings to worker deployment #143 — Modifies worker environment handling; closely related to worker envFrom changes in this PR.
• FIX: deployment.yaml - error converting YAML to JSON: yaml: line 46: could not find expected ':' #177 — Adjusts env value formatting in deployment templates; related to how extra env/envFrom blocks are rendered.

Suggested reviewers

• Vad1mo

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

charts/n8n/templates/deployment.yaml (1)

67-79: Guard envFrom to avoid emitting an empty/null list.

envFrom is always rendered, but all inner branches can be false, yielding an empty/null value and invalid manifest. Wrap the whole block in a conditional.

Apply this diff:

-          envFrom:
-            {{- if .Values.main.config }}
-            - configMapRef:
-                name: {{ include "n8n.fullname" . }}-app-config
-            {{- end }}
-           {{- if .Values.main.secret }}
-            - secretRef:
-                name: {{ include "n8n.fullname" . }}-app-secret
-            {{- end }}
-            {{- if .Values.main.extraEnvFrom }}
-            {{- toYaml .Values.main.extraEnvFrom | nindent 12 }}
-            {{- end }}
+          {{- if or .Values.main.config .Values.main.secret .Values.main.extraEnvFrom }}
+          envFrom:
+            {{- if .Values.main.config }}
+            - configMapRef:
+                name: {{ include "n8n.fullname" . }}-app-config
+            {{- end }}
+            {{- if .Values.main.secret }}
+            - secretRef:
+                name: {{ include "n8n.fullname" . }}-app-secret
+            {{- end }}
+            {{- if .Values.main.extraEnvFrom }}
+            {{- toYaml .Values.main.extraEnvFrom | nindent 12 }}
+            {{- end }}
+          {{- end }}

charts/n8n/templates/deployment.webhook.yaml (1)

87-106: Same guard needed here to prevent empty envFrom.

If none of the referenced maps/secrets/extraEnvFrom are set, this renders an empty envFrom. Wrap the entire section.

Apply this diff:

-          envFrom:
+          {{- if or .Values.main.config .Values.main.secret .Values.webhook.config .Values.webhook.secret .Values.webhook.extraEnvFrom }}
+          envFrom:
             {{- if .Values.main.config }}
             - configMapRef:
                 name: {{ include "n8n.fullname" . }}-app-config
             {{- end }}
            {{- if .Values.main.secret }}
             - secretRef:
                 name: {{ include "n8n.fullname" . }}-app-secret
             {{- end }}
             {{- if .Values.webhook.config }}
             - configMapRef:
                 name: {{ include "n8n.fullname" . }}-webhook-config
             {{- end }}
            {{- if .Values.webhook.secret }}
             - secretRef:
                 name: {{ include "n8n.fullname" . }}-webhook-secret
             {{- end }}
             {{- if .Values.webhook.extraEnvFrom }}
             {{- toYaml .Values.webhook.extraEnvFrom | nindent 12 }}
             {{- end }}
+          {{- end }}

charts/n8n/templates/deployment.worker.yaml (1)

62-82: Guard worker envFrom to avoid emitting an empty/null list.

Same issue as main/webhook. Wrap envFrom with a combined conditional.

Apply this diff:

-          envFrom:
+          {{- if or .Values.main.config .Values.main.secret .Values.worker.config .Values.worker.secret .Values.worker.extraEnvFrom }}
+          envFrom:
             {{- if .Values.main.config }}
             - configMapRef:
                 name: {{ include "n8n.fullname" . }}-app-config
             {{- end }}
            {{- if .Values.main.secret }}
             - secretRef:
                 name: {{ include "n8n.fullname" . }}-app-secret
             {{- end }}
             {{- if .Values.worker.config }}
             - configMapRef:
                 name: {{ include "n8n.fullname" . }}-worker-config
             {{- end }}
            {{- if .Values.worker.secret }}
             - secretRef:
                 name: {{ include "n8n.fullname" . }}-worker-secret
             {{- end }}
             {{- if .Values.worker.extraEnvFrom }}
             {{- toYaml .Values.worker.extraEnvFrom | nindent 12 }}
             {{- end }}
+          {{- end }}

🧹 Nitpick comments (2)

charts/n8n/Chart.yaml (1)

3-3: Consider using "added" change kind and a minor version bump for a new feature.

• Artifact Hub "changes" kind could be "added" rather than "changed" for the new extraEnvFrom capability.
• Since this is a backward-compatible feature, consider bumping the chart minor version (e.g., 1.1.0) instead of a patch. Non-blocking if your project’s policy treats this as patch-level.

Also applies to: 38-38

charts/n8n/values.yaml (1)

86-90: LGTM; add a brief note about the optional prefix field.

The new extraEnvFrom defaults and examples look good. For completeness, consider documenting that each item can also include a top-level prefix to namespace imported vars, e.g.:

• • configMapRef: { name: my-config }
    prefix: MY_

This helps avoid collisions when sourcing from multiple refs.

Also applies to: 296-300, 480-484

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between d06fe8b and 53eb840.

📒 Files selected for processing (5)

• charts/n8n/Chart.yaml (2 hunks)
• charts/n8n/templates/deployment.webhook.yaml (1 hunks)
• charts/n8n/templates/deployment.worker.yaml (1 hunks)
• charts/n8n/templates/deployment.yaml (1 hunks)
• charts/n8n/values.yaml (3 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-09-02T08:05:39.337Z

Learnt from: tsch157
PR: 8gears/n8n-helm-chart#239
File: charts/n8n/Chart.yaml:3-4
Timestamp: 2025-09-02T08:05:39.337Z
Learning: n8n 1.110.0 is a pre-release version and should not be used in production deployments. Always verify if a version is stable before recommending upgrades in the n8n Helm chart.

Applied to files:

• charts/n8n/Chart.yaml

[RoseSecurity]

Testing this today. Thank you!

[PhillypHenning]

Really nice stuff @jcconnects
Tested locally and everything works as expected 👍🏻

Please remove lines that are just whitespace to ensure clean manifest generation, otherwise LGTM

[jcconnects]

Hey @PhillypHenning , thanks for the catch on the whitespaces! I have just fixed it 🤗

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

charts/n8n/templates/deployment.webhook.yaml (1)

104-106: Enable templating in extraEnvFrom for parity and flexibility.

Use tpl around toYaml so values can reference release/name/etc., matching how initContainers are handled.

-            {{- toYaml .Values.webhook.extraEnvFrom | nindent 12 }}
+            {{- tpl (toYaml .Values.webhook.extraEnvFrom) . | nindent 12 }}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 53eb840 and e2a7d7c.

📒 Files selected for processing (3)

• charts/n8n/templates/deployment.webhook.yaml (1 hunks)
• charts/n8n/templates/deployment.worker.yaml (1 hunks)
• charts/n8n/templates/deployment.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• charts/n8n/templates/deployment.yaml
• charts/n8n/templates/deployment.worker.yaml

🔇 Additional comments (1)

charts/n8n/templates/deployment.webhook.yaml (1)

87-106: Confirm extraEnvFrom envFrom ordering in webhook deployment
extraEnvFrom is appended after built-in configMapRef/secretRef entries—later envFrom entries win on duplicate keys. This placement matches main and worker templates; verify this ordering aligns with your intended override behavior.

[ocraviotto]

Happy to have found this.
I came here after searching for this option in the templates and trying to see if someone had already created a PR with something similar, so 👍

As a small note, perhaps it would make sense to mention somewhere that any variables defined in env take precedence over the ones in envFrom, and that when there are duplicates in different envFrom sources, the last defined envFrom takes precedence as well:

[...] When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
(https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#container-v1-core)

[jcconnects]

Happy to have found this. I came here after searching for this option in the templates and trying to see if someone had already created a PR with something similar, so 👍

As a small note, perhaps it would make sense to mention somewhere that any variables defined in env take precedence over the ones in envFrom, and that when there are duplicates in different envFrom sources, the last defined envFrom takes precedence as well:

[...] When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.
(https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#container-v1-core)

Hey @ocraviotto , that is a nice information I had not noticed before! Where do you suggest to insert it? Feel free to add another commit to this PR. 😊