2 changes: 1 addition & 1 deletion helm/charts/carbide-rest/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: carbide-rest
description: Umbrella chart for the Carbide REST API platform
type: application
version: 0.1.2
version: 0.1.3
appVersion: "1.0.6"
keywords:
- carbide
Expand Up @@ -8,4 +8,11 @@ metadata:
{{- include "carbide-rest-api.labels" . | nindent 4 }}
data:
config.yaml: |
{{- if .Values.secrets.dbCreds }}
{{- $config := deepCopy .Values.config -}}
{{- $_ := set $config.db "passwordPath" "/var/secrets/db/password" -}}
{{- $_ := unset $config.db "password" -}}
{{- $config | toYaml | nindent 4 }}
{{- else }}
{{- .Values.config | toYaml | nindent 4 }}
{{- end }}
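Review bot: The password file location is spelled out independently in several places — `"passwordPath" "/var/secrets/db/password"` in the `set` line here, and `mountPath: /var/secrets/db` plus `path: password` in the deployment's volume definitions — so editing any one of them silently breaks the other without a render error. Consider deriving all of them from a single value or named template (for example a `secrets.dbCredsMountPath` value, name illustrative) and pointing this `set` at it. The `set $config.db` call also assumes `.Values.config.db` is always a map; if a values override omits `db`, rendering fails with a low-level template error, which a guard such as `{{- if not (hasKey $config "db") }}{{ fail "config.db is required when secrets.dbCreds is set" }}{{- end }}` would turn into a clear message. The workflow chart's ConfigMap template repeats this block verbatim and has the same two issues.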
Expand Up @@ -46,6 +46,11 @@ spec:
- name: temporal-tls-certs
mountPath: /var/secrets/temporal/certs
readOnly: true
{{- if .Values.secrets.dbCreds }}
- name: db-creds
mountPath: /var/secrets/db
readOnly: true
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
readinessProbe:
Expand Down Expand Up @@ -81,3 +86,11 @@ spec:
- name: temporal-tls-certs
secret:
secretName: {{ .Values.secrets.temporalClientCerts }}
{{- if .Values.secrets.dbCreds }}
- name: db-creds
secret:
secretName: {{ .Values.secrets.dbCreds }}
items:
- key: password
path: password
{{- end }}
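Review bot: The `db-creds` secret volume in the second hunk sets no `defaultMode`, so the password file is created with the Secret volume default of 0644 and is readable by every process in the container, not just the application user. Add `defaultMode: 0400` under `secret:` (or `0440` if the pod's securityContext sets an `fsGroup`; that context is outside this hunk, so check which applies before choosing). The same shape, with the same omission, appears in the workflow chart's `carbide-rest-workflow.dbCredsVolume` helper. Separately, the workflow chart factors the mount and volume into `_helpers.tpl` defines while this chart inlines them; reusing the same helper pattern here would keep the two deployments from drifting.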
4 changes: 4 additions & 0 deletions helm/charts/carbide-rest/charts/carbide-rest-api/values.yaml
Expand Up @@ -28,6 +28,9 @@ secrets:
temporalClientCerts: temporal-client-cloud-certs
# -- Only required when keycloak is enabled
keycloakClientSecret: keycloak-client-secret
# -- Secret containing DB password at key "password". When set, db.password is ignored
# and the password is read from /var/secrets/db/password (supports live rotation).
dbCreds: ""

config:
env:
Expand All @@ -46,6 +49,7 @@ config:
port: 5432
name: forge
user: forge
# -- Plain-text password. Ignored when secrets.dbCreds is set.
password: forge
temporal:
host: temporal-frontend.temporal
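Review bot: The comment added above `dbCreds` says the path "supports live rotation", which overstates what the chart itself guarantees: the kubelet does refresh the contents of a Secret volume after the Secret changes (on its sync period, and not for subPath mounts), but the new password only takes effect if the application re-reads `/var/secrets/db/password` instead of caching it at startup, and nothing in this PR shows that behaviour. Suggest rewording to `# -- Name of a Secret holding the DB password under key "password". When set, db.password is ignored and the app reads /var/secrets/db/password; the kubelet refreshes the file on rotation, so the app must re-read it rather than cache it.` The identical comment is duplicated in the workflow chart's values.yaml and should be updated in step.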
Expand Up @@ -20,3 +20,22 @@ app.kubernetes.io/name: carbide-rest-workflow
{{- define "carbide-rest-workflow.image" -}}
{{ .Values.global.image.repository }}/{{ .Values.image.name }}:{{ .Values.global.image.tag }}
{{- end }}

{{- define "carbide-rest-workflow.dbCredsVolumeMount" -}}
{{- if .Values.secrets.dbCreds }}
- name: db-creds
mountPath: /var/secrets/db
readOnly: true
{{- end }}
{{- end }}

{{- define "carbide-rest-workflow.dbCredsVolume" -}}
{{- if .Values.secrets.dbCreds }}
- name: db-creds
secret:
secretName: {{ .Values.secrets.dbCreds }}
items:
- key: password
path: password
{{- end }}
{{- end }}
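Review bot: Neither new define carries the `{{/* ... */}}` header comment that Helm helpers conventionally have, so a reader must open the deployment templates to learn that the caller supplies indentation via `nindent` and that both helpers render nothing unless `.Values.secrets.dbCreds` is set. Suggest adding above the first one `{{/* Volume mount for the DB credentials Secret at /var/secrets/db. Renders nothing unless .Values.secrets.dbCreds is set; the caller indents with nindent. */}}` and an analogous comment above the volume define that names the key/path contract (`password` -> `/var/secrets/db/password`). Both helpers and the ConfigMap template's `passwordPath` must agree on that path; stating the coupling in the comment makes it visible to the next editor.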
Expand Up @@ -7,4 +7,11 @@ metadata:
{{- include "carbide-rest-workflow.labels" . | nindent 4 }}
data:
config.yaml: |
{{- if .Values.secrets.dbCreds }}
{{- $config := deepCopy .Values.config -}}
{{- $_ := set $config.db "passwordPath" "/var/secrets/db/password" -}}
{{- $_ := unset $config.db "password" -}}
{{- $config | toYaml | nindent 4 }}
{{- else }}
{{- .Values.config | toYaml | nindent 4 }}
{{- end }}
Expand Up @@ -53,6 +53,7 @@ spec:
- name: temporal-tls-certs
mountPath: /var/secrets/temporal/certs
readOnly: true
{{- include "carbide-rest-workflow.dbCredsVolumeMount" . | nindent 12 }}
livenessProbe:
httpGet:
path: /healthz
Expand Down Expand Up @@ -87,3 +88,4 @@ spec:
- name: temporal-tls-certs
secret:
secretName: {{ .Values.secrets.temporalClientCerts }}
{{- include "carbide-rest-workflow.dbCredsVolume" . | nindent 8 }}
Expand Up @@ -53,6 +53,7 @@ spec:
- name: temporal-tls-certs
mountPath: /var/secrets/temporal/certs
readOnly: true
{{- include "carbide-rest-workflow.dbCredsVolumeMount" . | nindent 12 }}
livenessProbe:
httpGet:
path: /healthz
Expand Down Expand Up @@ -87,3 +88,4 @@ spec:
- name: temporal-tls-certs
secret:
secretName: {{ .Values.secrets.temporalClientCerts }}
{{- include "carbide-rest-workflow.dbCredsVolume" . | nindent 8 }}
Expand Up @@ -27,6 +27,9 @@ siteWorker:
secrets:
temporalEncryptionKey: temporal-encryption-key
temporalClientCerts: temporal-client-cloud-certs
# -- Secret containing DB password at key "password". When set, db.password is ignored
# and the password is read from /var/secrets/db/password (supports live rotation).
dbCreds: ""

config:
env:
Expand All @@ -38,6 +41,7 @@ config:
port: 5432
name: forge
user: forge
# -- Plain-text password. Ignored when secrets.dbCreds is set.
password: forge
Contributor

We should probably remove this altogether?

Contributor Author

thanks @thossain-nv, I will check the scope of this change and send another PR.

temporal:
host: temporal-frontend.temporal