feat(charts): add extra Secrets support for ENV

[holysoles]

Similar to #689. this PR adds the ability to pass additional env variables from a secret to deployments.

A use case for this is providing API tokens for self-hosted repositories to later reference in config.js

---

Note

Adds extraEnvFromSecrets to inject env vars from Kubernetes Secrets and renders envFrom when ConfigMaps or Secrets are provided for CE and EE (server/worker).

• Helm charts:
  • Env vars from Secrets:
    • Add extraEnvFromSecrets values and conditional rendering of envFrom to include secretRef alongside existing configMapRef.
    • Applies to mend-renovate-ce (templates/deployment.yaml, values.yaml) and mend-renovate-ee server/worker (templates/server-deployment.yaml, templates/worker-deployment.yaml, values.yaml).
  • Values docs:
    • Document usage with Kubernetes refs in values.yaml for both charts.

^{Written by Cursor Bugbot for commit 3bd9f03. This will update automatically on new commits. Configure here.}

Summary by CodeRabbit

• New Features
  • Added support for loading environment variables from Kubernetes Secrets across all deployment types, enabling more flexible secret management alongside existing ConfigMap support.
  • Environment variable configuration now renders conditionally for optimized resource handling.

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

This pull request extends Helm chart configuration for both Community Edition (mend-renovate-ce) and Enterprise Edition (mend-renovate-ee) deployments to support loading environment variables from Kubernetes Secrets. The changes add conditional rendering of the envFrom block in deployment templates when either extraEnvFromConfigMaps or extraEnvFromSecrets is provided, and introduce new extraEnvFromSecrets configuration keys in the values files for all relevant components (CE deployment, EE server, and EE worker).

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~12 minutes

• Homogeneous, repetitive pattern applied consistently across multiple template files
• Simple conditional logic with no complex business logic
• Additive changes with low risk of breaking existing functionality
• All changes follow established Helm templating conventions

Possibly Related PRs

• feat: add extra ConfigMap support for file mounts and env #689: Introduced the initial extraEnvFromConfigMaps pattern for the envFrom block; this PR extends that pattern to include extraEnvFromSecrets support

Suggested Reviewers

• nabeelsaabna

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat(charts): add extra Secrets support for ENV' clearly summarizes the main change: adding support for loading environment variables from Kubernetes Secrets in Helm charts.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d7ee1f7 and 3bd9f03.

📒 Files selected for processing (5)

• helm-charts/mend-renovate-ce/templates/deployment.yaml (1 hunks)
• helm-charts/mend-renovate-ce/values.yaml (1 hunks)
• helm-charts/mend-renovate-ee/templates/server-deployment.yaml (1 hunks)
• helm-charts/mend-renovate-ee/templates/worker-deployment.yaml (1 hunks)
• helm-charts/mend-renovate-ee/values.yaml (2 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*

⚙️ CodeRabbit configuration file

**/*: - Feedback will only be given on issues that could cause bugs or involve very bad practices.

• Comments will be kept concise and focused on critical areas.

Files:

• helm-charts/mend-renovate-ce/templates/deployment.yaml
• helm-charts/mend-renovate-ee/templates/worker-deployment.yaml
• helm-charts/mend-renovate-ee/values.yaml
• helm-charts/mend-renovate-ce/values.yaml
• helm-charts/mend-renovate-ee/templates/server-deployment.yaml

🔇 Additional comments (5)

helm-charts/mend-renovate-ee/values.yaml (1)

304-312: LGTM!

The configuration additions are properly scoped under renovateServer and renovateWorker, with helpful documentation references. These align correctly with the corresponding template changes.

Also applies to: 509-515

helm-charts/mend-renovate-ce/values.yaml (1)

377-383: LGTM!

The root-level placement is consistent with the CE chart's existing extraEnvFromConfigMaps pattern, and documentation references are included.

helm-charts/mend-renovate-ee/templates/server-deployment.yaml (1)

57-71: LGTM!

The previous scope issue has been corrected. The template properly references .Values.renovateServer for both configMaps and secrets, and the conditional block correctly gates the envFrom section.

helm-charts/mend-renovate-ce/templates/deployment.yaml (1)

54-68: LGTM!

The root-level scope is correct for the CE chart structure, and the conditional properly gates the envFrom block based on the presence of either ConfigMap or Secret environment sources.

helm-charts/mend-renovate-ee/templates/worker-deployment.yaml (1)

58-72: LGTM!

The previous scope issue has been corrected. The template properly references .Values.renovateWorker for both configMaps and secrets, maintaining consistency with the server-deployment changes.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}