feat: add support for pre-created Kubernetes secrets in Helm chart

Allow users to install the chart with externally managed secrets via customSecretName and customSecretKey values. This enables integration with secret management tools like External Secrets Operator, Sealed Secrets, and Vault.

- Add customSecretName and customSecretKey chart values
- Make secret creation conditional based on customSecretName
- Add helper functions for secret resolution
- Update deployment to use configurable secret references
- Add documentation and usage examples

Also removes deprecated engine: gotpl field from Chart.yaml for Helm v3 compliance.

Bump chart version to 1.18.0 (minor version for new feature).

Author: dpacheconr

CHANGELOG.md

@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Unreleased
 
+### Enhancements
+- Add support for using pre-created Kubernetes secrets in the Helm chart via `customSecretName` and `customSecretKey` values
+
+### Fixes
+- Remove deprecated `engine: gotpl` field from Chart.yaml for Helm v3 compliance
+
 ## v0.19.6 - 2026-01-12
 
 ### dependency

charts/newrelic-k8s-metrics-adapter/Chart.yaml

@@ -1,13 +1,12 @@
 apiVersion: v2
 description: A Helm chart to deploy the New Relic Kubernetes Metrics Adapter.
 name: newrelic-k8s-metrics-adapter
-version: 1.17.6
+version: 1.18.0
 appVersion: 0.19.6
 home: https://hub.docker.com/r/newrelic/newrelic-k8s-metrics-adapter
 sources:
   - https://github.com/newrelic/newrelic-k8s-metrics-adapter
   - https://github.com/newrelic/newrelic-k8s-metrics-adapter/tree/main/charts/newrelic-k8s-metrics-adapter
-engine: gotpl
 icon: https://newrelic.com/assets/newrelic/source/NewRelic-logo-square.svg
 dependencies:
   - name: common-library

charts/newrelic-k8s-metrics-adapter/README.md

@@ -32,6 +32,8 @@ A Helm chart to deploy the New Relic Kubernetes Metrics Adapter.
 | config.nrdbClientTimeoutSeconds | int | 30 | Defines the NRDB client timeout. The maximum allowed value is 120. |
 | config.region | string | Automatically detected from `licenseKey`. | New Relic account region. If not set, it will be automatically derived from the License Key. |
 | containerSecurityContext | string | `nil` | Configure containerSecurityContext |
+| customSecretKey | string | `personalAPIKey` | The key in the `customSecretName` secret that contains the New Relic Personal API Key. Only used when `customSecretName` is set. |
+| customSecretName | string | `""` | Name of a pre-created secret containing the New Relic Personal API Key. When set, the chart will not create a secret and will use this one instead. The secret must exist in the same namespace and contain the key specified by `customSecretKey`. When set, the `personalAPIKey` value is ignored. |
 | extraEnv | list | `[]` | Array to add extra environment variables |
 | extraEnvFrom | list | `[]` | Array to add extra envFrom |
 | extraVolumeMounts | list | `[]` | Add extra volume mounts |
@@ -40,7 +42,7 @@ A Helm chart to deploy the New Relic Kubernetes Metrics Adapter.
 | image | object | See `values.yaml`. | Registry, repository, tag, and pull policy for the container image. |
 | image.pullSecrets | list | `[]` | The image pull secrets. |
 | nodeSelector | object | `{}` | Node label to use for scheduling. |
-| personalAPIKey | string | `nil` | New Relic [Personal API Key](https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#user-api-key) (stored in a secret). Used to connect to NerdGraph in order to fetch the configured metrics. (**Required**) |
+| personalAPIKey | string | `nil` | New Relic [Personal API Key](https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#user-api-key) (stored in a secret). Used to connect to NerdGraph in order to fetch the configured metrics. (**Required when `customSecretName` is not set**) |
 | podAnnotations | string | `nil` | Additional annotations to apply to the pod(s). |
 | podSecurityContext | string | `nil` | Configure podSecurityContext |
 | proxy | string | `nil` | Configure proxy for the metrics-adapter. |
@@ -74,6 +76,43 @@ Then, to install this chart, run the following command:
 helm upgrade --install [release-name] newrelic-k8s-metrics-adapter/newrelic-k8s-metrics-adapter --values [values file path]
 ```
 
+### Using a Pre-Created Secret
+
+Instead of providing the API key directly in the values file, you can use a pre-created Kubernetes Secret. This is useful when using secret management tools like:
+
+- [External Secrets Operator](https://external-secrets.io/)
+- [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)
+- [Vault](https://www.vaultproject.io/)
+- Manual secret creation
+
+To use a pre-created secret, first create it in your Kubernetes cluster:
+
+```sh
+kubectl create secret generic newrelic-api-key \
+  --from-literal=personalAPIKey=<your-api-key> \
+  --namespace=<your-namespace>
+```
+
+Then, configure the chart to use this secret by setting `customSecretName`:
+
+```yaml
+customSecretName: newrelic-api-key
+customSecretKey: personalAPIKey
+config:
+  accountID: <Account ID>
+  externalMetrics:
+    nginx_average_requests:
+      query: "FROM Metric SELECT average(nginx.server.net.requestsPerSecond) SINCE 2 MINUTES AGO"
+```
+
+And install the chart:
+
+```sh
+helm upgrade --install [release-name] newrelic-k8s-metrics-adapter/newrelic-k8s-metrics-adapter --values [values file path]
+```
+
+**Note:** When using `customSecretName`, you must ensure the secret exists in the target namespace before installing the Helm chart.
+
 Once deployed the metric `nginx_average_requests` will be available to use by any HPA. This is and example of an HPA yaml using this metric:
 
 ```yaml

charts/newrelic-k8s-metrics-adapter/templates/_helpers.tpl

@@ -55,3 +55,36 @@ Naming helpers
 {{- define "newrelic-k8s-metrics-adapter.name.hpa-controller" -}}
 {{ include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "hpa-controller") }}
 {{- end -}}
+
+{{/*
+Determine the secret name to use - either custom or generated
+*/}}
+{{- define "newrelic-k8s-metrics-adapter.secretName" -}}
+{{- if .Values.customSecretName -}}
+  {{- .Values.customSecretName -}}
+{{- else -}}
+  {{- include "newrelic.common.naming.fullname" . -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Determine the secret key to use - custom or default
+*/}}
+{{- define "newrelic-k8s-metrics-adapter.secretKey" -}}
+{{- if .Values.customSecretKey -}}
+  {{- .Values.customSecretKey -}}
+{{- else -}}
+  {{- "personalAPIKey" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Determine whether to create the secret - false if customSecretName is set
+*/}}
+{{- define "newrelic-k8s-metrics-adapter.createSecret" -}}
+{{- if .Values.customSecretName -}}
+  {{- false -}}
+{{- else -}}
+  {{- true -}}
+{{- end -}}
+{{- end -}}

charts/newrelic-k8s-metrics-adapter/templates/deployment.yaml

@@ -62,8 +62,8 @@ spec:
         - name: NEWRELIC_API_KEY
           valueFrom:
             secretKeyRef:
-              name: {{ include "newrelic.common.naming.fullname" . }}
-              key: personalAPIKey
+              name: {{ include "newrelic-k8s-metrics-adapter.secretName" . }}
+              key: {{ include "newrelic-k8s-metrics-adapter.secretKey" . }}
         {{- with (include "newrelic.common.proxy" .) }}
         - name: HTTPS_PROXY
           value: {{ . }}

charts/newrelic-k8s-metrics-adapter/templates/secret.yaml

@@ -1,3 +1,7 @@
+{{- if not .Values.customSecretName }}
+{{- if not .Values.personalAPIKey }}
+  {{ fail "personalAPIKey must be set when customSecretName is not provided" }}
+{{- end }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,4 +11,5 @@ metadata:
     {{- include "newrelic.common.labels" . | nindent 4 }}
 type: Opaque
 stringData:
-  personalAPIKey: {{ .Values.personalAPIKey | required "personalAPIKey must be set" | quote }}
+  personalAPIKey: {{ .Values.personalAPIKey | quote }}
+{{- end }}

charts/newrelic-k8s-metrics-adapter/values.yaml

@@ -11,9 +11,20 @@
 #   cluster:
 #   nrStaging:
 
-# -- New Relic [Personal API Key](https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#user-api-key) (stored in a secret). Used to connect to NerdGraph in order to fetch the configured metrics. (**Required**)
+# -- New Relic [Personal API Key](https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#user-api-key) (stored in a secret). Used to connect to NerdGraph in order to fetch the configured metrics. (**Required when `customSecretName` is not set**)
 personalAPIKey:
 
+# -- Name of a pre-created secret containing the New Relic Personal API Key. When set, the chart will not create a secret and will use this one instead.
+# The secret must exist in the same namespace and contain the key specified by `customSecretKey`.
+# When set, the `personalAPIKey` value is ignored.
+# @default -- `""`
+customSecretName: ""
+
+# -- The key in the `customSecretName` secret that contains the New Relic Personal API Key.
+# Only used when `customSecretName` is set.
+# @default -- `personalAPIKey`
+customSecretKey: personalAPIKey
+
 # -- Enable metrics adapter verbose logs.
 verboseLog: false