From 483eb07dcf5b249b7fea9aa2b7bc54d657d67234 Mon Sep 17 00:00:00 2001 From: Diogo Pacheco <100862257+dpacheconr@users.noreply.github.com> Date: Mon, 26 Jan 2026 09:58:27 +0000 Subject: [PATCH] feat: add support for pre-created Kubernetes secrets in Helm chart Allow users to install the chart with externally managed secrets via customSecretName and customSecretKey values. This enables integration with secret management tools like External Secrets Operator, Sealed Secrets, and Vault. - Add customSecretName and customSecretKey chart values - Make secret creation conditional based on customSecretName - Add helper functions for secret resolution - Update deployment to use configurable secret references - Add documentation and usage examples Also removes deprecated engine: gotpl field from Chart.yaml for Helm v3 compliance. Bump chart version to 1.18.0 (minor version for new feature). --- CHANGELOG.md | 6 +++ .../newrelic-k8s-metrics-adapter/Chart.yaml | 3 +- charts/newrelic-k8s-metrics-adapter/README.md | 41 ++++++++++++++++++- .../templates/_helpers.tpl | 33 +++++++++++++++ .../templates/deployment.yaml | 4 +- .../templates/secret.yaml | 7 +++- .../newrelic-k8s-metrics-adapter/values.yaml | 13 +++++- 7 files changed, 100 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 147e8773..f48ca8e1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## Unreleased +### Enhancements +- Add support for using pre-created Kubernetes secrets in the Helm chart via `customSecretName` and `customSecretKey` values + +### Fixes +- Remove deprecated `engine: gotpl` field from Chart.yaml for Helm v3 compliance + ## v0.19.6 - 2026-01-12 ### dependency diff --git a/charts/newrelic-k8s-metrics-adapter/Chart.yaml b/charts/newrelic-k8s-metrics-adapter/Chart.yaml index 25ef8226..1995c317 100644 --- a/charts/newrelic-k8s-metrics-adapter/Chart.yaml 
+++ b/charts/newrelic-k8s-metrics-adapter/Chart.yaml @@ -1,13 +1,12 @@ apiVersion: v2 description: A Helm chart to deploy the New Relic Kubernetes Metrics Adapter. name: newrelic-k8s-metrics-adapter -version: 1.17.6 +version: 1.18.0 appVersion: 0.19.6 home: https://hub.docker.com/r/newrelic/newrelic-k8s-metrics-adapter sources: - https://github.com/newrelic/newrelic-k8s-metrics-adapter - https://github.com/newrelic/newrelic-k8s-metrics-adapter/tree/main/charts/newrelic-k8s-metrics-adapter -engine: gotpl icon: https://newrelic.com/assets/newrelic/source/NewRelic-logo-square.svg dependencies: - name: common-library diff --git a/charts/newrelic-k8s-metrics-adapter/README.md b/charts/newrelic-k8s-metrics-adapter/README.md index 61dbca3d..b17e7c55 100644 --- a/charts/newrelic-k8s-metrics-adapter/README.md +++ b/charts/newrelic-k8s-metrics-adapter/README.md 
@@ -32,6 +32,8 @@ A Helm chart to deploy the New Relic Kubernetes Metrics Adapter. | config.nrdbClientTimeoutSeconds | int | 30 | Defines the NRDB client timeout. The maximum allowed value is 120. | | config.region | string | Automatically detected from `licenseKey`. | New Relic account region. If not set, it will be automatically derived from the License Key. | | containerSecurityContext | string | `nil` | Configure containerSecurityContext | +| customSecretKey | string | `personalAPIKey` | The key in the `customSecretName` secret that contains the New Relic Personal API Key. Only used when `customSecretName` is set. | +| customSecretName | string | `""` | Name of a pre-created secret containing the New Relic Personal API Key. When set, the chart will not create a secret and will use this one instead. The secret must exist in the same namespace and contain the key specified by `customSecretKey`. When set, the `personalAPIKey` value is ignored. | | extraEnv | list | `[]` | Array to add extra environment variables | | extraEnvFrom | list | `[]` | Array to add extra envFrom | | extraVolumeMounts | list | `[]` | Add extra volume mounts | 
@@ -40,7 +42,7 @@ A Helm chart to deploy the New Relic Kubernetes Metrics Adapter. | image | object | See `values.yaml`. | Registry, repository, tag, and pull policy for the container image. | | image.pullSecrets | list | `[]` | The image pull secrets. | | nodeSelector | object | `{}` | Node label to use for scheduling. | -| personalAPIKey | string | `nil` | New Relic [Personal API Key](https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#user-api-key) (stored in a secret). Used to connect to NerdGraph in order to fetch the configured metrics. (**Required**) | +| personalAPIKey | string | `nil` | New Relic [Personal API Key](https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#user-api-key) (stored in a secret). Used to connect to NerdGraph in order to fetch the configured metrics. (**Required when `customSecretName` is not set**) | | podAnnotations | string | `nil` | Additional annotations to apply to the pod(s). | | podSecurityContext | string | `nil` | Configure podSecurityContext | | proxy | string | `nil` | Configure proxy for the metrics-adapter. | 
@@ -74,6 +76,43 @@ Then, to install this chart, run the following command: helm upgrade --install [release-name] newrelic-k8s-metrics-adapter/newrelic-k8s-metrics-adapter --values [values file path] ``` +### Using a Pre-Created Secret + +Instead of providing the API key directly in the values file, you can use a pre-created Kubernetes Secret. This is useful when using secret management tools like: + +- [External Secrets Operator](https://external-secrets.io/) +- [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets) +- [Vault](https://www.vaultproject.io/) +- Manual secret creation + +To use a pre-created secret, first create it in your Kubernetes cluster: + +```sh +kubectl create secret generic newrelic-api-key \ + --from-literal=personalAPIKey= \ + --namespace= +``` + +Then, configure the chart to use this secret by setting `customSecretName`: + +```yaml +customSecretName: newrelic-api-key +customSecretKey: personalAPIKey +config: + accountID: + externalMetrics: + nginx_average_requests: + query: "FROM Metric SELECT average(nginx.server.net.requestsPerSecond) SINCE 2 MINUTES AGO" +``` + +And install the chart: + +```sh +helm upgrade --install [release-name] newrelic-k8s-metrics-adapter/newrelic-k8s-metrics-adapter --values [values file path] +``` + +**Note:** When using `customSecretName`, you must ensure the secret exists in the target namespace before installing the Helm chart. + Once deployed the metric `nginx_average_requests` will be available to use by any HPA. This is and example of an HPA yaml using this metric: ```yaml diff --git a/charts/newrelic-k8s-metrics-adapter/templates/_helpers.tpl b/charts/newrelic-k8s-metrics-adapter/templates/_helpers.tpl index 6a5f7650..a783bbe3 100644 --- a/charts/newrelic-k8s-metrics-adapter/templates/_helpers.tpl +++ b/charts/newrelic-k8s-metrics-adapter/templates/_helpers.tpl 
@@ -55,3 +55,36 @@ Naming helpers {{- define "newrelic-k8s-metrics-adapter.name.hpa-controller" -}} {{ include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "hpa-controller") }} {{- end -}} + +{{/* +Determine the secret name to use - either custom or generated +*/}} +{{- define "newrelic-k8s-metrics-adapter.secretName" -}} +{{- if .Values.customSecretName -}} + {{- .Values.customSecretName -}} +{{- else -}} + {{- include "newrelic.common.naming.fullname" . -}} +{{- end -}} +{{- end -}} + +{{/* +Determine the secret key to use - custom or default +*/}} +{{- define "newrelic-k8s-metrics-adapter.secretKey" -}} +{{- if .Values.customSecretKey -}} + {{- .Values.customSecretKey -}} +{{- else -}} + {{- "personalAPIKey" -}} +{{- end -}} +{{- end -}} + +{{/* +Determine whether to create the secret - false if customSecretName is set +*/}} +{{- define "newrelic-k8s-metrics-adapter.createSecret" -}} +{{- if .Values.customSecretName -}} + {{- false -}} +{{- else -}} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/charts/newrelic-k8s-metrics-adapter/templates/deployment.yaml b/charts/newrelic-k8s-metrics-adapter/templates/deployment.yaml index 1b96459a..aff09e24 100644 --- a/charts/newrelic-k8s-metrics-adapter/templates/deployment.yaml +++ b/charts/newrelic-k8s-metrics-adapter/templates/deployment.yaml @@ -62,8 +62,8 @@ spec: - name: NEWRELIC_API_KEY valueFrom: secretKeyRef: - name: {{ include "newrelic.common.naming.fullname" . }} - key: personalAPIKey + name: {{ include "newrelic-k8s-metrics-adapter.secretName" . }} + key: {{ include "newrelic-k8s-metrics-adapter.secretKey" . }} {{- with (include "newrelic.common.proxy" .) }} - name: HTTPS_PROXY value: {{ . }} diff --git a/charts/newrelic-k8s-metrics-adapter/templates/secret.yaml b/charts/newrelic-k8s-metrics-adapter/templates/secret.yaml index 09a70ab6..c6886bb9 100644 --- a/charts/newrelic-k8s-metrics-adapter/templates/secret.yaml 
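Review bot: The `newrelic-k8s-metrics-adapter.createSecret` helper at the end of this hunk renders the text `false`, not a boolean, so a caller writing `{{- if include "newrelic-k8s-metrics-adapter.createSecret" . }}` would always take the true branch, because any non-empty string is truthy in Go templates. Nothing in the visible hunks calls it (secret.yaml tests `.Values.customSecretName` directly), so either drop it or render nothing for the negative case, e.g. `{{- if not .Values.customSecretName -}}true{{- end -}}`. If it stays, its comment should state the convention, for example `Renders "true" or an empty string; test the result with a plain if`, so that a later caller does not gate Secret creation on an always-true condition.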
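Review bot: The two new `secretKeyRef` fields in deployment.yaml render user-supplied values unquoted, so a `customSecretName` or `customSecretKey` that YAML reads as a non-string (an all-digit name, `true`) or that contains `: ` or ` #` yields a manifest that fails to parse or is rejected by the API server. Quote both: `name: {{ include "newrelic-k8s-metrics-adapter.secretName" . | quote }}` and `key: {{ include "newrelic-k8s-metrics-adapter.secretKey" . | quote }}`. The container spec continues outside the hunk, so whether the pod template carries a checksum annotation for the Secret is not visible here. Environment variables taken from `secretKeyRef` are read at container start, so a key rotated in an externally managed Secret only takes effect after the pod restarts, which is worth stating next to the `customSecretName` description.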
+++ b/charts/newrelic-k8s-metrics-adapter/templates/secret.yaml @@ -1,3 +1,7 @@ +{{- if not .Values.customSecretName }} +{{- if not .Values.personalAPIKey }} + {{ fail "personalAPIKey must be set when customSecretName is not provided" }} +{{- end }} apiVersion: v1 kind: Secret metadata: @@ -7,4 +11,5 @@ metadata: {{- include "newrelic.common.labels" . | nindent 4 }} type: Opaque stringData: - personalAPIKey: {{ .Values.personalAPIKey | required "personalAPIKey must be set" | quote }} + personalAPIKey: {{ .Values.personalAPIKey | quote }} +{{- end }} diff --git a/charts/newrelic-k8s-metrics-adapter/values.yaml b/charts/newrelic-k8s-metrics-adapter/values.yaml index 5c610f79..42c93b7c 100644 --- a/charts/newrelic-k8s-metrics-adapter/values.yaml +++ b/charts/newrelic-k8s-metrics-adapter/values.yaml @@ -11,9 +11,20 @@ # cluster: # nrStaging: -# -- New Relic [Personal API Key](https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#user-api-key) (stored in a secret). Used to connect to NerdGraph in order to fetch the configured metrics. (**Required**) +# -- New Relic [Personal API Key](https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#user-api-key) (stored in a secret). Used to connect to NerdGraph in order to fetch the configured metrics. (**Required when `customSecretName` is not set**) personalAPIKey: +# -- Name of a pre-created secret containing the New Relic Personal API Key. When set, the chart will not create a secret and will use this one instead. +# The secret must exist in the same namespace and contain the key specified by `customSecretKey`. +# When set, the `personalAPIKey` value is ignored. +# @default -- `""` +customSecretName: "" + +# -- The key in the `customSecretName` secret that contains the New Relic Personal API Key. +# Only used when `customSecretName` is set. +# @default -- `personalAPIKey` +customSecretKey: personalAPIKey + # -- Enable metrics adapter verbose logs. verboseLog: false
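Review bot: With `customSecretName` set, the guard added at the top of secret.yaml skips the whole template, so a `personalAPIKey` still present in the values is dropped without any signal; Helm nevertheless keeps user-supplied values in the release record, which leaves a live key stored in the cluster that nothing uses. Consider rejecting the combination before the guard, `{{- if and .Values.customSecretName .Values.personalAPIKey }}{{ fail "set either personalAPIKey or customSecretName, not both" }}{{- end }}`, or, if that is too strict for existing installs, state the consequence in the `customSecretName` description. Separately, in the second hunk the nested `if not`/`fail` pair can remain the original one-liner now that it sits inside the guard: `personalAPIKey: {{ .Values.personalAPIKey | required "personalAPIKey must be set when customSecretName is not provided" | quote }}`.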