newrelic · dpacheconr · Jan 26, 2026
@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Unreleased
 
+### Enhancements
+- Add support for using pre-created Kubernetes secrets in the Helm chart via `customSecretName` and `customSecretKey` values
+
+### Fixes
+- Remove deprecated `engine: gotpl` field from Chart.yaml for Helm v3 compliance
+
 ## v0.19.6 - 2026-01-12
 
 ### dependency

@@ -1,13 +1,12 @@
 apiVersion: v2
 description: A Helm chart to deploy the New Relic Kubernetes Metrics Adapter.
 name: newrelic-k8s-metrics-adapter
-version: 1.17.6
+version: 1.18.0
 appVersion: 0.19.6
 home: https://hub.docker.com/r/newrelic/newrelic-k8s-metrics-adapter
 sources:
   - https://github.com/newrelic/newrelic-k8s-metrics-adapter
   - https://github.com/newrelic/newrelic-k8s-metrics-adapter/tree/main/charts/newrelic-k8s-metrics-adapter
-engine: gotpl
 icon: https://newrelic.com/assets/newrelic/source/NewRelic-logo-square.svg
 dependencies:
   - name: common-library

@@ -32,6 +32,8 @@ A Helm chart to deploy the New Relic Kubernetes Metrics Adapter.
 | config.nrdbClientTimeoutSeconds | int | 30 | Defines the NRDB client timeout. The maximum allowed value is 120. |
 | config.region | string | Automatically detected from `licenseKey`. | New Relic account region. If not set, it will be automatically derived from the License Key. |
 | containerSecurityContext | string | `nil` | Configure containerSecurityContext |
+| customSecretKey | string | `personalAPIKey` | The key in the `customSecretName` secret that contains the New Relic Personal API Key. Only used when `customSecretName` is set. |
+| customSecretName | string | `""` | Name of a pre-created secret containing the New Relic Personal API Key. When set, the chart will not create a secret and will use this one instead. The secret must exist in the same namespace and contain the key specified by `customSecretKey`. When set, the `personalAPIKey` value is ignored. |
 | extraEnv | list | `[]` | Array to add extra environment variables |
 | extraEnvFrom | list | `[]` | Array to add extra envFrom |
 | extraVolumeMounts | list | `[]` | Add extra volume mounts |
@@ -40,7 +42,7 @@ A Helm chart to deploy the New Relic Kubernetes Metrics Adapter.
 | image | object | See `values.yaml`. | Registry, repository, tag, and pull policy for the container image. |
 | image.pullSecrets | list | `[]` | The image pull secrets. |
 | nodeSelector | object | `{}` | Node label to use for scheduling. |
-| personalAPIKey | string | `nil` | New Relic [Personal API Key](https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#user-api-key) (stored in a secret). Used to connect to NerdGraph in order to fetch the configured metrics. (**Required**) |
+| personalAPIKey | string | `nil` | New Relic [Personal API Key](https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#user-api-key) (stored in a secret). Used to connect to NerdGraph in order to fetch the configured metrics. (**Required when `customSecretName` is not set**) |
 | podAnnotations | string | `nil` | Additional annotations to apply to the pod(s). |
 | podSecurityContext | string | `nil` | Configure podSecurityContext |
 | proxy | string | `nil` | Configure proxy for the metrics-adapter. |
@@ -74,6 +76,43 @@ Then, to install this chart, run the following command:
 helm upgrade --install [release-name] newrelic-k8s-metrics-adapter/newrelic-k8s-metrics-adapter --values [values file path]
 ```
 
+### Using a Pre-Created Secret
+
+Instead of providing the API key directly in the values file, you can use a pre-created Kubernetes Secret. This is useful when using secret management tools like:
+
+- [External Secrets Operator](https://external-secrets.io/)
+- [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)
+- [Vault](https://www.vaultproject.io/)
+- Manual secret creation
+
+To use a pre-created secret, first create it in your Kubernetes cluster:
+
+```sh
+kubectl create secret generic newrelic-api-key \
+  --from-literal=personalAPIKey=<your-api-key> \
+  --namespace=<your-namespace>
+```
+
+Then, configure the chart to use this secret by setting `customSecretName`:
+
+```yaml
+customSecretName: newrelic-api-key
+customSecretKey: personalAPIKey
+config:
+  accountID: <Account ID>
+  externalMetrics:
+    nginx_average_requests:
+      query: "FROM Metric SELECT average(nginx.server.net.requestsPerSecond) SINCE 2 MINUTES AGO"
+```
+
+And install the chart:
+
+```sh
+helm upgrade --install [release-name] newrelic-k8s-metrics-adapter/newrelic-k8s-metrics-adapter --values [values file path]
+```
+
+**Note:** When using `customSecretName`, you must ensure the secret exists in the target namespace before installing the Helm chart.
+
 Once deployed the metric `nginx_average_requests` will be available to use by any HPA. This is and example of an HPA yaml using this metric:
 
 ```yaml

@@ -55,3 +55,36 @@ Naming helpers
 {{- define "newrelic-k8s-metrics-adapter.name.hpa-controller" -}}
 {{ include "newrelic.common.naming.truncateToDNSWithSuffix" (dict "name" (include "newrelic.common.naming.fullname" .) "suffix" "hpa-controller") }}
 {{- end -}}
+
+{{/*
+Determine the secret name to use - either custom or generated
+*/}}
+{{- define "newrelic-k8s-metrics-adapter.secretName" -}}
+{{- if .Values.customSecretName -}}
+  {{- .Values.customSecretName -}}
+{{- else -}}
+  {{- include "newrelic.common.naming.fullname" . -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Determine the secret key to use - custom or default
+*/}}
+{{- define "newrelic-k8s-metrics-adapter.secretKey" -}}
+{{- if .Values.customSecretKey -}}
+  {{- .Values.customSecretKey -}}
+{{- else -}}
+  {{- "personalAPIKey" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Determine whether to create the secret - false if customSecretName is set
+*/}}
+{{- define "newrelic-k8s-metrics-adapter.createSecret" -}}
+{{- if .Values.customSecretName -}}
+  {{- false -}}
+{{- else -}}
+  {{- true -}}
+{{- end -}}
+{{- end -}}
@@ -62,8 +62,8 @@ spec:
         - name: NEWRELIC_API_KEY
           valueFrom:
             secretKeyRef:
-              name: {{ include "newrelic.common.naming.fullname" . }}
-              key: personalAPIKey
+              name: {{ include "newrelic-k8s-metrics-adapter.secretName" . }}
+              key: {{ include "newrelic-k8s-metrics-adapter.secretKey" . }}
         {{- with (include "newrelic.common.proxy" .) }}
         - name: HTTPS_PROXY
           value: {{ . }}

@@ -1,3 +1,7 @@
+{{- if not .Values.customSecretName }}
+{{- if not .Values.personalAPIKey }}
+  {{ fail "personalAPIKey must be set when customSecretName is not provided" }}
+{{- end }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,4 +11,5 @@ metadata:
     {{- include "newrelic.common.labels" . | nindent 4 }}
 type: Opaque
 stringData:
-  personalAPIKey: {{ .Values.personalAPIKey | required "personalAPIKey must be set" | quote }}
+  personalAPIKey: {{ .Values.personalAPIKey | quote }}
+{{- end }}
@@ -11,9 +11,20 @@
 #   cluster:
 #   nrStaging:
 
-# -- New Relic [Personal API Key](https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#user-api-key) (stored in a secret). Used to connect to NerdGraph in order to fetch the configured metrics. (**Required**)
+# -- New Relic [Personal API Key](https://docs.newrelic.com/docs/apis/intro-apis/new-relic-api-keys/#user-api-key) (stored in a secret). Used to connect to NerdGraph in order to fetch the configured metrics. (**Required when `customSecretName` is not set**)
 personalAPIKey:
 
+# -- Name of a pre-created secret containing the New Relic Personal API Key. When set, the chart will not create a secret and will use this one instead.
+# The secret must exist in the same namespace and contain the key specified by `customSecretKey`.
+# When set, the `personalAPIKey` value is ignored.
+# @default -- `""`
+customSecretName: ""
+
+# -- The key in the `customSecretName` secret that contains the New Relic Personal API Key.
+# Only used when `customSecretName` is set.
+# @default -- `personalAPIKey`
+customSecretKey: personalAPIKey
+
 # -- Enable metrics adapter verbose logs.
 verboseLog: false