Add option to provide admin user password as an external secret (#176)

SiMaHer · oliverguenther · commit 1f9a03f08d04 · 2025-03-11T10:20:49.000+01:00
diff --git a/.changeset/dry-ducks-pull.md b/.changeset/dry-ducks-pull.md
@@ -0,0 +1,5 @@
+---
+"@openproject/helm-charts": minor
+---
+
+Allow passing existing secret for admin user
diff --git a/charts/openproject/templates/secret_core.yaml b/charts/openproject/templates/secret_core.yaml
@@ -73,7 +73,8 @@ stringData:
   {{- if .Values.postgresql.options.sslMinProtocolVersion }}
   OPENPROJECT_DB_SSL_MIN_PROTOCOL_VERSION: {{ .Values.postgresql.options.sslMinProtocolVersion | toString }}
   {{- end }}
-  OPENPROJECT_SEED_ADMIN_USER_PASSWORD: {{ .Values.openproject.admin_user.password | quote }}
+  {{ $secret := (lookup "v1" "Secret" .Release.Namespace (default "_" .Values.openproject.admin_user.secret)) | default (dict "data" dict) -}}
+  OPENPROJECT_SEED_ADMIN_USER_PASSWORD: {{ default .Values.openproject.admin_user.password (get $secret.data .Values.openproject.admin_user.secretKeys.password | b64dec) | quote }}
   OPENPROJECT_SEED_ADMIN_USER_PASSWORD_RESET: {{ .Values.openproject.admin_user.password_reset | quote }}
   OPENPROJECT_SEED_ADMIN_USER_NAME: {{ .Values.openproject.admin_user.name | quote }}
   OPENPROJECT_SEED_ADMIN_USER_MAIL: {{ .Values.openproject.admin_user.mail | quote }}
diff --git a/charts/openproject/values.yaml b/charts/openproject/values.yaml
@@ -345,6 +345,12 @@ openproject:
     password_reset: "true"
     name: "OpenProject Admin"
     mail: "admin@example.net"
+
+    secret: ""
+
+    ## In case your secret does not use the default key in the secret, you can adjust it here
+    secretKeys:
+      password: ""
     # Uncomment if you want to lock the user after creation
     # Relevant for automated deployments that seed LDAP or SSO
     # locked: true

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@openproject/helm-charts": minor
 +---
++
 +Allow passing existing secret for admin user