
feat(helm): add extraObjects support#781

Merged
robholland merged 4 commits into temporalio:main from ralf157:main
Mar 30, 2026

Conversation

@ralf157
Contributor

@ralf157 ralf157 commented Nov 17, 2025

Add extraObjects support for external secret management

Problem

Temporal Helm charts currently create Kubernetes Secrets inline with base64-encoded sensitive data directly in chart templates. While this works for basic deployments, it creates significant challenges in GitOps workflows where sensitive data like database passwords are stored as base64-encoded strings in Git repositories, providing minimal security since base64 is easily reversible.

Solution

Add support for extraObjects configuration to allow injecting additional Kubernetes manifests, enabling external secret management solutions like ExternalSecretOperator or SealedSecrets.

Changes

Configuration (values.yaml)

  • Added extraObjects field as an array of Kubernetes resource definitions
  • Defaults to empty array for backward compatibility

Template (templates/extra-objects.yaml)

  • New template that renders all objects from extraObjects array
  • Supports both list and map formats
  • Uses --- document separators for multi-document YAML

Documentation (README.md)

  • Added new section "Install with extraObjects for external secret management"
  • Includes examples for ExternalSecretOperator and SealedSecrets
  • Provides clear installation instructions

Tests (tests/extra_objects_test.yaml)

  • Added automated tests using helm-unittest framework
  • Tests empty extraObjects (no output)
  • Tests rendering of ConfigMap and ExternalSecret resources

Usage Examples

ExternalSecretOperator

extraObjects:
  - apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    metadata:
      name: temporal-db-secret
    spec:
      secretStoreRef:
        name: aws-secretsmanager
        kind: SecretStore
      target:
        name: temporal-default-store
        creationPolicy: Owner
      data:
      - secretKey: password
        remoteRef:
          key: prod/temporal/db
          property: password

SealedSecrets

extraObjects:
  - apiVersion: bitnami.com/v1alpha1
    kind: SealedSecret
    metadata:
      name: temporal-db-secret
    spec:
      encryptedData:
        password: <encrypted-password>
      template:
        metadata:
          name: temporal-default-store

Benefits

  • Enhanced Security: Secrets can be properly encrypted or managed externally
  • GitOps Compatibility: Supports encrypted secrets in Git repositories
  • Flexibility: Works with various secret management solutions
  • Centralized Management: Keeps secret generation logic within Helm chart context
  • Backward Compatibility: Existing deployments continue to work unchanged

Testing

  • Added automated tests covering various scenarios
  • Manual validation of template rendering
  • Verified compatibility with existing chart functionality

Related Issues

Closes #780 (GitOps secret management support)

Checklist

  • Changes follow Helm chart best practices
  • Documentation updated with examples
  • Automated tests added
  • Backward compatibility maintained
  • Security considerations addressed

@ralf157 ralf157 requested a review from a team as a code owner November 17, 2025 12:13
@CLAassistant

CLAassistant commented Nov 17, 2025

CLA assistant check
All committers have signed the CLA.

- Add extraObjects configuration field to values.yaml
- Create templates/extra-objects.yaml to render additional manifests
- Update README.md with usage examples for ExternalSecretOperator and SealedSecrets
- Add automated tests in tests/extra_objects_test.yaml
- Enable GitOps-friendly secret management by allowing injection of custom resources

Signed-off-by: Ralf Dahmen <ralf.dahmen14@googlemail.com>
Signed-off-by: Ralf Dahmen <ralf.dahmen14@googlemail.com>
@siennathesane

I desperately need this lol

@robholland robholland changed the title from "feat(helm): add extraObjects support for external secret management" to "feat(helm): add extraObjects support" on Jan 16, 2026
Contributor

@robholland robholland left a comment


Don't really like the name, but it seems that's the consensus. I agree with others that this should be a helm feature, but until then...

@robholland robholland added the needs revision Team has requested some changes label Jan 16, 2026
@Ray-Barker

Can we add the concise version mentioned by @robholland?

{{ range .Values.extraObjects }}
---
{{ tpl . $ }}
{{ end }}

What's the state of this PR? I really don't want to make a wrapper chart only to create additional secrets. Should I make another PR maybe?
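Rendering the concise template proposed above, as an added Go example that is not part of the PR or the chart: it emulates `{{ range .Values.extraObjects }}---{{ tpl . $ }}{{ end }}` with Go's text/template over constructed entries (one ExternalSecret shaped like the PR description's, one inline base64 Secret), then runs the check a reviewer would want on the rendered output, flagging any kind: Secret that still carries inline data. The root context, SampleObjects and FindInlineSecrets are assumptions of this example; entries are assumed to end with a newline.

```go
package main

import (
	"strings"
	"text/template"
)
// Constructed sample entries: an ExternalSecret like the PR's, plus an inline base64 Secret.
var SampleObjects = []string{
	"apiVersion: external-secrets.io/v1beta1\nkind: ExternalSecret\nmetadata:\n  name: {{ .Release.Name }}-db-secret\nspec:\n  target:\n    name: {{ .Release.Name }}-default-store\n  data:\n  - secretKey: password\n",
	"apiVersion: v1\nkind: Secret\nmetadata:\n  name: {{ .Release.Name }}-inline\ndata:\n  password: cGFzc3dvcmQ=\n",
}
// RenderExtraObjects emulates {{ range .Values.extraObjects }}---{{ tpl . $ }}{{ end }}:
// each entry is parsed as a text/template against a root carrying .Release.Name.
// This is an emulation of Helm's tpl for illustration, not Helm's own implementation.
func RenderExtraObjects(releaseName string, objs []string) (string, error) {
	root := map[string]any{"Release": map[string]string{"Name": releaseName}}
	var out strings.Builder
	for _, obj := range objs {
		t, err := template.New("extraObject").Option("missingkey=error").Parse(obj)
		if err != nil {
			return "", err
		}
		out.WriteString("---\n") // one YAML document per entry
		if err := t.Execute(&out, root); err != nil {
			return "", err
		}
	}
	return out.String(), nil
}
// FindInlineSecrets returns names of rendered documents that are kind: Secret with a
// top-level data: or stringData: block. Line scanner keyed on indent, not a YAML parser.
func FindInlineSecrets(rendered string) []string {
	var flagged []string
	for _, doc := range strings.Split(rendered, "\n---\n") {
		kind, name, inline := "", "", false
		for _, line := range strings.Split(doc, "\n") {
			switch {
			case strings.HasPrefix(line, "kind:"):
				kind = strings.TrimSpace(line[5:])
			case name == "" && strings.HasPrefix(line, "  name:"):
				name = strings.TrimSpace(line[7:]) // metadata.name comes first
			case strings.HasPrefix(line, "data:"), strings.HasPrefix(line, "stringData:"):
				inline = true
			}
		}
		if kind == "Secret" && inline {
			flagged = append(flagged, name)
		}
	}
	return flagged
}
```

With the sample entries, the ExternalSecret passes and the inline Secret is reported by name, which is the review signal that a manifest still puts base64 data into Git.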

@robholland
Contributor

@Ray-Barker Perhaps create a new PR as we've not heard back.

@ralf157
Contributor Author

ralf157 commented Mar 29, 2026

Sorry for the long wait, @Ray-Barker and @robholland!
I just tried to implement the templating according to your feedback.

Please have a look again.

@ralf157 ralf157 requested a review from robholland March 29, 2026 11:31
Contributor

@robholland robholland left a comment


Looks great, thanks.

@robholland robholland merged commit d0db258 into temporalio:main Mar 30, 2026
4 checks passed

Development

Successfully merging this pull request may close these issues.

[Feature Request] enable external secret management in GitOps scenarios