feat(helm): add extraObjects support

README.md

@@ -117,6 +117,53 @@ For an example, review the values for Google's `cloud sql proxy` in the `values/
 helm install --repo https://go.temporal.io/helm-charts -f values/values.cloudsqlproxy.yaml temporal temporal --timeout 900s
 ```
 
+### Install with extraObjects for external secret management
+
+You can inject additional Kubernetes manifests using the `extraObjects` configuration. This is particularly useful for GitOps scenarios where you want to manage secrets externally using tools like ExternalSecretOperator or SealedSecrets.
+
+The `extraObjects` field accepts an array of raw YAML strings rendered alongside the Temporal chart. Each entry supports Go templating (e.g. `{{ .Release.Name }}`).
+
+#### Example with ExternalSecretOperator
+
+```yaml
+extraObjects:
+  - |
+    apiVersion: external-secrets.io/v1beta1
+    kind: ExternalSecret
+    metadata:
+      name: {{ .Release.Name }}-db-secret
+    spec:
+      secretStoreRef:
+        name: aws-secretsmanager
+        kind: SecretStore
+      target:
+        name: {{ .Release.Name }}-db-secret
+        creationPolicy: Owner
+      data:
+      - secretKey: password
+        remoteRef:
+          key: prod/temporal/db
+          property: password
+```
+
+
+#### Example with SealedSecrets
+
+```yaml
+extraObjects:
+  - |
+    apiVersion: bitnami.com/v1alpha1
+    kind: SealedSecret
+    metadata:
+      name: {{ .Release.Name }}-db-secret
+    spec:
+      encryptedData:
+        password: <encrypted-password>
+      template:
+        metadata:
+          name: {{ .Release.Name }}-db-secret
+```
+
 ### Install with MySQL
 
 To use a MySQL database, copy the [MySQL values file](values/values.mysql.yaml) locally and edit it with your database connection details:

charts/temporal/templates/extra-objects.yaml

@@ -0,0 +1,4 @@
+{{- range .Values.extraObjects }}
+---
+{{ tpl . $ }}
+{{- end }}

charts/temporal/tests/extra_objects_test.yaml

@@ -0,0 +1,67 @@
+suite: test extra objects
+templates:
+  - extra-objects.yaml
+tests:
+  - it: does not render anything when extraObjects is empty
+    asserts:
+      - not: true
+        containsDocument:
+          kind: "*"
+  - it: renders a ConfigMap from a string entry
+    set:
+      extraObjects:
+        - |
+          apiVersion: v1
+          kind: ConfigMap
+          metadata:
+            name: test-config
+          data:
+            key: value
+    asserts:
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+      - equal:
+          path: metadata.name
+          value: test-config
+  - it: renders an ExternalSecret from a string entry
+    set:
+      extraObjects:
+        - |
+          apiVersion: external-secrets.io/v1beta1
+          kind: ExternalSecret
+          metadata:
+            name: test-secret
+          spec:
+            secretStoreRef:
+              name: test-store
+              kind: SecretStore
+            target:
+              name: test-target
+            data:
+            - secretKey: password
+              remoteRef:
+                key: test/key
+                property: password
+    asserts:
+      - containsDocument:
+          kind: ExternalSecret
+          apiVersion: external-secrets.io/v1beta1
+      - equal:
+          path: metadata.name
+          value: test-secret
+  - it: supports Go templating within entries
+    set:
+      extraObjects:
+        - |
+          apiVersion: v1
+          kind: ConfigMap
+          metadata:
+            name: {{ .Release.Name }}-config
+    asserts:
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-config

charts/temporal/values.yaml

@@ -16,6 +16,8 @@ serviceAccount:
   extraAnnotations:
 additionalAnnotations: {}
 additionalLabels: {}
+# Array of extra K8s manifests to deploy
+extraObjects: []
 server:
   enabled: true
   image: