Skip to content

Add a note to README about how externalSecret should be configured. #885

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jiechenz merged 2 commits into from
Apr 13, 2026
Merged

Add a note to README about how externalSecret should be configured. #885

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
44ebfc7
Add a note to README about how externalSecret should be configured.
robholland Apr 10, 2026
354b79a
De-emphasise creating your own secret as we're discussing existing se…
robholland Apr 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 51 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -105,6 +105,57 @@ server:

See the example values files in the `values/` directory for complete examples.

#### Using an existing Kubernetes secret

If you have already created a Kubernetes secret containing your database password, reference it with `existingSecret` and `secretKey`:

```bash
# Create the secret before installing the chart
kubectl create secret generic temporal-db-secret \
--from-literal=password=your_db_password
```

The secret should have the following structure:

```yaml
apiVersion: v1
kind: Secret
metadata:
name: temporal-db-secret
type: Opaque
data:
password: <base64-encoded-password>
```
Copy link
Copy Markdown
Contributor

@jiechenz jiechenz Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: This YAML block could be confusing as something the user needs to write. If we want to keep it, how about rephrase to "To verify the secret was created, run kubectl get secret temporal-db-secret -o yaml" so readers understand this is output, not a second step.

Copy link
Copy Markdown
Contributor Author

@robholland robholland Apr 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've re-worded, please see if it's better now.


Then reference it in your values:

```yaml
server:
config:
persistence:
datastores:
default:
sql:
pluginName: postgres12_pgx
driverName: postgres12_pgx
databaseName: temporal
connectAddr: "postgres.example.com:5432"
connectProtocol: tcp
user: temporal_user
existingSecret: temporal-db-secret
secretKey: password
visibility:
sql:
pluginName: postgres12_pgx
driverName: postgres12_pgx
databaseName: temporal_visibility
connectAddr: "postgres.example.com:5432"
connectProtocol: tcp
user: temporal_user
existingSecret: temporal-db-secret
secretKey: password
```

### Install with sidecar containers

You may need to provide your own sidecar containers (e.g., for database proxies).
Expand Down
Loading