Conversation

@crstian19

Description

Add support for using an existing Kubernetes secret for MySQL root credentials in the Helm chart, enabling secure GitOps workflows and integration with external secret management systems.

Contributor Checklist

  • OCA signed (https://oca.opensource.oracle.com/)
  • Changes limited to Helm chart only
  • Backward compatible (existing deployments unaffected)
  • Values.yaml includes parameter documentation
  • Tested locally with both traditional and existingSecret methods

Motivation

Current limitation:

  • Helm chart requires credentials.root.password in values.yaml
  • Not compatible with modern secret management (Vault, External Secrets, etc.)
  • Security risk: credentials in Git repositories

Changes

  1. templates/cluster_secret.yaml: Conditional secret creation
  2. templates/innodbcluster.yaml: Reference external secret when provided
  3. values.yaml: New credentials.root.existingSecret parameter

Testing

Verified with helm template:

✅ Traditional method (password in values) works unchanged
✅ With existingSecret, chart skips secret creation
✅ InnoDBCluster correctly references external secret
✅ Error message clear when neither password nor existingSecret provided

Example Usage

Before (insecure):

credentials:
  root:
    password: "my-password"  # ⚠️ In Git

After (secure):

credentials:
  root:
    existingSecret: mysql-credentials  # ✅ Managed externally

Backward Compatibility

100% backward compatible. Existing deployments continue to work without any changes.

Enable users to reference an existing Kubernetes secret for root
credentials instead of requiring password in values.yaml. This allows
integration with external secret management solutions for production and GitOps
workflows.

Changes:
- Add credentials.root.existingSecret parameter to values.yaml
- Make cluster secret creation conditional (only when existingSecret not set)
- Update InnoDBCluster to use existingSecret or default secret name

The default behavior remains unchanged - if existingSecret is not set,
the chart creates the secret automatically as before (backward compatible).
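The three changes listed above (conditional Secret, InnoDBCluster reference, new values parameter) fit together as one Helm template pattern. What follows is an added illustration written for this page, not the chart templates from the pull request: the Secret key names `rootUser`, `rootHost` and `rootPassword`, the `-cluster-secret` name suffix, the `credentials.root.user`/`host` keys and the `instances` count are assumptions chosen to match mysql-operator conventions, and should be checked against the chart in use.

```yaml
# values.yaml (added example, not the PR's file)
credentials:
  root:
    user: root
    host: "%"
    # Set exactly one of the two: a literal password (rendered into a
    # chart-managed Secret, and therefore present in Git) or the name of a
    # Secret that already exists in the namespace (e.g. created by Vault or
    # the External Secrets Operator).
    password: ""
    existingSecret: ""

---
# templates/cluster_secret.yaml (added example): render the Secret only
# when no external secret was named, so the chart never creates or
# overwrites a Secret that an external system owns.
{{- if not .Values.credentials.root.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Release.Name }}-cluster-secret   # assumed naming convention
type: Opaque
stringData:
  rootUser: {{ .Values.credentials.root.user | quote }}
  rootHost: {{ .Values.credentials.root.host | quote }}
  # `required` turns the "neither value set" case into a clear render-time
  # error instead of silently producing a Secret with an empty password.
  rootPassword: {{ required "Set credentials.root.password or credentials.root.existingSecret" .Values.credentials.root.password | quote }}
{{- end }}

---
# templates/innodbcluster.yaml (added example): point the cluster at
# whichever Secret applies; `default` falls back to the chart-managed name.
apiVersion: mysql.oracle.com/v2
kind: InnoDBCluster
metadata:
  name: {{ .Release.Name }}
spec:
  secretName: {{ .Values.credentials.root.existingSecret | default (printf "%s-cluster-secret" .Release.Name) }}
  instances: 3
```

Rendering this with `helm template` and neither `password` nor `existingSecret` set fails with the `required` message, which is the behaviour the Testing section asks for; with `existingSecret` set, the rendered output contains no `kind: Secret` at all and only the InnoDBCluster reference, so a reviewer can confirm the chart is not touching the externally managed Secret by inspecting the rendered manifests. The externally created Secret must carry the same three keys the operator expects, since the chart no longer controls its shape.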

@mysql-oca-bot

Hi, thank you for submitting this pull request. In order to consider your code we need you to sign the Oracle Contribution Agreement (OCA). Please review the details and follow the instructions at https://oca.opensource.oracle.com/
Please make sure to include your MySQL bug system user (email) in the returned form.
Thanks
