From d1c3d681013146fdac8564bdeb99535960cded4b Mon Sep 17 00:00:00 2001
From: Cristian Gutierrez
Date: Thu, 11 Dec 2025 13:19:06 +0100
Subject: [PATCH 1/2] Add support for existing secrets in Helm chart

Enable users to reference an existing Kubernetes secret for root credentials instead of requiring password in values.yaml. This allows integration with external secret management solutions for production and GitOps workflows.

Changes:
- Add credentials.root.existingSecret parameter to values.yaml
- Make cluster secret creation conditional (only when existingSecret not set)
- Update InnoDBCluster to use existingSecret or default secret name

The default behavior remains unchanged - if existingSecret is not set, the chart creates the secret automatically as before (backward compatible).
---
 .../templates/cluster_secret.yaml | 7 +++--
 .../templates/deployment_cluster.yaml | 2 +-
 helm/mysql-innodbcluster/values.yaml | 30 ++++++++++++++++---
 3 files changed, 32 insertions(+), 7 deletions(-)

diff --git a/helm/mysql-innodbcluster/templates/cluster_secret.yaml b/helm/mysql-innodbcluster/templates/cluster_secret.yaml
index ab6c97b0..f9ed3145 100644
--- a/helm/mysql-innodbcluster/templates/cluster_secret.yaml
+++ b/helm/mysql-innodbcluster/templates/cluster_secret.yaml
@@ -1,10 +1,13 @@
-{{- $cluster_name := default "mycluster" .Release.Name }}
+{{- $cluster_name := default "mycluster" .Release.Name }}
+{{- if not .Values.credentials.root.existingSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ $cluster_name }}-cluster-secret
   namespace: {{ .Release.Namespace }}
+type: Opaque
 stringData:
   rootUser: {{ .Values.credentials.root.user | default "root" | quote }}
   rootHost: {{ .Values.credentials.root.host | default "%%" | quote }}
-  rootPassword: {{ required "credentials.root.password is required" .Values.credentials.root.password | quote }}
+  rootPassword: {{ required "credentials.root.password is required when credentials.root.existingSecret is not set" .Values.credentials.root.password | quote }}
+{{- end }}
diff --git a/helm/mysql-innodbcluster/templates/deployment_cluster.yaml b/helm/mysql-innodbcluster/templates/deployment_cluster.yaml
index 86a54834..70dc7a9a 100644
--- a/helm/mysql-innodbcluster/templates/deployment_cluster.yaml
+++ b/helm/mysql-innodbcluster/templates/deployment_cluster.yaml
@@ -69,7 +69,7 @@ spec:
   {{- end }}
   tlsSecretName: {{ $secret_name }}
   {{- end }}
-  secretName: {{ .Release.Name }}-cluster-secret
+  secretName: {{ .Values.credentials.root.existingSecret | default (printf "%s-cluster-secret" .Release.Name) }}
   imagePullPolicy : {{ .Values.image.pullPolicy }}
   baseServerId: {{ required "baseServerId is required" .Values.baseServerId | toString | atoi }}
   version: {{ .Values.serverVersion | default .Chart.AppVersion }}
diff --git a/helm/mysql-innodbcluster/values.yaml b/helm/mysql-innodbcluster/values.yaml
index 8548ea0a..598e76f4 100644
--- a/helm/mysql-innodbcluster/values.yaml
+++ b/helm/mysql-innodbcluster/values.yaml
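Review bot: Nothing in cluster_secret.yaml records which keys a referenced secret must provide, so the new `{{- if not .Values.credentials.root.existingSecret }}` guard reads as dropping the whole Secret for no visible reason, and the only statement of the contract lives in a values.yaml comment that can drift. A one-line template comment right after the guard, such as `{{/* Not rendered when credentials.root.existingSecret is set; that secret must carry the same rootUser, rootHost and rootPassword keys as below */}}`, keeps the key names next to the code that emits them. Separately, the first line is removed and re-added with identical content as far as the diff shows, which suggests a line-ending or trailing-whitespace difference; normalizing that on its own would keep this hunk limited to the intended change.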
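Review bot: The new `secretName` line derives its fallback from `.Release.Name` alone, while cluster_secret.yaml in the same commit names the Secret it creates from `$cluster_name := default "mycluster" .Release.Name`; the two agree only because Helm always supplies a release name, so if the `"mycluster"` fallback ever applies the cluster will reference a Secret that was not created. The value is also emitted without `| quote`, unlike the stringData entries in cluster_secret.yaml, so an existingSecret name that YAML types as a non-string (an all-digit name, for instance) would reach the API as something other than a string. Both are addressed by `secretName: {{ .Values.credentials.root.existingSecret | default (printf "%s-cluster-secret" (default "mycluster" .Release.Name)) | quote }}`. The enclosing InnoDBCluster spec starts and ends outside the hunk.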
@@ -9,12 +9,34 @@ image:
 
 credentials:
   root:
-    user: root
-# password: sakila
-    host: "%"
+    # Option 1: Provide credentials directly (chart will create a secret)
+    # Only used when existingSecret is not set
+    #user: root
+    #host: "%%"
+    #password: "test"
+
+    # Option 2: Reference an existing Kubernetes secret (recommended for production/GitOps)
+    # When set, user/host/password above are ignored and the chart will not create a secret.
+    #
+    # The referenced secret must contain these keys:
+    # - rootUser: MySQL root username (e.g., "root")
+    # - rootHost: MySQL root host pattern (e.g., "%%")
+    # - rootPassword: MySQL root password
+    #
+    # Example secret:
+    # apiVersion: v1
+    # kind: Secret
+    # metadata:
+    # name: mysql-root-credentials
+    # type: Opaque
+    # stringData:
+    # rootUser: root
+    # rootHost: "%%"
+    # rootPassword: "my-secure-password"
+    existingSecret: "vault-mysql-credentials"
 
 tls:
-  useSelfSigned: false
+  useSelfSigned: true
 # caSecretName:
 # serverCertAndPKsecretName:
 # routerCertAndPKsecretName: # our use router.certAndPKsecretName
From 3888cc2594096893702bf090acd65f7ce5488e45 Mon Sep 17 00:00:00 2001
From: Cristian Gutierrez
Date: Thu, 11 Dec 2025 14:35:55 +0100
Subject: [PATCH 2/2] fix: default values in credentials configuration

---
 helm/mysql-innodbcluster/values.yaml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/helm/mysql-innodbcluster/values.yaml b/helm/mysql-innodbcluster/values.yaml
index 598e76f4..13d64435 100644
--- a/helm/mysql-innodbcluster/values.yaml
+++ b/helm/mysql-innodbcluster/values.yaml
@@ -11,9 +11,10 @@ credentials:
   root:
     # Option 1: Provide credentials directly (chart will create a secret)
     # Only used when existingSecret is not set
-    #user: root
-    #host: "%%"
-    #password: "test"
+    user: root
+    password: sakila
+    host: "%"
+
 
     # Option 2: Reference an existing Kubernetes secret (recommended for production/GitOps)
     # When set, user/host/password above are ignored and the chart will not create a secret.
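Review bot: The new commentary gives two different spellings for the same field without saying which one the operator expects: the removed live default was `host: "%"`, the Option 1 sample writes `#host: "%%"`, and the documented secret keys and example Secret both say `rootHost: "%%"`, while cluster_secret.yaml's own fallback is `default "%%"`. Unless something outside this diff un-escapes the value, whichever form is wrong ends up verbatim in the root account's host pattern, and a user copying the example Secret has no way to tell. The example block survives the follow-up commit, so the comment should name one form and, if `"%%"` is the intended one, say why it differs from the `"%"` the live default uses, e.g. `# rootHost: MySQL root host pattern; use "%" for any host unless the operator documents otherwise`.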
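Review bot: `password: sakila` becomes a live default in this hunk, so the `required "credentials.root.password is required ..."` guard in cluster_secret.yaml never fires for an install that does not override it, and every such cluster is created with the same well-known root password; before this series the same value was only a commented-out hint (`# password: sakila`) and the guard did the enforcing. Keeping it commented, `# password: sakila`, preserves the property that an explicit password or `existingSecret` is mandatory, which is also what the Option 1 comment above implies. As a smaller point, the sample now lists `user`, `password`, `host` while the documented secret keys and the template read user, host, password; matching that order makes the two easier to compare.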
@@ -33,10 +34,11 @@ credentials:
     # rootUser: root
     # rootHost: "%%"
     # rootPassword: "my-secure-password"
-    existingSecret: "vault-mysql-credentials"
+
+    # existingSecret: ""
 
 tls:
-  useSelfSigned: true
+  useSelfSigned: false
 # caSecretName:
 # serverCertAndPKsecretName:
 # routerCertAndPKsecretName: # our use router.certAndPKsecretName