feat: add valueFrom option to auth.secret (#9932)

fwa-wup · web-flow · commit 0c6a3e86cd41 · 2025-10-30T20:10:29.000-07:00
diff --git a/helm/templates/phoenix/deployment.yaml b/helm/templates/phoenix/deployment.yaml
@@ -83,9 +83,13 @@ spec:
           {{- range $authSecrets := .Values.auth.secret }}
             - name: {{ $authSecrets.key }}
               valueFrom:
+              {{- if $authSecrets.valueFrom }}
+                {{- $authSecrets.valueFrom | toYaml | nindent 16 }}
+              {{- else }}
                 secretKeyRef:
                   name: {{ $.Values.auth.name }}
                   key: {{ $authSecrets.key }}
+              {{- end }}
           {{- end }}
           {{- end }}
           {{- if and .Values.auth.oauth2.enabled .Values.auth.oauth2.providers }}
diff --git a/helm/templates/phoenix/secret.yaml b/helm/templates/phoenix/secret.yaml
@@ -9,9 +9,9 @@ type: Opaque
 data:
 {{- if .Values.auth.secret }}
 {{- range $authSecrets := .Values.auth.secret }}
-  {{- if eq $authSecrets.key "PHOENIX_DEFAULT_ADMIN_INITIAL_PASSWORD" }}
+  {{- if and (eq $authSecrets.key "PHOENIX_DEFAULT_ADMIN_INITIAL_PASSWORD") (not $authSecrets.valueFrom) }}
   {{ $authSecrets.key }}: {{ (empty $authSecrets.value | ternary $.Values.auth.defaultAdminPassword $authSecrets.value) | b64enc }}
-  {{- else }}
+  {{- else if not $authSecrets.valueFrom }}
   {{ $authSecrets.key }}: {{ $authSecrets.value | default (randAlphaNum 32) | b64enc }}
   {{- end }}
 {{- end }}
diff --git a/helm/values.yaml b/helm/values.yaml
@@ -333,6 +333,11 @@ auth:
     - key: "PHOENIX_SECRET"
       # -- Autogenerated if empty
       value: ""
+      # -- Use this for existing Secrets / Configmaps, takes precedence over auth.secret[].value
+      # valueFrom:
+      #   secretKeyRef:
+      #     name: my-secret
+      #     key: phoenix-secret-key
 
     # -- Environment variable name for the admin secret key
     - key: "PHOENIX_ADMIN_SECRET"
@@ -366,6 +371,8 @@ auth:
     # -- List of OAuth2 identity providers to configure
     # Each provider requires client_id, client_secret, and oidc_config_url
     # Optional settings include display_name, allow_sign_up, and auto_login
+    # You can also define corresponding ENVs via auth.secrets[].valueFrom to use existing secrets
+    # ENVs: PHOENIX_OAUTH2_{{ $provider_upper }}_{{ setting }}, e.g. PHOENIX_OAUTH2_GOOGLE_CLIENT_SECRET
     providers:
       # Example Google configuration:
       # google:
