
feat(helm): support Secret-backed db URL for Postgres #1363

Draft: TaylorMutch wants to merge 1 commit into main from tmutch/add-postgres-helm



@TaylorMutch
Collaborator

Summary

Add a Secret-backed OPENSHELL_DB_URL path to the Helm chart so operators can point the gateway at Postgres without putting the password in values.yaml or Helm release history.

Related Issue

N/A

Changes

  • values.yaml: new server.dbUrlSecretRef (name + key); empty name preserves the existing SQLite default.
  • templates/statefulset.yaml: when dbUrlSecretRef.name is set, drop the --db-url CLI flag and inject OPENSHELL_DB_URL via secretKeyRef.
  • ci/values-postgres.yaml: new overlay documenting the out-of-band Secret recipe and the helm upgrade -f command.
  • README.md: list the new overlay alongside cert-manager / Keycloak.

Testing

  • `mise run pre-commit` passes
  • `helm template` with defaults still emits `--db-url "sqlite:/var/openshell/openshell.db"` and no DB env var.
  • `helm template -f values.yaml -f ci/values-postgres.yaml` drops `--db-url` and emits an `OPENSHELL_DB_URL` env entry sourced from `openshell-db`.
  • End-to-end Postgres install against a real cluster (not yet run).

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (not applicable — chart-only change)

Adds server.dbUrlSecretRef so the gateway can pull OPENSHELL_DB_URL from a
Kubernetes Secret instead of taking the URL via --db-url. When the ref is
set, the StatefulSet drops the CLI flag and the URL never appears in
values.yaml or Helm release history. A ci/values-postgres.yaml overlay
documents the kubectl create secret recipe and applies the ref.
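
As an added example (not code from this PR or from the OpenShell chart), the following Python check audits a StatefulSet in `kubectl get statefulset -o json` shape for the properties the description claims: no credential-bearing URL in the container arguments, `OPENSHELL_DB_URL` sourced through a `secretKeyRef`, and no `--db-url` flag left in place next to the env var. The container name `gateway`, the Secret key `example-key`, the host name and the credentials are constructed sample values.

```python
from urllib.parse import urlsplit

ENV_NAME = "OPENSHELL_DB_URL"  # env var name taken from the PR description

def has_password(text):
    """True if any token in text is a URL carrying a password in its userinfo."""
    for token in str(text).replace("=", " ").split():
        try:
            if "://" in token and urlsplit(token.strip("\"'")).password:
                return True
        except ValueError:  # malformed URL: nothing to extract
            continue
    return False

def audit_statefulset(obj):
    """Return findings for one StatefulSet in `kubectl get -o json` shape."""
    findings = []
    pod = obj["spec"]["template"]["spec"]
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        words = c.get("command", []) + c.get("args", [])
        if any(has_password(w) for w in words):
            findings.append(f"{c['name']}: credential-bearing URL in command/args")
        has_flag = any(w.split("=")[0] == "--db-url" for w in words)
        for e in (e for e in c.get("env", []) if e.get("name") == ENV_NAME):
            ref = (e.get("valueFrom") or {}).get("secretKeyRef") or {}
            if has_password(e.get("value", "")):
                findings.append(f"{c['name']}: {ENV_NAME} is a literal with a password")
            elif "value" not in e and not (ref.get("name") and ref.get("key")):
                findings.append(f"{c['name']}: {ENV_NAME} has no secretKeyRef name/key")
            if has_flag:
                findings.append(f"{c['name']}: --db-url flag and {ENV_NAME} both set")
    return findings

def sts(container):
    """Wrap one container spec in a minimal StatefulSet (constructed sample data)."""
    return {"kind": "StatefulSet", "spec": {"template": {"spec": {"containers": [container]}}}}

# Constructed samples; container name, Secret key and credentials are made up.
DEFAULT = sts({"name": "gateway", "args": ["--db-url", "sqlite:/var/openshell/openshell.db"]})
SECRET_BACKED = sts({"name": "gateway", "args": [], "env": [{"name": ENV_NAME,
    "valueFrom": {"secretKeyRef": {"name": "openshell-db", "key": "example-key"}}}]})
LEAKY = sts({"name": "gateway",
    "args": ["--db-url=postgres://app:hunter2@db.example.internal:5432/openshell"],
    "env": [{"name": ENV_NAME, "value": "postgres://app:hunter2@db.example.internal/openshell"}]})

if __name__ == "__main__":
    for label, obj in (("default", DEFAULT), ("secret", SECRET_BACKED), ("leaky", LEAKY)):
        print(label, audit_statefulset(obj) or "ok")
```

The same function can be pointed at `helm template` output once it is converted to JSON, which catches a regression before anything reaches the cluster or the release history.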
@copy-pr-bot

copy-pr-bot Bot commented May 13, 2026

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.
