secrets.enabled

Author: nicktrn

hosting/k8s/helm/templates/secrets.yaml

@@ -1,4 +1,4 @@
-{{- if not .Values.secrets.existingSecret }}
+{{- if and .Values.secrets.enabled (not .Values.secrets.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata:

hosting/k8s/helm/templates/supervisor.yaml

@@ -118,11 +118,13 @@ spec:
               value: "http://{{ include "trigger-v4.fullname" . }}-webapp:{{ .Values.webapp.service.port }}"
             - name: TRIGGER_WORKER_TOKEN
               value: "file:///home/node/shared/worker_token"
+            {{- if .Values.secrets.enabled }}
             - name: MANAGED_WORKER_SECRET
               valueFrom:
                 secretKeyRef:
                   name: {{ include "trigger-v4.secretsName" . }}
                   key: managed-worker-secret
+            {{- end }}
             # Worker instance configuration
             - name: TRIGGER_WORKER_INSTANCE_NAME
               valueFrom:

hosting/k8s/helm/templates/webapp.yaml

@@ -125,6 +125,7 @@ spec:
             - name: DEFAULT_ORG_EXECUTION_CONCURRENCY_LIMIT
               value: {{ .Values.webapp.limits.defaultOrgExecutionConcurrencyLimit | quote }}
             {{- end }}
+            {{- if .Values.secrets.enabled }}
             - name: SESSION_SECRET
               valueFrom:
                 secretKeyRef:
@@ -155,6 +156,7 @@ spec:
                 secretKeyRef:
                   name: {{ include "trigger-v4.secretsName" . }}
                   key: object-store-secret-access-key
+            {{- end }}
             {{- if and .Values.webapp.internal .Values.webapp.internal.otel }}
             {{- if .Values.webapp.internal.otel.trace.exporterUrl }}
             - name: INTERNAL_OTEL_TRACE_EXPORTER_URL

hosting/k8s/helm/values.yaml

@@ -149,6 +149,11 @@ config:
 # 2. Override these values in your values.yaml or use external secret management
 # 3. Each secret must be exactly 32 hex characters (16 bytes)
 secrets:
+  # Enable/disable creation of secrets
+  # Set to false to use external secret management (Vault, Infisical, External Secrets, etc.)
+  # When disabled, use extraEnv and podAnnotations for secret injection
+  enabled: true
+
   # Name of existing secret to use instead of creating one
   # If empty, a secret will be created with the values below
   # The secret must contain the following keys: