Skip to content

feat(helm/studio): add opt-in ExternalSecret support for AWS Secrets Manager#3418

Merged
o-pauloroberto merged 2 commits into
mainfrom
feat/external-secret-support
May 21, 2026
Merged

feat(helm/studio): add opt-in ExternalSecret support for AWS Secrets Manager#3418
o-pauloroberto merged 2 commits into
mainfrom
feat/external-secret-support

Conversation

@o-pauloroberto
Copy link
Copy Markdown
Collaborator

@o-pauloroberto o-pauloroberto commented May 21, 2026
edited
Loading

Summary

  • New template templates/externalsecret.yaml: when externalSecret.enabled=true, creates a namespace-scoped SecretStore and an ExternalSecret using dataFrom — imports all keys from the Secrets Manager JSON at once, no per-key listing required
  • templates/secret.yaml: updated condition to skip inline Secret creation when externalSecret.enabled=true
  • values.yaml: new externalSecret block, disabled by default (enabled: false)

Backward compatible — existing deployments are unaffected unless externalSecret.enabled=true is explicitly set.

Usage

externalSecret:
  enabled: true
  secretPath: "your/secret/path"
  secretStoreName: "aws-secrets-manager"
  refreshInterval: "1h"
  provider:
    aws:
      region: "us-east-1"

Test plan

  • Deploy with externalSecret.enabled=true and verify the ExternalSecret syncs and the Secret is created correctly
  • Verify that deploys without externalSecret.enabled continue to work as before

cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed May 21, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 3 files

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread deploy/helm/studio/templates/externalsecret.yaml Outdated
@o-pauloroberto
feat(helm/studio): add opt-in ExternalSecret support for AWS Secrets …
b5a99a1 
…Manager

When externalSecret.enabled=true, the chart creates a namespace-scoped
SecretStore and an ExternalSecret using dataFrom so every key in the SM
JSON becomes an env var automatically, with no per-key listing required.

Backward compatible: disabled by default.
@o-pauloroberto o-pauloroberto force-pushed the feat/external-secret-support branch from 0e5d535 to b5a99a1 Compare May 21, 2026 18:00
@o-pauloroberto
fix(helm/studio): guard ExternalSecret against secret.secretName conf…
dad6a5b 
…lict

- ExternalSecret target is now always the chart-managed name ({fullname}-secrets),
  never secret.secretName — prevents silent takeover of existing Secrets
- Validation fails if both externalSecret.enabled=true and secret.secretName are set
@o-pauloroberto o-pauloroberto merged commit 752ea3b into main May 21, 2026
14 checks passed
@o-pauloroberto o-pauloroberto deleted the feat/external-secret-support branch May 21, 2026 18:04
@o-pauloroberto o-pauloroberto mentioned this pull request May 21, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@o-pauloroberto