feat(helm/studio): add opt-in ExternalSecret support for AWS Secrets Manager

deploy/helm/studio/templates/_helpers.tpl

@@ -178,6 +178,18 @@ Validate OTel collector/S3 configuration.
 {{- end }}
 {{- end }}
 
+{{/*
+Validates ExternalSecret configuration.
+*/}}
+{{- define "chart-deco-studio.validateExternalSecret" -}}
+{{- if and .Values.externalSecret.enabled .Values.secret.secretName }}
+{{- fail "chart-deco-studio: externalSecret.enabled=true and secret.secretName are mutually exclusive — remove secret.secretName when using ExternalSecret" -}}
+{{- end }}
+{{- if and .Values.externalSecret.enabled (not .Values.externalSecret.secretPath) }}
+{{- fail "chart-deco-studio: externalSecret.secretPath is required when externalSecret.enabled=true" -}}
+{{- end }}
+{{- end }}
+
 {{/*
 Formats OTEL headers map as key=value,key2=value2 format.
 */}}

deploy/helm/studio/templates/externalsecret.yaml

@@ -0,0 +1,35 @@
+{{- if .Values.externalSecret.enabled }}
+---
+apiVersion: external-secrets.io/v1
+kind: SecretStore
+metadata:
+  name: {{ .Values.externalSecret.secretStoreName }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "chart-deco-studio.labels" . | nindent 4 }}
+spec:
+  provider:
+    aws:
+      service: SecretsManager
+      region: {{ .Values.externalSecret.provider.aws.region }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "chart-deco-studio.fullname" . }}-secrets
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "chart-deco-studio.labels" . | nindent 4 }}
+spec:
+  refreshInterval: {{ .Values.externalSecret.refreshInterval | quote }}
+  secretStoreRef:
+    name: {{ .Values.externalSecret.secretStoreName }}
+    kind: SecretStore
+  target:
+    name: {{ include "chart-deco-studio.fullname" . }}-secrets
+    creationPolicy: Owner
+    deletionPolicy: Retain
+  dataFrom:
+    - extract:
+        key: {{ .Values.externalSecret.secretPath }}
+{{- end }}

deploy/helm/studio/templates/secret.yaml

@@ -1,4 +1,4 @@
-{{- if not .Values.secret.secretName }}
+{{- if and (not .Values.secret.secretName) (not .Values.externalSecret.enabled) }}
 apiVersion: v1
 kind: Secret
 metadata:

deploy/helm/studio/templates/validations.yaml

@@ -3,4 +3,5 @@ This file only runs chart-level validations and renders no resources.
 */ -}}
 {{- include "chart-deco-studio.validate" . -}}
 {{- include "chart-deco-studio.validateOtel" . -}}
+{{- include "chart-deco-studio.validateExternalSecret" . -}}
 

deploy/helm/studio/values.yaml

@@ -74,6 +74,20 @@ secret:
   # Generate with: openssl rand -base64 32
   ENCRYPTION_KEY: ""
 
+# ExternalSecret — pull all values from AWS Secrets Manager via external-secrets operator.
+# When enabled, creates a namespace-scoped SecretStore and an ExternalSecret using dataFrom
+# so every key in the SM JSON becomes an env var automatically.
+# Requires: external-secrets operator installed on the cluster.
+# Incompatible with: secret.secretName (both reference the same target Secret name).
+externalSecret:
+  enabled: false
+  # secretPath: ""  # Required when enabled. SM secret key path.
+  secretStoreName: "aws-secrets-manager"
+  refreshInterval: "1h"
+  provider:
+    aws:
+      region: "sa-east-1"
+
 volumes: []
 # - name: foo
 #   secret: