Skip to content

Update Helm Chart to Use External Secrets #1798

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
jinzishuai wants to merge 4 commits into from
Closed

Update Helm Chart to Use External Secrets #1798

jinzishuai wants to merge 4 commits into from

Conversation

@jinzishuai
Copy link
Contributor

@jinzishuai jinzishuai commented Dec 30, 2025

This is one way to address #1722 and it works on my EKS environment and RDS and Google SSO.

  • It supports adding service annotations so that we could use AWS NLB
  • All Postgres secrets can be stored in AWS secrets manager and we can use External Secrets Operator to create an k8s secrets that it used by the helm chart, not limited to username/password, but also the hostname, port and db name
  • Additional secrets can be mounted via the externalSecret value which allows setting up SSO
  • Additional value of none for cache_type

This way, we don't need to store any sensitive data in plain text and becomes production ready.

@jinzishuai
feat(helm-external-secret): add external secret reference support for…
ab02eaa 
… mcpContextForge

Signed-off-by: Shi Jin <jinzishuai@gmail.com>
@jinzishuai
update schema to allow none for CACHE_TYPE
4f34cf9 
Signed-off-by: Shi Jin <jinzishuai@gmail.com>
@jinzishuai
feat(IBM#1722): add AWS NLB service annotations support and example c…
5f90cb7 
…onfig

Signed-off-by: Shi Jin <jinzishuai@gmail.com>
@jinzishuai
refactor(helm-external-secret): use secret references for postgres co…
b63b1b9 
…nnection env vars

Signed-off-by: Shi Jin <jinzishuai@gmail.com>
@crivetimihai crivetimihai self-assigned this Dec 31, 2025
@crivetimihai crivetimihai mentioned this pull request Jan 5, 2026
Open
42 tasks
@crivetimihai
Copy link
Member

crivetimihai commented Jan 5, 2026

Thank you, would this also close: [Feature Request]: Support for External Secrets via customEnvFrom #1917?

@mekedron
Copy link

mekedron commented Jan 6, 2026

Hey @jinzishuai @crivetimihai

I checked your PR and I can confirm it would close #1917

I would recommend you renaming this parameter from externalSecret to extraEnvVarsSecret, similar to Bitnami helm charts, as it's naming become a standard, and add 2 more extraEnvVars and extraEnvVarsCM

As you can see these parameters were used there for years https://github.com/bitnami/charts/tree/main/bitnami and became a standard in almost every helm chart

@crivetimihai
Copy link
Member

crivetimihai commented Jan 14, 2026

Thank you @jinzishuai for this contribution! 🙏

After reviewing this PR, I found that most of the functionality has already been implemented in the main branch since this PR was opened:

Already Implemented:

  • External PostgreSQL support: The postgres.external.* configuration now provides flexible external database support with customizable secret key mappings (hostKey, portKey, databaseKey, userKey, passwordKey)
  • External secrets injection: mcpContextForge.extraEnvFrom already allows injecting multiple secrets and configmaps

Still Valid & Useful:

  • Service annotations for LoadBalancer configuration (e.g., AWS NLB)
  • CACHE_TYPE "none" option in the schema

I'm closing this PR and will open a new, smaller PR that includes only the still-valid changes (service annotations + CACHE_TYPE "none"), with proper attribution to you as the original author.

Thank you for identifying these gaps - the service annotations feature is particularly useful for cloud deployments!

@crivetimihai
Copy link
Member

crivetimihai commented Jan 14, 2026
edited
Loading

Closing as superseded. See the comment above for details. A new PR with the still-valid changes available as #2088

crivetimihai added a commit that referenced this pull request Jan 14, 2026
@jinzishuai @crivetimihai
feat(helm): add service annotations and CACHE_TYPE none option
c3b6f42 
- Add mcpContextForge.service.annotations for LoadBalancer configuration
  (e.g., AWS NLB, GCP load balancer annotations)
- Add "none" as a valid CACHE_TYPE option in values.schema.json
  to allow disabling caching entirely

These changes were extracted from PR #1798, which was superseded by
existing implementations for external PostgreSQL and secret injection.

Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai crivetimihai mentioned this pull request Jan 14, 2026
Merged
crivetimihai added a commit that referenced this pull request Jan 14, 2026
@crivetimihai @jinzishuai
feat(helm): add service annotations and CACHE_TYPE none option (#2088)
4f7af55 
- Add mcpContextForge.service.annotations for LoadBalancer configuration
  (e.g., AWS NLB, GCP load balancer annotations)
- Add "none" as a valid CACHE_TYPE option in values.schema.json
  to allow disabling caching entirely

These changes were extracted from PR #1798, which was superseded by
existing implementations for external PostgreSQL and secret injection.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Shi Jin <jinzishuai@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@crivetimihai crivetimihai Awaiting requested review from crivetimihai crivetimihai is a code owner

Assignees

@crivetimihai crivetimihai

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jinzishuai @crivetimihai @mekedron