Separate Secrets for HTTP Basic Auth and Cloud Credentials

[soupdiver]

I will briefly describe my scenario: On our cluster we run ArgoCD alongside Chartmuseum. They belong to the "core" services of the cluster that are needed for all further functionality. Chartmuseum hosts our private Charts and ArgoCD is responsible for CD. We want to create a Secret chartmuseum-http-auth that contains username/password for HTTP Basic Auth. ArgoCD and Chartmuseum deployments should read from that Secret to get/set credentials. This Secret would be created before Chartmuseum itself is deployed. Additionally we have to ship Cloud Credentials with the Chartmuseum deployment to access GCS/S3/etc. Those would be deployed as part of the Chartmuseum deployment.

The issue: We can not read the credentials from different Secrets. chartmuseum/templates/secret is only created if Values.env.existingSecret is not set. See: https://github.com/chartmuseum/charts/blob/main/src/chartmuseum/templates/secret.yaml#L1 In the deployment however we can only pass one secret name. See: https://github.com/chartmuseum/charts/blob/main/src/chartmuseum/templates/deployment.yaml#L92

My ideal workflow: The deployment of Chartmuseum would create the Secret containing Cloud Credentials just as it is doing now. However I want to be able to read HTTP BA credentials from a different Secret, that I was (somehow) created before the Chartmuseum deployment.

Does that make sense for anybody else as well? 😁