
Support fetching secrets from Vault

Open mhutter opened this issue 3 years ago • 2 comments

Some tools like ArgoCD allow you to pull some secret values from vault by setting values in manifests to something like '?{vaultkv:path/to/vault/key}'. Those references are replaced by the actual value from vault before applying the manifest to the cluster.

However, since the chart renders all secrets as base64-encoded, ArgoCD cannot detect & replace those values.

Possible fixes

  1. Don't base64-encode secret values; use stringData instead of data
  2. Allow using existing secrets so the secrets can be provided by other means. This is a common pattern in other charts, see https://github.com/minio/charts/blob/a5c84bcbad884728bff5c9c23541f936d57a13b3/minio/values.yaml#L76-L91 for an example

If this is something you want to support I could send you a PR for option 1

mhutter avatar Jun 25 '21 11:06 mhutter

Hi, what secret value do you want to replace? We also provide secret config in values.yaml. Does that config meet your use case?

ninjadq avatar Jul 08 '21 10:07 ninjadq

We want to set fields like the default admin password, HTTP secrets and similar.

In our pipeline we use helm template to render out all manifests, and then use ArgoCD to apply the manifests. ArgoCD supports fetching the actual VALUE for a secret only when it is applied to the Kubernetes API.

In order to do that, ArgoCD must be able to identify values which reference a Vault entry before applying the manifest to the cluster. And this only works when Secret values are provided as stringData as opposed to data (since the data entries are base64-encoded and ArgoCD cannot determine whether this holds a Vault reference or binary data).

mhutter avatar Jul 08 '21 12:07 mhutter
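As an added illustration of the two fixes proposed in the opening post and the stringData reasoning in the reply above, here is a Helm template fragment showing what each option looks like. It is example code, not harbor-helm's own templates; the value keys (`existingSecret`, `harborAdminPassword`, `core.secret`), the `harbor.fullname` helper, the Secret name suffix `-core` and the `?{vaultkv:...}` placeholder path are assumptions for illustration.

```yaml
# values.yaml (assumed keys, not the chart's actual defaults)
# Option 2: point at a Secret created by other means; leave empty to
# have the chart render its own.
existingSecret: ""
# Option 1: a Vault reference that must survive rendering as plaintext
# so the ArgoCD plugin can recognise and replace it at apply time.
harborAdminPassword: "?{vaultkv:path/to/vault/key}"
core:
  secret: "?{vaultkv:path/to/vault/key}"

---
# templates/secret.yaml (assumed file; illustrative only)
{{- if not .Values.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "harbor.fullname" . }}-core
type: Opaque
# stringData instead of data: the API server base64-encodes these
# values on write, so `helm template` output still carries the literal
# "?{vaultkv:...}" string. With `data:` the template would emit
#   HARBOR_ADMIN_PASSWORD: <base64 of the placeholder>
# which a manifest scanner cannot tell apart from binary content.
stringData:
  HARBOR_ADMIN_PASSWORD: {{ .Values.harborAdminPassword | quote }}
  secret: {{ .Values.core.secret | quote }}
{{- end }}

---
# templates/core-deployment.yaml (assumed excerpt): consume the Secret
# by name, whether it was rendered by the chart or supplied externally.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "harbor.fullname" . }}-core
spec:
  template:
    spec:
      containers:
        - name: core
          env:
            - name: HARBOR_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.existingSecret | default (printf "%s-core" (include "harbor.fullname" .)) }}
                  key: HARBOR_ADMIN_PASSWORD
            - name: CORE_SECRET
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.existingSecret | default (printf "%s-core" (include "harbor.fullname" .)) }}
                  key: secret
```

Note that `stringData` values are still plaintext in the rendered manifest, so a pipeline that commits `helm template` output must only ever commit the Vault references, never the resolved values. Option 2 sidesteps that entirely: when `existingSecret` is set, the chart renders no Secret at all and the pod references one provisioned out of band (for example by an external-secrets operator), which is why charts such as the minio one linked above offer it alongside inline values.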