
feat(helm): add extraObjects support for external secret management

Open · ralf157 opened this issue 2 months ago · 1 comment

Add extraObjects support for external secret management

Problem

Temporal Helm charts currently create Kubernetes Secrets inline with base64-encoded sensitive data directly in chart templates. While this works for basic deployments, it creates significant challenges in GitOps workflows where sensitive data like database passwords are stored as base64-encoded strings in Git repositories, providing minimal security since base64 is easily reversible.

Solution

Add support for extraObjects configuration to allow injecting additional Kubernetes manifests, enabling external secret management solutions like ExternalSecretOperator or SealedSecrets.

Changes

Configuration (values.yaml)

  • Added extraObjects field as an array of Kubernetes resource definitions
  • Defaults to empty array for backward compatibility

Template (templates/extra-objects.yaml)

  • New template that renders all objects from extraObjects array
  • Supports both list and map formats
  • Uses --- document separators for multi-document YAML

Documentation (README.md)

  • Added new section "Install with extraObjects for external secret management"
  • Includes examples for ExternalSecretOperator and SealedSecrets
  • Provides clear installation instructions

Tests (tests/extra_objects_test.yaml)

  • Added automated tests using helm-unittest framework
  • Tests empty extraObjects (no output)
  • Tests rendering of ConfigMap and ExternalSecret resources

Usage Examples

ExternalSecretOperator

extraObjects:
  - apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    metadata:
      name: temporal-db-secret
    spec:
      secretStoreRef:
        name: aws-secretsmanager
        kind: SecretStore
      target:
        name: temporal-default-store
        creationPolicy: Owner
      data:
      - secretKey: password
        remoteRef:
          key: prod/temporal/db
          property: password

SealedSecrets

extraObjects:
  - apiVersion: bitnami.com/v1alpha1
    kind: SealedSecret
    metadata:
      name: temporal-db-secret
    spec:
      encryptedData:
        password: <encrypted-password>
      template:
        metadata:
          name: temporal-default-store

Benefits

  • Enhanced Security: Secrets can be properly encrypted or managed externally
  • GitOps Compatibility: Supports encrypted secrets in Git repositories
  • Flexibility: Works with various secret management solutions
  • Centralized Management: Keeps secret generation logic within Helm chart context
  • Backward Compatibility: Existing deployments continue to work unchanged

Testing

  • Added automated tests covering various scenarios
  • Manual validation of template rendering
  • Verified compatibility with existing chart functionality

Related Issues

Closes #780 (GitOps secret management support)

Checklist

  • [x] Changes follow Helm chart best practices
  • [x] Documentation updated with examples
  • [x] Automated tests added
  • [x] Backward compatibility maintained
  • [x] Security considerations addressed

ralf157 · Nov 17 '25 12:11
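The issue describes templates/extra-objects.yaml only in bullet points (renders every entry, accepts a list or a map, separates documents with ---). The following is an added example of what such a template can look like; it is not the issue author's code or the Temporal chart's actual template, and the file name, the sorted-key ordering for the map form, and the tpl pass-through for string entries are assumptions. Two practitioner caveats apply regardless of the implementation: whatever lands in extraObjects is rendered verbatim into the release namespace with the installer's RBAC, so values files in a GitOps repo deserve the same review as chart templates; and an ExternalSecret or SealedSecret that targets the chart's own Secret name (the issue uses temporal-default-store) only helps if the chart is also told not to render its inline Secret of that name, otherwise two controllers fight over one object. The issue does not show that switch, so none is assumed here.

```yaml
{{- /*
templates/extra-objects.yaml (assumed name, matching the issue text).
Added example, not the Temporal chart's template.
Renders each entry of .Values.extraObjects as its own YAML document.
- list form:  extraObjects: [ {manifest}, {manifest} ]
- map form:   extraObjects: { name1: {manifest}, name2: {manifest} }
  (map entries are emitted in sorted key order so output is deterministic)
- a string entry is passed through tpl, so it may reference .Release.Name etc.
An empty or missing extraObjects renders nothing.
*/ -}}
{{- $objects := .Values.extraObjects | default list }}
{{- if kindIs "map" $objects }}
  {{- $byName := $objects }}
  {{- $objects = list }}
  {{- range $name := keys $byName | sortAlpha }}
    {{- $objects = append $objects (get $byName $name) }}
  {{- end }}
{{- end }}
{{- range $obj := $objects }}
---
{{- if kindIs "string" $obj }}
{{ tpl $obj $ }}
{{- else }}
{{ toYaml $obj }}
{{- end }}
{{- end }}
```

Render it locally before committing a values file, for example `helm template temporal ./charts/temporal -f values.yaml --show-only templates/extra-objects.yaml`, and confirm that the output contains only the CRD objects you expect and no literal base64 secret material.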

CLA assistant check
All committers have signed the CLA.

CLAassistant · Nov 17 '25 12:11
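The issue lists a helm-unittest file (tests/extra_objects_test.yaml) that checks the empty case and the rendering of ConfigMap and ExternalSecret resources. Below is an added example of such a test suite; it is not the file from the issue or from the Temporal chart. It assumes the template lives at templates/extra-objects.yaml and, for the map-form case, that the template emits entries in sorted key order; the ConfigMap content is constructed for the test.

```yaml
# tests/extra_objects_test.yaml (assumed path; added example, not the chart's own test)
suite: extra-objects template
templates:
  - templates/extra-objects.yaml
tests:
  - it: renders no documents when extraObjects is empty
    set:
      extraObjects: []
    asserts:
      - hasDocuments:
          count: 0

  - it: renders an ExternalSecret that targets the chart's Secret name
    set:
      extraObjects:
        - apiVersion: external-secrets.io/v1beta1
          kind: ExternalSecret
          metadata:
            name: temporal-db-secret
          spec:
            secretStoreRef:
              name: aws-secretsmanager
              kind: SecretStore
            target:
              name: temporal-default-store
              creationPolicy: Owner
            data:
              - secretKey: password
                remoteRef:
                  key: prod/temporal/db
                  property: password
    asserts:
      - hasDocuments:
          count: 1
      - isKind:
          of: ExternalSecret
      - equal:
          path: spec.target.name
          value: temporal-default-store
      - equal:
          path: spec.data[0].remoteRef.key
          value: prod/temporal/db

  - it: accepts the map form and renders one document per entry in key order
    set:
      extraObjects:
        a-config:                      # constructed sample object
          apiVersion: v1
          kind: ConfigMap
          metadata:
            name: temporal-extra-config
          data:
            LOG_LEVEL: info
        b-secret:
          apiVersion: bitnami.com/v1alpha1
          kind: SealedSecret
          metadata:
            name: temporal-db-secret
          spec:
            encryptedData:
              password: <encrypted-password>
            template:
              metadata:
                name: temporal-default-store
    asserts:
      - hasDocuments:
          count: 2
      - isKind:
          of: ConfigMap
        documentIndex: 0
      - isKind:
          of: SealedSecret
        documentIndex: 1
      - equal:
          path: spec.template.metadata.name
          value: temporal-default-store
        documentIndex: 1
```

Run it with `helm unittest ./charts/temporal` (the helm-unittest plugin must be installed). The second and third cases deliberately assert on the target Secret name: a typo there is the failure mode that silently leaves workloads reading the chart's inline Secret instead of the externally managed one.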