prevent Postgres secret from being overwritten on upgrade (#105)

wojcik91 · web-flow · commit 40e8062bb777 · 2025-10-22T10:56:37.000+02:00
* prevent postgres secret from being overwritten

* bump version

* add helm annotations to remaining secrets
diff --git a/charts/defguard/Chart.yaml b/charts/defguard/Chart.yaml
@@ -3,7 +3,7 @@ name: defguard
 description: Defguard is an open-source enterprise WireGuard VPN with MFA and SSO
 
 type: application
-version: 0.13.0
+version: 0.13.1
 appVersion: 1.5.2
 
 dependencies:
diff --git a/charts/defguard/templates/defguard-secret.yaml b/charts/defguard/templates/defguard-secret.yaml
@@ -16,6 +16,8 @@ metadata:
   name: {{ include "defguard.jwtSecretName" . }}
   labels:
     {{- include "defguard.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/resource-policy": keep
 type: Opaque
 data:
   auth: {{ $auth }}
diff --git a/charts/defguard/templates/openid-secret.yaml b/charts/defguard/templates/openid-secret.yaml
@@ -10,6 +10,8 @@ metadata:
   name: {{ include "defguard.openidSecretName" . }}
   labels:
     {{- include "defguard.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/resource-policy": keep
 type: Opaque
 data:
   openid-key: {{ $openIdKey }}
diff --git a/charts/defguard/templates/postgresql-secret.yaml b/charts/defguard/templates/postgresql-secret.yaml
@@ -1,19 +1,19 @@
 {{ if .Values.postgresql.enabled }}
-{{- $password := (randAlpha 16) | b64enc | quote }}
-{{- $postgresPassword := (randAlpha 16) | b64enc | quote }}
-{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.postgresql.auth.existingSecret) }}
-{{- if $secret }}
-{{- $password = index $secret.data "password" }}
-{{- $postgresPassword = index $secret.data "postgres-password" }}
-{{- end }}
+{{- $secretName := .Values.postgresql.auth.existingSecret | default (printf "%s-postgresql" .Release.Name) }}
+{{- $existingSecret := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
+
+{{- if not $existingSecret }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.postgresql.auth.existingSecret }}
+  name: {{ $secretName }}
   labels:
     {{- include "defguard.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/resource-policy": keep
 type: Opaque
 data:
-  password: {{ $password }}
-  postgres-password: {{ $postgresPassword }}
+  password: {{ randAlpha 16 | b64enc | quote }}
+  postgres-password: {{ randAlpha 16 | b64enc | quote }}
+{{- end }}
 {{- end }}
