From 618e287ff0aee99754ccdb55ba716c0302c9c537 Mon Sep 17 00:00:00 2001
From: Xavier Rakotomamonjy <xavier.rakotomamonjy@camptocamp.com>
Date: Mon, 17 Nov 2025 14:24:36 +0100
Subject: [PATCH] feat(charts): pick key from k8s secrets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Léo Depriester <leo.depriester@camptocamp.com>
---
 contrib/charts/bivac/templates/deployment.yaml | 10 ++++++++++
 contrib/charts/bivac/values.yaml               | 18 ++++++++++++++----
 2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/contrib/charts/bivac/templates/deployment.yaml b/contrib/charts/bivac/templates/deployment.yaml
index aa3bbd4e..f7407e9e 100644
--- a/contrib/charts/bivac/templates/deployment.yaml
+++ b/contrib/charts/bivac/templates/deployment.yaml
@@ -53,12 +53,22 @@ spec:
             - name: RESTIC_PASSWORD
               {{- if .Values.resticPassword }}
               value: {{ .Values.resticPassword }}
+              {{- else if .Values.resticPasswordFromSecret }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.resticPasswordFromSecret.name }}
+                  key: {{ .Values.resticPasswordFromSecret.key }}
               {{- else }}
               value: {{ randAlphaNum 15 }}
               {{- end }}
             - name: BIVAC_SERVER_PSK
               {{- if .Values.serverPSK }}
               value: {{ .Values.serverPSK }}
+              {{- else if .Values.serverPSKFromSecret }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.serverPSKFromSecret.name }}
+                  key: {{ .Values.serverPSKFromSecret.key }}
               {{- else }}
               value: {{ randAlphaNum 15 }}
               {{- end }}
diff --git a/contrib/charts/bivac/values.yaml b/contrib/charts/bivac/values.yaml
index e3f279a4..0f891d66 100644
--- a/contrib/charts/bivac/values.yaml
+++ b/contrib/charts/bivac/values.yaml
@@ -22,14 +22,24 @@ watchAllNamespaces: true
 targetURL: ""
 
 ## Password used by Restic to encrypt the backups
-# If left empty, a generated one will be used
-#
+# Use `resticPassword` to set password as a raw string.
+# Use `resticPasswordFromSecret` to use a password stored in a Secret.
+# If those values are null/empty, a random password will be generated.
 resticPassword: ""
+resticPasswordFromSecret: ""
+#resticPasswordFromSecret: 
+#  name: secret_name
+#  key: key_name
 
 ## Pre-shared key which protect the Bivac server
-# If left empty, a generated one will be used
-#
+# Use `resticPassword` to set password as a raw string.
+# Use `resticPasswordFromSecret` to use a password stored in a Secret.
+# If those values are null/empty, a random password will be generated.
 serverPSK: ""
+serverPSKFromSecret: ""
+#serverPSKFromSecret: 
+#  name: secret_name
+#  key: key_name
 
 ## Additional environment variables
 #