Allow setting SEQ_FIRSTRUN_ADMINPASSWORD and SEQ_FIRSTRUN_ADMINPASSWORDHASH from Kubernetes secret

[mloskot]

It would be useful if the chart supported injecting value for firstRunAdminPassword from Kubernetes Secret.

This would be useful for GitOps-managed Seq deployments, where Secret-s with passwords can be SOPS-encrypted or passwords can be imported into Secret resources from external key vaults e.g. using https://external-secrets.io

Example

Here is a Helm chart with an interesting template

https://github.com/gruntwork-io/helm-kubernetes-services/blob/099b7ceb735c60f799756ca8f8da2cb28bdc7ae1/charts/k8s-service/templates/_deployment_spec.tpl#L296-L306

which allows to specify this:

spec:
  values:
    secrets:
      seq-administrator-password:
        as: environment
        items:
          password:
            envVarName: SEQ_FIRSTRUN_ADMINPASSWORD

where seq-administrator-password is pre-existing Kubernetes secret in the same namespace where Seq will be deployed, with password data item.

I could try propose PR with such solution, if this of interest, I hope it is ;)

References

This feature request is related to #54 but it is a much simpler plain Kubernetes suggestion.

[KodrAus]

Thanks for the suggestion @mloskot 👍 This definitely seems like something we should try support. If you'd like to open a PR I'd be keen to take a look at it.

[mloskot]

@KodrAus Thanks for supporting the idea.

After further learning Seq and the role of the SEQ_FIRSTRUN_ADMINPASSWORD, I reflected on my proposal above and, AFAIU, there may be a little confusion on my end.

As https://blog.datalust.co/setting-an-initial-password-when-deploying-seq-to-docker/ explains, those

The SEQ_FIRSTRUN_* variables (..) that Seq, in Docker, will check the very first time it starts up

what is consistent with this

helm.datalust.co/charts/seq/values.yaml

Line 18 in 2101683

# Seq requires a default admin password in order to initialize a fresh container. Either

However, it looks like that SEQ_FIRSTRUN_ADMINPASSWORD password is required to be changed on the "first run" loggon to UI, isn't it?

[KodrAus]

@mloskot Ah yes that is true, but I think it's still understandable to want to treat that default password as a secret, especially if you're already managing other similar pieces of configuration in your environment that way 👍

[mloskot]

@KodrAus See #65

[mloskot]

@KodrAus Thanks for accepting this feature.
I have taken the liberty to update the PR for the sake of GitHub archives search.