From 1be43df3ec5b47db0458cd4a2b0e79b1353b0b43 Mon Sep 17 00:00:00 2001 From: Jacek N Date: Fri, 10 Apr 2026 15:49:55 +0100 Subject: [PATCH 1/2] core: add support for extra volumes and secret ### What This PR will allow operators to mount an extra secret and volumes in the core and core-init containers. ### Why To allow us to run multiple validators from one StatefulSet, we need a way for each pod to use a different seed. Having the capability to use a pre-existing secret and a memory-backed empty dir will allow operators to prepare seeds in the init container and consume them in the core container. --- charts/core/Chart.yaml | 2 +- charts/core/templates/core-sts.yaml | 24 ++++++++++++++++++++++++ charts/core/values.yaml | 17 +++++++++++++++++ 3 files changed, 42 insertions(+), 1 deletion(-) diff --git a/charts/core/Chart.yaml b/charts/core/Chart.yaml index 260a6c1..b137e1a 100644 --- a/charts/core/Chart.yaml +++ b/charts/core/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: core description: This chart will deploy Stellar Core node -version: 0.7.0 +version: 0.8.0 appVersion: "26.0.1-3109.e78c97ed0.jammy" maintainers: - name: Stellar Development Foundation diff --git a/charts/core/templates/core-sts.yaml b/charts/core/templates/core-sts.yaml index e14cef1..76a1609 100644 --- a/charts/core/templates/core-sts.yaml +++ b/charts/core/templates/core-sts.yaml @@ -63,6 +63,14 @@ spec: name: {{ template "common.fullname" . }}-var-lib-stellar - mountPath: /init-scripts name: init-scripts + {{- if (.Values.core).existingSecret }} + - mountPath: {{ .Values.core.existingSecret.mountPath | default "/secret" }} + name: existing-secret + readOnly: true + {{- end }} + {{- if (.Values.core).extraVolumeMounts }} +{{ toYaml .Values.core.extraVolumeMounts | indent 8 }} + {{- end }} containers: - name: core image: {{ include "common.coreImage" . | quote }} 
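Review bot: The `mountPath` value in the added init-container mount is rendered unquoted, so an operator-supplied path containing `: `, ` #` or a leading YAML indicator yields a broken or differently typed manifest after templating. Quote the rendered value: `- mountPath: {{ .Values.core.existingSecret.mountPath | default "/secret" | quote }}`. The same line is repeated in the core-container hunk (`@@ -91,6 +99,14`), and the `secretName` line in the volumes hunk has the same gap. As a style point, `{{ toYaml .Values.core.extraVolumeMounts | indent 8 }}` at column 0 could be written `{{- toYaml .Values.core.extraVolumeMounts | nindent 8 }}` to match the `affinity` line already in this template. The init container's spec starts outside the hunk.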
@@ -91,6 +99,14 @@ spec: name: core-config - mountPath: /var/lib/stellar name: {{ template "common.fullname" . }}-var-lib-stellar + {{- if (.Values.core).existingSecret }} + - mountPath: {{ .Values.core.existingSecret.mountPath | default "/secret" }} + name: existing-secret + readOnly: true + {{- end }} + {{- if (.Values.core).extraVolumeMounts }} +{{ toYaml .Values.core.extraVolumeMounts | indent 8 }} + {{- end }} {{- if (.Values.core.coreExporter).enabled }} - name: stellar-core-prometheus-exporter image: "{{ .Values.global.image.coreExporter.registry }}/{{ .Values.global.image.coreExporter.repository }}:{{ .Values.global.image.coreExporter.tag }}" @@ -137,6 +153,14 @@ spec: configMap: name: {{ template "common.fullname" . }}-nginx {{- end }} + {{- if (.Values.core).existingSecret }} + - name: existing-secret + secret: + secretName: {{ .Values.core.existingSecret.name }} + {{- end }} + {{- if (.Values.core).extraVolumes }} +{{ toYaml .Values.core.extraVolumes | indent 6 }} + {{- end }} affinity: {{- toYaml .Values.core.affinity | nindent 8 }} {{- if .Values.core.persistence.enabled }} volumeClaimTemplates: diff --git a/charts/core/values.yaml b/charts/core/values.yaml index 9358cef..586bd1d 100644 --- a/charts/core/values.yaml +++ b/charts/core/values.yaml 
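Review bot: Mounting `existing-secret` into the long-running `core` container, in addition to the init container, gives that process read access to every key in the Secret. This appears to run against the flow in the commit description, where the init container prepares a per-pod seed and the core container consumes it from a memory-backed emptyDir. If that is the intended design, the core container only needs the `extraVolumeMounts` entry, and a Secret holding seeds for several validators should not be visible to each of them. Consider dropping this mount from the core container or gating it behind its own opt-in value; at minimum, document in `values.yaml` that the Secret is exposed in both containers. The container's `volumeMounts:` list starts outside the hunk.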
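Review bot: The `existing-secret` volume is defined with only `secretName`, so all keys of the Secret are projected with the Kubernetes default file mode (0644) and are readable by any UID inside the containers that mount it. For validator seed material, set a restrictive mode under `secret:`, for example `defaultMode: 0400`, or expose it as a value such as `{{ .Values.core.existingSecret.defaultMode | default 0400 }}`. Whether 0400 or 0440 is right depends on the pod's `runAsUser`/`fsGroup`, which are not visible here. An optional `items:` list would let operators project only the keys they need. PATCH 2/2 rewrites the `secretName` line of this same block and leaves this unchanged. The `volumes:` list starts outside the hunk.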
@@ -92,6 +92,23 @@ core: ## Uncomment to use custom service account # serviceAccountName: default + ## Mount a pre-existing Kubernetes secret into the core containers. + ## Useful for providing sensitive config such as validator seed. + # existingSecret: + # name: my-core-secret + # mountPath: /secret + + ## Extra volumes to add to the pod. + # extraVolumes: + # - name: my-extra-volume + # emptyDir: {} + + ## Extra volume mounts for the init and core containers only. + ## Not mounted in the prometheus exporter or history proxy containers. + # extraVolumeMounts: + # - name: my-extra-volume + # mountPath: /extra + ## Additional annotations or labels to add the Deployment template # annotations: # prometheus.io/scrape: "true" From 31aea5738a9322cf170d53431c6912c614818e13 Mon Sep 17 00:00:00 2001 From: jacekn Date: Fri, 10 Apr 2026 16:05:59 +0100 Subject: [PATCH 2/2] Update charts/core/templates/core-sts.yaml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- charts/core/templates/core-sts.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/core/templates/core-sts.yaml b/charts/core/templates/core-sts.yaml index 76a1609..e615439 100644 --- a/charts/core/templates/core-sts.yaml +++ b/charts/core/templates/core-sts.yaml @@ -156,7 +156,7 @@ spec: {{- if (.Values.core).existingSecret }} - name: existing-secret secret: - secretName: {{ .Values.core.existingSecret.name }} + secretName: {{ required "core.existingSecret.name is required when core.existingSecret is set" .Values.core.existingSecret.name }} {{- end }} {{- if (.Values.core).extraVolumes }} {{ toYaml .Values.core.extraVolumes | indent 6 }}
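Review bot: The `extraVolumes` example uses `emptyDir: {}`, which is backed by node disk, while the commit description describes a memory-backed empty dir for handing seeds from the init container to core. Operators tend to copy these examples verbatim, so show the tmpfs form instead: `#     emptyDir:` followed by `#       medium: Memory`. Also add a comment such as `## Use medium: Memory for volumes that hold key material so it is never written to node disk.` The `existingSecret` comment should state that the Secret is mounted read-only into both the init and core containers, and that `name` is required (PATCH 2/2 enforces this with `required`).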