Managing Secrets via Kubernetes Secrets

The existingSecret parameter allows storing sensitive data (passwords, tokens, credentials) in Kubernetes Secrets instead of values.yaml.

When using existingSecret, Helm performs a lookup of the secret during deployment and substitutes values directly.

How It Works

  • If existingSecret is set — passwords are taken from the specified Kubernetes Secret by the corresponding key.

  • If existingSecret is not set — the value from values.yaml is used (backward compatibility is maintained).

  • If existingSecret is set but the secret is not found in the cluster — the deployment will fail with an error.

Note

The secret must exist before deployment — Helm performs a lookup during template rendering.

Components and Secret Keys

RabbitmqApp

RabbitmqApp:
  existingSecret: <secret-name>
  environments:
    username: "rabbitmqadmin"  # taken from values.yaml, not from the secret
    password: ""               # used only if existingSecret is not set

Key in secret  Field in values.yaml               Default (if both are empty)
-------------  ---------------------------------  ---------------------------
password       RabbitmqApp.environments.password  RabbitmqStrongPassword

Note

username is always taken from RabbitmqApp.environments.username; the secret does not override it.

Secret example:

apiVersion: v1
kind: Secret
metadata:
  name: my-rabbitmq-secret
type: Opaque
stringData:
  password: "StrongRabbitPassword"

EcosRegistryApp

EcosRegistryApp:
  existingSecret: <secret-name>
  environments:
    adminPassword: ""  # used only if existingSecret is not set

Key in secret   Field in values.yaml                        Default (if both are empty)
--------------  ------------------------------------------  ---------------------------
admin-password  EcosRegistryApp.environments.adminPassword  EcosRegistryStrongPassword

Secret example:

apiVersion: v1
kind: Secret
metadata:
  name: my-registry-secret
type: Opaque
stringData:
  admin-password: "StrongRegistryPassword"

EcosIdentityApp (Keycloak)

EcosIdentityApp:
  existingSecret: <secret-name>
  environments:
    password: ""  # used only if existingSecret is not set

Key in secret  Field in values.yaml                   Default (if both are empty)
-------------  -------------------------------------  ---------------------------
password       EcosIdentityApp.environments.password  VeryStrongPassword

Secret example:

apiVersion: v1
kind: Secret
metadata:
  name: my-identity-secret
type: Opaque
stringData:
  password: "StrongKeycloakPassword"

EcosProxyApp

EcosProxyApp:
  existingSecret: <secret-name>
  eisIntegration:
    clientSecret: ""  # used only if existingSecret is not set

Key in secret  Field in values.yaml                      Default (if both are empty)
-------------  ----------------------------------------  ---------------------------
client-secret  EcosProxyApp.eisIntegration.clientSecret  change-me-please

Secret example:

apiVersion: v1
kind: Secret
metadata:
  name: my-proxy-secret
type: Opaque
stringData:
  client-secret: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

EcosGatewayApp

EcosGatewayApp:
  existingSecret: <secret-name>

Key in secret        Field in values.yaml           Default (if both are empty)
-------------------  -----------------------------  ---------------------------
truststore-password  — (no direct field in values)  — (key is optional)

Note

The truststore-password key is marked as optional: true. If the key is absent from the secret, the GATEWAY_TRUSTSTORE_PASSWORD environment variable is simply not set and the deployment does not fail.

Secret example:

apiVersion: v1
kind: Secret
metadata:
  name: my-gateway-secret
type: Opaque
stringData:
  truststore-password: "strongpassword"

MongoDBApp

MongoDBApp:
  existingSecret: <secret-name>
  environments:
    username: ""   # taken from values.yaml, not from the secret
    password: ""   # used only if existingSecret is not set

Key in secret  Field in values.yaml              Default (if both are empty)
-------------  --------------------------------  ---------------------------
password       MongoDBApp.environments.password  root_user_password

Note

username is always taken from MongoDBApp.environments.username; the secret does not override it.

Secret example:

apiVersion: v1
kind: Secret
metadata:
  name: my-mongodb-secret
type: Opaque
stringData:
  password: "StrongMongoPassword"

EcosPostgresqlApp

EcosPostgresqlApp:
  existingSecret: <secret-name>
  environments:
    password: ""    # superuser password; only if existingSecret is not set
    databases:
      ecosApp:
        username: alfresco
        password: ""  # only if existingSecret is not set
      ecosFlowable:
        username: alfresco
        password: ""  # only if existingSecret is not set

Key in secret         Field in values.yaml                                            Default (if both are empty)
--------------------  --------------------------------------------------------------  ---------------------------
password              EcosPostgresqlApp.environments.password                         postgresstorngpassword
alfresco-db-password  EcosPostgresqlApp.environments.databases.ecosApp.password       alfr3sc0
flowable-db-password  EcosPostgresqlApp.environments.databases.ecosFlowable.password  alfr3sc0

Secret example:

apiVersion: v1
kind: Secret
metadata:
  name: my-postgresql-secret
type: Opaque
stringData:
  password: "StrongPostgresPassword"
  alfresco-db-password: "AlfrescoDbPassword"
  flowable-db-password: "FlowableDbPassword"

EcosMicroservicesPostgresqlApp

EcosMicroservicesPostgresqlApp:
  existingSecret: <secret-name>
  environments:
    username: ""     # postgres superuser username; not taken from the secret
    password: ""     # postgres superuser password; only if existingSecret is not set
    databases:
      ecosAppsApp:
        database: ecos_apps
        username: apps          # determines the secret key: apps-password
        password: appspassword  # only if existingSecret is not set
      ecosGatewayApp:
        username: gateway       # secret key: gateway-password
        password: gatewaypassword
      # ... and so on for each database

Password keys for each database are formed using the template ``{username}-password``:

Key in secret           username in values.yaml                                 Field in values.yaml
----------------------  ------------------------------------------------------  ---------------------------------------
postgres-password       — (superuser)                                           environments.password
apps-password           databases.ecosAppsApp.username: apps                    databases.ecosAppsApp.password
gateway-password        databases.ecosGatewayApp.username: gateway              databases.ecosGatewayApp.password
uiserv-password         databases.ecosUiservApp.username: uiserv                databases.ecosUiservApp.password
notifications-password  databases.ecosNotificationsApp.username: notifications  databases.ecosNotificationsApp.password
history-password        databases.ecosHistoryApp.username: history              databases.ecosHistoryApp.password
integrations-password   databases.ecosIntegrationsApp.username: integrations    databases.ecosIntegrationsApp.password
model-password          databases.ecosModelApp.username: model                  databases.ecosModelApp.password
reports-password        databases.ecosJiraReportsApp.username: reports          databases.ecosJiraReportsApp.password
casemodel-password      databases.ecosCasemodelApp.username: casemodel          databases.ecosCasemodelApp.password
eis-password            databases.ecosIdentityApp.username: eis                 databases.ecosIdentityApp.password
process-password        databases.ecosProcessApp.username: process              databases.ecosProcessApp.password
camunda-password        databases.ecosCamundaApp.username: camunda              databases.ecosCamundaApp.password
edi-password            databases.ecosEdiApp.username: edi                      databases.ecosEdiApp.password

Important

If username is changed in values.yaml, the key in the secret must be updated accordingly. For example, if username: myapps — the key must be myapps-password.

Secret example:

apiVersion: v1
kind: Secret
metadata:
  name: my-microservices-postgresql-secret
type: Opaque
stringData:
  postgres-password: "StrongPostgresPassword"
  apps-password: "AppsDbPassword"
  gateway-password: "GatewayDbPassword"
  uiserv-password: "UiservDbPassword"
  notifications-password: "NotificationsDbPassword"
  history-password: "HistoryDbPassword"
  integrations-password: "IntegrationsDbPassword"
  model-password: "ModelDbPassword"
  reports-password: "ReportsDbPassword"
  casemodel-password: "CasemodelDbPassword"
  eis-password: "EisDbPassword"
  process-password: "ProcessDbPassword"
  camunda-password: "CamundaDbPassword"
  edi-password: "EdiDbPassword"

EcosApp

EcosApp:
  existingSecret: <secret-name>
  environments:
    alfresco:
      ldap:
        enabled: true
        injectSyncCredentials: false        # false: the password is not taken from the secret
        injectTruststorePassphrase: false   # false: the password is not taken from the secret
    mail:
      password: ""                          # used only if existingSecret is not set
      injectPasswordFromSecret: false       # false: the password is not taken from the secret
      injectFlowablePasswordFromSecret: false
  dataSource:
    alfresco:
      password: ""   # used if EcosPostgresqlApp.enabled: false
    flowable:
      password: ""   # used if EcosPostgresqlApp.enabled: false

Key in secret               Field in values.yaml                                            Control flag                                 Default
--------------------------  --------------------------------------------------------------  -------------------------------------------  --------
alfresco-db-password        EcosPostgresqlApp.environments.databases.ecosApp.password       — (always when existingSecret is set)        alfr3sc0
                            or dataSource.alfresco.password
flowable-db-password        EcosPostgresqlApp.environments.databases.ecosFlowable.password  — (always when existingSecret is set)        alfr3sc0
                            or dataSource.flowable.password
ldap-sync-credentials       — (no direct field)                                             ldap.injectSyncCredentials: true
ldap-truststore-passphrase  — (no direct field)                                             ldap.injectTruststorePassphrase: true
mail-password               environments.mail.password                                      mail.injectPasswordFromSecret: true
flowable-mail-password      — (no direct field)                                             mail.injectFlowablePasswordFromSecret: true

Note

When injectPasswordFromSecret: true is set, the password is injected into the mail.password property (Alfresco mail). When injectFlowablePasswordFromSecret: true is set — into flowable.mail.server.password (Flowable mail). Both can be used simultaneously with different passwords.

Secret example (full):

apiVersion: v1
kind: Secret
metadata:
  name: my-ecos-app-secret
type: Opaque
stringData:
  alfresco-db-password: "AlfrescoDbPassword"
  flowable-db-password: "FlowableDbPassword"
  ldap-sync-credentials: "LdapBindPassword"
  ldap-truststore-passphrase: "strongpassword"
  mail-password: "AlfrescoMailPassword"
  flowable-mail-password: "FlowableMailPassword"

Full Configuration Example

RabbitmqApp:
  existingSecret: my-rabbitmq-secret

EcosRegistryApp:
  existingSecret: my-registry-secret

EcosIdentityApp:
  existingSecret: my-identity-secret

EcosProxyApp:
  existingSecret: my-proxy-secret

EcosGatewayApp:
  existingSecret: my-gateway-secret

MongoDBApp:
  existingSecret: my-mongodb-secret

EcosPostgresqlApp:
  existingSecret: my-postgresql-secret

EcosMicroservicesPostgresqlApp:
  existingSecret: my-microservices-postgresql-secret

EcosApp:
  existingSecret: my-ecos-app-secret
  environments:
    alfresco:
      ldap:
        enabled: true
        injectSyncCredentials: true
        injectTruststorePassphrase: false
    mail:
      injectPasswordFromSecret: true
      injectFlowablePasswordFromSecret: true
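Because Helm resolves the lookup only at render time, a missing secret or key surfaces as a failed deployment. The following pre-flight check is an added example, not chart code: it applies the key rules from the tables above (fixed keys, the {username}-password template, and the EcosApp control flags) to a values file like this one. It assumes the values file and the cluster's Secrets are already parsed into Python dicts (as yaml.safe_load would return them) and uses constructed sample data.

```python
# Added pre-flight check for the existingSecret convention on this page; it is not chart code.
FIXED_KEYS = {  # components whose secret keys do not depend on other values
    "RabbitmqApp": {"password"}, "EcosIdentityApp": {"password"},
    "MongoDBApp": {"password"}, "EcosRegistryApp": {"admin-password"},
    "EcosProxyApp": {"client-secret"}, "EcosGatewayApp": set(),  # truststore-password is optional
    "EcosPostgresqlApp": {"password", "alfresco-db-password", "flowable-db-password"},
}

def required_keys(component, cfg):
    """Keys that must be present in the component's existingSecret for these values."""
    env = cfg.get("environments", {})
    if component == "EcosMicroservicesPostgresqlApp":  # per-database keys: {username}-password
        dbs = env.get("databases", {}).values()
        return {"postgres-password"} | {f"{db['username']}-password" for db in dbs}
    if component == "EcosApp":
        ldap, mail = env.get("alfresco", {}).get("ldap", {}), env.get("mail", {})
        gated = {  # key in secret -> control flag that makes it required
            "ldap-sync-credentials": ldap.get("injectSyncCredentials"),
            "ldap-truststore-passphrase": ldap.get("injectTruststorePassphrase"),
            "mail-password": mail.get("injectPasswordFromSecret"),
            "flowable-mail-password": mail.get("injectFlowablePasswordFromSecret"),
        }
        return {"alfresco-db-password", "flowable-db-password"} | {k for k, on in gated.items() if on}
    return set(FIXED_KEYS[component])

def check_values(values, secrets):
    """Return problems that would make rendering fail; [] means every lookup resolves.
    values: parsed values.yaml; secrets: Secret name -> set of keys in its data/stringData."""
    problems = []
    for component, cfg in values.items():
        name = cfg.get("existingSecret")
        if not name:
            continue  # no lookup: the chart falls back to values.yaml
        if name not in secrets:
            problems.append(f"{component}: secret '{name}' not found")
            continue
        for key in sorted(required_keys(component, cfg) - secrets[name]):
            problems.append(f"{component}: secret '{name}' lacks key '{key}'")
    return problems

# Constructed sample: two Secrets as read from the cluster; "rabbit" is deliberately absent.
SAMPLE_SECRETS = {"ms-pg": {"postgres-password", "apps-password"},
                  "ecos-app": {"alfresco-db-password", "flowable-db-password"}}
SAMPLE_VALUES = {
    "EcosMicroservicesPostgresqlApp": {"existingSecret": "ms-pg", "environments": {"databases": {
        "ecosAppsApp": {"username": "apps"}, "ecosGatewayApp": {"username": "gateway"}}}},
    "EcosApp": {"existingSecret": "ecos-app", "environments": {"mail": {"injectPasswordFromSecret": True}}},
    "RabbitmqApp": {"existingSecret": "rabbit"},
}
```

Running check_values(SAMPLE_VALUES, SAMPLE_SECRETS) reports the missing gateway-password and mail-password keys and the absent rabbit secret, each of which would otherwise abort the Helm release.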