fix(helm): resolve existing secrets for in-cluster postgresql and redis #3855

Open: wants to merge 1 commit into base: main
Conversation

saadsb20

Description 📣

This PR adds support for using existing secrets for PostgreSQL and Redis databases in the Helm chart, providing users with more flexibility in secret management.

Changes Made:

  • Added existingSecret configuration options for PostgreSQL and Redis in values.yml
  • Updated Helm templates to conditionally use existing secrets when specified
  • Maintained backward compatibility with current secret generation approach

Motivation:

Many users prefer to manage database credentials through external secret management systems (like Vault, External Secrets Operator, etc.) rather than having Helm generate them. This change allows users to reference pre-existing secrets while maintaining the current behavior as default.

Type ✨

  • Bug fix
  • New feature
  • Improvement
  • Breaking change
  • Documentation

Tests 🛠️

Testing with Existing Secrets:

  1. Create test secrets:
# Create PostgreSQL secret
kubectl create secret generic my-postgres-secret \
  --from-literal=postgres-password=mypostgresadminpassword \
  --from-literal=user-password=mypostgresuserpassword

# Create Redis secret
kubectl create secret generic my-redis-secret \
  --from-literal=redis-password=myredispassword
  2. Deploy with existing secrets:
helm install infisical ./helm-chart \
  --set postgresql.auth.existingSecret=my-postgres-secret \
  --set postgresql.auth.secretKeys.adminPasswordKey=postgres-password \
  --set postgresql.auth.secretKeys.userPasswordKey=user-password \
  --set redis.auth.existingSecret=my-redis-secret \
  --set redis.auth.existingSecretPasswordKey=redis-password
  3. Verify the deployment uses existing secrets:
# Check that pods reference the correct secrets
kubectl describe deployment infisical
kubectl get pods -o yaml | grep -A5 -B5 "secretKeyRef"

Testing Backward Compatibility:

# Deploy without specifying existing secrets (should work as before)
helm install infisical-default ./helm-chart

# Verify auto-generated secrets are created and used
kubectl get secrets | grep infisical

Configuration Examples:

# values.yml - Using existing secrets
postgresql:
  auth:
    existingSecret: "my-postgres-secret"
    secretKeys:
      adminPasswordKey: "postgres-password"
      userPasswordKey: "user-password"

redis:
  auth:
    existingSecret: "my-redis-secret"
    existingSecretPasswordKey: "redis-password"
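The following Helm template fragment is an added illustration of the conditional described in this PR; it is not the chart's own code. It assumes the values keys named in the description (postgresql.auth.existingSecret, postgresql.auth.secretKeys.*, redis.auth.existingSecret, redis.auth.existingSecretPasswordKey), a hypothetical `infisical.fullname` naming helper, the environment variable names DB_PASSWORD and REDIS_PASSWORD, and the fallback key names used when secretKeys are left unset. The point it makes is that the pod only ever carries a secretKeyRef: the credential value is never rendered into the manifest, and it is not interpolated into a shell command line, which is the safer shape regardless of whether the secret is chart-generated or externally managed.

```yaml
# Added example (not the chart's own template). Assumed helper: infisical.fullname.

# Resolve the PostgreSQL secret name: the user-supplied one if set,
# otherwise the name the chart generates itself.
{{- define "infisical.postgresql.secretName" -}}
{{- if .Values.postgresql.auth.existingSecret -}}
{{ .Values.postgresql.auth.existingSecret }}
{{- else -}}
{{ include "infisical.fullname" . }}-postgresql
{{- end -}}
{{- end }}

# Same resolution for Redis.
{{- define "infisical.redis.secretName" -}}
{{- if .Values.redis.auth.existingSecret -}}
{{ .Values.redis.auth.existingSecret }}
{{- else -}}
{{ include "infisical.fullname" . }}-redis
{{- end -}}
{{- end }}

# Pod spec fragment (Deployment and schema-migration Job alike):
# reference keys in the resolved secret; never copy the values into the chart.
# The key names fall back to assumed defaults when secretKeys are not set.
env:
  - name: DB_PASSWORD
    valueFrom:
      secretKeyRef:
        name: {{ include "infisical.postgresql.secretName" . }}
        key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey | default "password" }}
  - name: REDIS_PASSWORD
    valueFrom:
      secretKeyRef:
        name: {{ include "infisical.redis.secretName" . }}
        key: {{ .Values.redis.auth.existingSecretPasswordKey | default "redis-password" }}
```

Two checks worth keeping in mind when wiring this in: the chart's own generated Secret manifests should be wrapped in `{{- if not .Values.postgresql.auth.existingSecret }}` (and the Redis equivalent), so that an external secret is not shadowed by a chart-created one of the same name on upgrade; and `helm template ./helm-chart --set postgresql.auth.existingSecret=my-postgres-secret ... | grep -A3 secretKeyRef` confirms offline, before any install, that every reference resolves to the supplied name and key.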

@greptile-apps greptile-apps bot left a comment

PR Summary

Enhanced Helm chart to support externally managed secrets for PostgreSQL and Redis databases, enabling integration with external secret management systems like Vault or External Secrets Operator.

  • Added secure handling of existing secrets in helm-charts/infisical-standalone-postgres/templates/infisical.yaml with conditional logic for both PostgreSQL and Redis credentials
  • Modified schema migration job in schema-migration-job.yaml to properly handle secret injection when using external secrets
  • Improved Redis service naming in _helpers.tpl by adding 'redis-' prefix to prevent potential naming conflicts
  • Per Rule 2: The dynamic construction of database connection strings uses shell commands - recommend adding input validation for secret values to prevent potential command injection
  • Per Rule 1: Add validation checks for any password or secret values retrieved from external secrets before using them in connection strings

4 files reviewed, no comments

@maidul98 (Collaborator)

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)
