From 45daca19810489b465c9b3072170129a3ec05827 Mon Sep 17 00:00:00 2001
From: Joao Andrade
Date: Mon, 9 Aug 2021 12:09:31 +0100
Subject: [PATCH] Add support for external s3 secrets
---
 README.md | 1 +
 templates/deployment.yaml | 6 +++---
 values.yaml | 2 ++
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 47f9a7b..440667d 100644
--- a/README.md
+++ b/README.md
@@ -64,6 +64,7 @@ their default values.
 | `secrets.htpasswd` | Htpasswd authentication | `nil` |
 | `secrets.s3.accessKey` | Access Key for S3 configuration | `nil` |
 | `secrets.s3.secretKey` | Secret Key for S3 configuration | `nil` |
+| `secrets.s3.secretRef` | The ref for an external secret containing the accessKey and secretKey keys | `""` |
 | `secrets.swift.username` | Username for Swift configuration | `nil` |
 | `secrets.swift.password` | Password for Swift configuration | `nil` |
 | `haSharedSecret` | Shared secret for Registry | `nil` |
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
index b9b33ae..d3ea7af 100644
--- a/templates/deployment.yaml
+++ b/templates/deployment.yaml
@@ -110,16 +110,16 @@ spec:
 name: {{ template "docker-registry.fullname" . }}-secret
 key: azureContainer
 {{- else if eq .Values.storage "s3" }}
- {{- if and .Values.secrets.s3.secretKey .Values.secrets.s3.accessKey }}
+ {{- if or (and .Values.secrets.s3.secretKey .Values.secrets.s3.accessKey) .Values.secrets.s3.secretRef }}
 - name: REGISTRY_STORAGE_S3_ACCESSKEY
 valueFrom:
 secretKeyRef:
- name: {{ template "docker-registry.fullname" . }}-secret
+ name: {{ if .Values.secrets.s3.secretRef }}{{ .Values.secrets.s3.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }}
 key: s3AccessKey
 - name: REGISTRY_STORAGE_S3_SECRETKEY
 valueFrom:
 secretKeyRef:
- name: {{ template "docker-registry.fullname" . }}-secret
+ name: {{ if .Values.secrets.s3.secretRef }}{{ .Values.secrets.s3.secretRef }}{{ else }}{{ template "docker-registry.fullname" . }}-secret{{ end }}
 key: s3SecretKey
 {{- end }}
 - name: REGISTRY_STORAGE_S3_REGION
diff --git a/values.yaml b/values.yaml
index 11470f0..39a42b4 100644
--- a/values.yaml
+++ b/values.yaml
@@ -76,7 +76,9 @@ secrets:
 # accountKey: ""
 # container: ""
 # Secrets for S3 access and secret keys
+# Use a secretRef with keys (accessKey, secretKey) for secrets stored outside the chart
 # s3:
+# secretRef: ""
 # accessKey: ""
 # secretKey: ""
 # Secrets for Swift username and password
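Review bot: The two `secretKeyRef` entries in templates/deployment.yaml still read `key: s3AccessKey` and `key: s3SecretKey`, while the new README row and the values.yaml comment tell users the external secret holds `accessKey` and `secretKey`. A secret built to that description would lack the keys the pod references, so the registry container would fail to start until the names are reconciled. Correcting the documentation is the smaller change, e.g. `# Use a secretRef to an existing Secret with keys (s3AccessKey, s3SecretKey) for secrets stored outside the chart`, with the README row worded to match. Separately, when `secretRef` and the inline `accessKey`/`secretKey` are both set, the ref wins without any notice; whether the chart's own Secret template still renders the inline keys is outside this diff and is worth checking so that unused credentials do not end up stored in the release.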