Prevent garm db passphrase regeneration on redeployment

2025-12-22 10:29:24 +01:00 · 2025-12-22 10:29:24 +01:00 · b46e1d03b5
commit b46e1d03b5
parent 8e6647a86f
2 changed files with 19 additions and 4 deletions
--- a/charts/garm/templates/_credentials.tpl
+++ b/charts/garm/templates/_credentials.tpl
@ -44,10 +44,9 @@ Get Gitea token - either user-provided or generated
 {{- end -}}

 {{- define "garm.dbPassphrase" -}}
-{{- $secret := lookup "v1" "Secret" .Release.Namespace (printf "%s-config" ( include "garm.fullname" . )) -}}
-{{- if and $secret ((fromToml (index $secret.data "config.toml" | b64dec)).database.passphrase) -}}
-{{- $another := fromToml (index $secret.data "config.toml" | b64dec) -}}
-{{ $another.database.passphrase }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace (printf "%s-db-credentials" ( include "garm.fullname" . )) -}}
+{{- if and $secret (index $secret.data "passphrase" | b64dec) -}}
+{{- (index $secret.data "passphrase" | b64dec) -}}
 {{- else -}}
 {{- include "garm.randomString" . -}}
 {{- end -}}
--- a/charts/garm/templates/secrets.yaml
+++ b/charts/garm/templates/secrets.yaml
@ -14,6 +14,22 @@ stringData:
  GARM_URL: {{ printf "https://%s" (index .Values.ingress.hosts 0).host | quote }}
  GIT_URL: {{ .Values.credentials.gitea.url | quote }}
 ---
+{{- $secretName := printf "%s%s" (include "garm.fullname" .)  "-db-credentials" -}}
+{{- $secretExists := lookup "v1" "Secret" .Release.Namespace $secretName -}}
+
+{{- if not $secretExists -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-weight": "-5"
+stringData:
+  passphrase: {{- include "garm.randomString" . -}}
+{{- end -}}
+---
 apiVersion: v1
 kind: Secret
 metadata: