helm: Add support for mounting config from secret

mikemrm · mikemrm · commit 2087651b9e73 · 2025-08-24T10:17:26.000-05:00
This change allows for config files to be sourced from a secret rather than a config map as these configs may have sensitive data. In addition to being able to source the config from a secret, the `extraContainerVolumeMounts` option was added which allows for mounting additional volumes defined in `extraContainerVolumes`, such mounting a passkey file secret. This also solves the same issue in a slightly different way from pr matrix-org#962 Signed-off-by: Mike Mason <github@mikemrm.com>
diff --git a/helm/hookshot/templates/_pod.tpl b/helm/hookshot/templates/_pod.tpl
@@ -43,9 +43,10 @@ containers:
 {{- toYaml .Values.containerSecurityContext | nindent 6 }}
 {{- end }}
     volumeMounts:
-{{- if or (and (not .Values.hookshot.existingConfigMap) (.Values.hookshot.config)) (.Values.hookshot.existingConfigMap) }}
       - name: config
         mountPath: "/data"
+{{- if .Values.extraContainerVolumeMounts }}
+{{ tpl (toYaml .Values.extraContainerVolumeMounts) . | indent 6 }}
 {{- end }}
     ports:
       - name: webhook
@@ -108,9 +109,15 @@ tolerations:
 {{ toYaml . | indent 2 }}
 {{- end }}
 volumes:
+{{- if .Values.hookshot.existingConfigSecretName }}
+  - name: config
+    secret:
+      secretName: {{ .Values.hookshot.existingConfigSecretName }}
+{{- else }}
   - name: config
     configMap:
       name: {{ template "hookshot.configMapName" . }}
+{{- end }}
 {{- $root := . }}
 {{- range .Values.extraConfigmapMounts }}
   - name: {{ tpl .name $root }}
diff --git a/helm/hookshot/templates/configmap.yaml b/helm/hookshot/templates/configmap.yaml
@@ -1,5 +1,5 @@
 ---
-{{- if not .Values.hookshot.existingConfigMap }}
+{{- if not (or .Values.hookshot.existingConfigMap .Values.hookshot.existingConfigSecretName) }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
diff --git a/helm/hookshot/values.yaml b/helm/hookshot/values.yaml
@@ -101,6 +101,8 @@ tolerations: []
 # -- Affinity settings for deployment
 affinity: {}
 hookshot:
+  # -- Name of existing config Secret with valid Hookshot configuration
+  existingConfigSecretName:
   # -- Name of existing ConfigMap with valid Hookshot configuration
   existingConfigMap:
   # -- Raw Hookshot configuration. Gets templated into a YAML file and then loaded unless an existingConfigMap is specified.
