feat(ddn-workspace): Add external secrets support for HashiCorp Vault#61
Merged
Conversation
Wires the ddn-workspace chart into the same secret-refresher pattern used by ndc-mongodb / ndc-snowflake-jdbc / ndc-sqlserver-jdbc, so the WORKSPACE_PASSWORD can be loaded from HashiCorp Vault (or another external secret store) instead of a Kubernetes Secret.

- Bump chart version to v2026.05.28 and common dependency to 0.0.19
- Add global.externalSecrets / global.deploySecrets toggles
- Add local externalSecrets toggle and image.tagSuffix for env-loader
- Guard templates/secrets.yaml with global.deploySecrets
- Add templates/external-secrets-config.yaml using common helper
- Document the Vault flow and example overrides in the README

Co-authored-by: Tomasz Skawinski <tom@hasura.io>
Contributor
Author
/claude-review
tomhasura
approved these changes
May 28, 2026
Storing the secret under `HASHED_PASSWORD` matches the env var name the workspace entrypoint already expects, so the custom `env:` block that remapped `WORKSPACE_PASSWORD` to `HASHED_PASSWORD` is no longer needed. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds the projected ServiceAccount token option to the example overrides, nested under hashicorp.auth where common@0.0.19 actually reads it, plus a short "How It Works" subsection describing the three things that flip on when projectedToken.enabled=true (projected volume, mount path, auto-switched jwt_path). Also bumps the example image.tag from 2.6.1 to 2.7.9 and notes the minimum chart release. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
tomhasura
approved these changes
May 29, 2026
Summary
- Wires the `ddn-workspace` chart into the same secret-refresher pattern already used by `ndc-mongodb`, `ndc-snowflake-jdbc`, and `ndc-sqlserver-jdbc`, so `WORKSPACE_PASSWORD` can be sourced from an external secret store (e.g. HashiCorp Vault) instead of a Kubernetes Secret.
- Bumps the chart version to `v2026.05.28` and the `common` dependency to `0.0.19`.
- Adds `global.externalSecrets` / `global.deploySecrets` toggles, a local `externalSecrets` block, and an `image.tagSuffix` template that appends `-env-loader` when both toggles are enabled.
- Guards `templates/secrets.yaml` with `global.deploySecrets` (in addition to the existing auth-proxy check) and adds `templates/external-secrets-config.yaml`, which renders the `common.externalsSecretsConfig` helper.
- Documents the Vault flow (… `WORKSPACE_PASSWORD`), and example overrides in the chart README.

This follows the same pattern landed in #58 / #59 for `ndc-mongodb` / `ndc-snowflake-jdbc` / `ndc-sqlserver-jdbc` — no behavior change unless `global.externalSecrets.enabled` and `externalSecrets.enabled` are both set to `true`.

Originating thread: https://prompt.ql.app/project/hasuraql/promptql-playground/thread/3c7e0165-6c4d-4e19-9a28-22405407c5dd
Test plan
- `helm template` with defaults renders identical output to the current chart (no `external-secrets-config` resource, `Secret` rendered as before).
- `helm template` with `global.externalSecrets.enabled=true`, `externalSecrets.enabled=true`, `global.deploySecrets=false` skips the `Secret`, renders the external-secrets config, and the deployment image is suffixed with `-env-loader`.
- `helm template` with `workspaceAuthProxy.enabled=true` continues to skip the `Secret` as before.
- `helm lint charts/ddn-workspace` passes.

🤖 Generated with Claude Code
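The three `helm template` scenarios in the test plan can be turned into a repeatable post-render check. The script below is an added example, not code from this PR or from the chart: the `--set` keys are exactly the ones named in the PR, and the `# Source: <chart>/<template path>` comment it keys off is what `helm template` prints above each rendered file. The release name `ws`, the `deployment.yaml` template name, the `ConfigMap` kind of the external-secrets config, the registry `example.invalid`, and the two sample manifests are assumptions constructed for the example; real chart output will differ.

```python
"""Post-render checks for the ddn-workspace external-secrets test plan.

Added example, not part of the chart or the PR. Each scenario lists the
--set overrides from the test plan (keys taken from the PR text) and the
resources the rendered manifest is expected to contain. check() inspects
a multi-document `helm template` manifest against those expectations.
"""
import re
import subprocess

# Template paths named in the PR; helm reports them in '# Source:' comments.
SECRET_SRC = "templates/secrets.yaml"
EXT_SRC = "templates/external-secrets-config.yaml"
ENV_LOADER = "-env-loader"

SCENARIOS = {
    # defaults: Secret rendered, no external-secrets config, plain image tag
    "defaults": {"set": [], "secret": True, "ext_config": False, "env_loader": False},
    # external store: Secret skipped, config rendered, image tag gets -env-loader
    "external": {
        "set": ["global.externalSecrets.enabled=true",
                "externalSecrets.enabled=true",
                "global.deploySecrets=false"],
        "secret": False, "ext_config": True, "env_loader": True,
    },
    # auth proxy: Secret skipped as before, nothing else changes
    "auth_proxy": {"set": ["workspaceAuthProxy.enabled=true"],
                   "secret": False, "ext_config": False, "env_loader": False},
}


def helm_template_cmd(scenario, chart="charts/ddn-workspace", release="ws"):
    """Build the helm invocation for a scenario (release name is assumed)."""
    cmd = ["helm", "template", release, chart]
    for kv in SCENARIOS[scenario]["set"]:
        cmd += ["--set", kv]
    return cmd


def split_docs(manifest):
    """Split helm's multi-document output on '---' separator lines."""
    return [d for d in re.split(r"^---[ \t]*$", manifest, flags=re.M) if d.strip()]


def doc_source(doc):
    """Template path from '# Source: <chart>/<path>', or None if absent."""
    m = re.search(r"^# Source:\s*[^/\s]+/(\S+)", doc, flags=re.M)
    return m.group(1) if m else None


def doc_kind(doc):
    m = re.search(r"^kind:\s*(\S+)", doc, flags=re.M)
    return m.group(1) if m else None


def image_refs(doc):
    """All container image references in a document (quoted or bare)."""
    return re.findall(r"^\s*(?:-\s+)?image:\s*[\"']?([^\"'\s]+)", doc, flags=re.M)


def check(manifest, scenario):
    """Return a list of failures (empty means the manifest matches the scenario)."""
    want = SCENARIOS[scenario]
    docs = split_docs(manifest)
    sources = {doc_source(d) for d in docs}
    failures = []
    for src, key in ((SECRET_SRC, "secret"), (EXT_SRC, "ext_config")):
        if (src in sources) != want[key]:
            failures.append(f"{src}: rendered={src in sources}, expected {want[key]}")
    images = [img for d in docs if doc_kind(d) == "Deployment" for img in image_refs(d)]
    if not images:
        failures.append("no Deployment image found")
    suffixed = any(img.endswith(ENV_LOADER) for img in images)
    if suffixed != want["env_loader"]:
        failures.append(f"{ENV_LOADER} suffix present={suffixed}, expected {want['env_loader']}")
    return failures


def run_scenario(scenario):
    """Render the chart with helm (must be on PATH) and check the result."""
    out = subprocess.run(helm_template_cmd(scenario), check=True,
                         capture_output=True, text=True).stdout
    return check(out, scenario)


# Constructed stand-ins for real `helm template` output (kinds and names assumed).
SAMPLE_EXTERNAL = """\
---
# Source: ddn-workspace/templates/external-secrets-config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ws-external-secrets-config
---
# Source: ddn-workspace/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: workspace
          image: "example.invalid/ddn-workspace:2.7.9-env-loader"
"""

SAMPLE_DEFAULTS = """\
---
# Source: ddn-workspace/templates/secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: ws-ddn-workspace
---
# Source: ddn-workspace/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: workspace
          image: example.invalid/ddn-workspace:2.7.9
"""

if __name__ == "__main__":
    for name in SCENARIOS:
        print(name, run_scenario(name) or "ok")
```

Run it from the repository root after the chart's dependencies are built; each scenario prints `ok` or the list of mismatches. Because the check keys off the `# Source:` comment rather than resource names, it stays valid if the chart renames the `Secret` or the config resource, but it will break if `helm template` is invoked with `--skip-tests` style options that strip those comments.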