From f67bff59c350a3e0a9d873fa0154df50bf4ff55c Mon Sep 17 00:00:00 2001
From: Johannes Kirchner <124351955+johannes-kirchner@users.noreply.github.com>
Date: Sun, 26 Apr 2026 12:52:21 +0200
Subject: [PATCH] feat: add environment variables and secrets to statefulset
 and deployment (#644)

* feat: add environment variables and secrets to statefulset

* feat: add env and envFromSecrets to deplyoment container
---
 helm/opengist/templates/deployment.yaml  | 13 +++++++++++++
 helm/opengist/templates/statefulset.yaml | 13 +++++++++++++
 helm/opengist/values.yaml                |  7 +++++++
 3 files changed, 33 insertions(+)

diff --git a/helm/opengist/templates/deployment.yaml b/helm/opengist/templates/deployment.yaml
index faf619f..c9b3d25 100644
--- a/helm/opengist/templates/deployment.yaml
+++ b/helm/opengist/templates/deployment.yaml
@@ -63,6 +63,19 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if or .Values.deployment.env .Values.deployment.envFromSecrets }}
+          env:
+          {{- if .Values.deployment.env }}
+            {{- toYaml .Values.deployment.env | nindent 12 }}
+          {{- end }}
+          {{- range .Values.deployment.envFromSecrets }}
+            - name: {{ .name }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .secretName }}
+                  key: {{ .secretKey }}
+          {{- end }}
+          {{- end }}
           ports:
             - name: http
               containerPort: {{ .Values.service.http.port }}
diff --git a/helm/opengist/templates/statefulset.yaml b/helm/opengist/templates/statefulset.yaml
index a5564c0..2441fe4 100644
--- a/helm/opengist/templates/statefulset.yaml
+++ b/helm/opengist/templates/statefulset.yaml
@@ -131,6 +131,19 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if or .Values.deployment.env .Values.deployment.envFromSecrets }}
+          env:
+          {{- if .Values.deployment.env }}
+            {{- toYaml .Values.deployment.env | nindent 12 }}
+          {{- end }}
+          {{- range .Values.deployment.envFromSecrets }}
+            - name: {{ .name }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .secretName }}
+                  key: {{ .secretKey }}
+          {{- end }}
+          {{- end }}
           ports:
             - name: http
               containerPort: {{ .Values.service.http.port }}
diff --git a/helm/opengist/values.yaml b/helm/opengist/values.yaml
index a6a8afe..c2cea85 100644
--- a/helm/opengist/values.yaml
+++ b/helm/opengist/values.yaml
@@ -258,6 +258,13 @@ autoscaling:
 ## Additional deployment configuration
 deployment:
   env: []
+  ## Load environment variables from specific secret keys
+  ## Each entry creates an env.valueFrom.secretKeyRef in the container spec
+  ## ref: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables
+  envFromSecrets: []
+  # - name: OG_OIDC_SECRET
+  #   secretName: opengist-oidc-client-secret
+  #   secretKey: client_secret
   terminationGracePeriodSeconds: 60
   labels: {}
   annotations: {}