Objective
Modify the Leantime Helm chart under helm/leantime/ to support sourcing the session cookie encryption password from an existing Secret.
Requirements:
- Backwards compatible:
  - If `app.session.existingSecret.name` is set → the chart uses that secret/key.
  - Else → the chart uses the current behavior (`app.session.password`) and (if the chart currently generates a Secret) keeps doing so.
- No secret values committed to Git.
- Works with the 1Password Operator creating the Secret in the target namespace before the Helm release.
Implementation steps
1) Update values.yaml schema
Edit helm/leantime/values.yaml to introduce new values under app.session:
- `existingSecret` object: `name` (string, default `""`), `key` (string, default `"session-password"`)
Keep the existing `password` field for fallback/back-compat, but update comments to strongly discourage committing it.
Add this block:
```yaml
app:
  session:
    existingSecret:
      name: ""
      key: "session-password"
    password: ""
```
Also update your existing documentation/comments nearby to state:
- Use `existingSecret` for production / GitOps. `password` is only for quick local testing.
2) Identify where the session password is currently wired
In helm/leantime/templates/, locate where `app.session.password` is used. It will be in one of:
- deployment.yaml env var `LEAN_SESSION_PASSWORD` (or similar), or
- a generated Secret template + envFrom, or
- a configmap/secret volume mount
Copilot must:
- Search for `session.password` usage:
  `rg -n "session\.password|LEAN_SESSION|password.*session" helm/leantime/templates`
- Confirm the exact env var name the app expects (don't guess).
3) Add helper template functions
Create or update helm/leantime/templates/_helpers.tpl with helper functions to resolve:
- the secret name to use
- the secret key to use
Add:
```
{{- define "leantime.sessionSecretName" -}}
{{- if .Values.app.session.existingSecret.name -}}
{{- .Values.app.session.existingSecret.name -}}
{{- else -}}
{{- include "leantime.fullname" . -}}
{{- end -}}
{{- end -}}

{{- define "leantime.sessionSecretKey" -}}
{{- if .Values.app.session.existingSecret.key -}}
{{- .Values.app.session.existingSecret.key -}}
{{- else -}}
session-password
{{- end -}}
{{- end -}}
```
Notes:
- `include "leantime.fullname"` must match whatever the chart uses today for its generated Secret naming. If it currently uses a different name (e.g., `{{ include "leantime.fullname" . }}-app`), use that instead. Copilot must align to the existing naming.
4) Adjust Secret template generation logic (if chart generates a Secret today)
If the chart has a templates/secret.yaml (or similar) that currently includes the session password:
Change it so the chart only generates the session secret when NOT using existingSecret.
Pattern:
```yaml
{{- if not .Values.app.session.existingSecret.name }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "leantime.sessionSecretName" . }}
type: Opaque
data:
  {{ include "leantime.sessionSecretKey" . }}: {{ required "app.session.password is required when app.session.existingSecret.name is empty" .Values.app.session.password | b64enc }}
{{- end }}
```
Key requirements:
- Use `required` so Helm fails fast if neither `existingSecret.name` nor `password` is provided.
- Use the key returned by `leantime.sessionSecretKey` (so you can standardize the key even in generated mode).
- If the chart already has a Secret with multiple keys, only gate the session password portion or gate the whole Secret depending on how it's structured. Don't break other keys.
5) Update Deployment to always reference the resolved secret name/key
In templates/deployment.yaml, set the session password env var using `valueFrom.secretKeyRef`, pointing to:
- name: `{{ include "leantime.sessionSecretName" . }}`
- key: `{{ include "leantime.sessionSecretKey" . }}`
Example (adjust the env var name to match the chart):
```yaml
- name: LEAN_SESSION_PASSWORD
  valueFrom:
    secretKeyRef:
      name: {{ include "leantime.sessionSecretName" . }}
      key: {{ include "leantime.sessionSecretKey" . }}
```
Important:
- If the chart currently sets the env var directly from `.Values.app.session.password`, remove that direct wiring.
- Do not use `envFrom` unless the chart already standardizes on it; keep changes minimal.
6) Add validation in templates
Add a guard that ensures one of the two is set: `.Values.app.session.existingSecret.name` OR `.Values.app.session.password`.
You can do this in the Secret template (via `required`) and/or at the top of the deployment template:
```
{{- if and (not .Values.app.session.existingSecret.name) (not .Values.app.session.password) -}}
{{- fail "Either app.session.existingSecret.name must be set, or app.session.password must be provided." -}}
{{- end -}}
```
Prefer `fail` (clear error) rather than silently producing an invalid deployment.
7) Update your GitOps values to use 1Password secret
In your helm/leantime/values.yaml (your environment values), remove `app.session.password` entirely and set:
```yaml
app:
  session:
    existingSecret:
      name: leantime-app
      key: session-password
```
Then your 1Password Operator item should render:
- Secret name: `leantime-app`
- Key: `session-password`
8) Acceptance tests (must pass)
Copilot must run these locally (or provide exact commands + expected outcomes):
- Existing secret mode renders correctly
  `helm template leantime helm/leantime -f helm/leantime/values.yaml`
  Expected:
  - Deployment includes the env var with `secretKeyRef.name: leantime-app`
  - The chart does not render a generated Secret for the session password (if you gated it)
- Fallback mode fails fast if missing
  Set `existingSecret.name: ""` and `password: ""` and re-run the template.
  Expected:
  - Helm template fails with your error message.
- Fallback mode works
  Set `existingSecret.name: ""` and `password: "test"` and re-run.
  Expected:
  - A Secret is generated (if that's how the chart works today)
  - Deployment points at that generated secret/key
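The three acceptance cases above, driven through Go's text/template as a stand-in for `helm template` so they run without a cluster or the real chart (an added example, not part of this issue or the Leantime chart). It embeds a constructed copy of the helpers, guard and gated Secret from steps 3, 4 and 6 with `include`, `fail`, `required` and `b64enc` re-implemented minimally; the stubbed `leantime.fullname` helper and the values tree shape are assumptions.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"errors"
	"text/template"
)

// Constructed stand-in for the chart's _helpers.tpl, the fail guard and the gated Secret template (not the project's files); "leantime.fullname" is stubbed.
const chartTemplates = `{{- define "leantime.fullname" -}}leantime{{- end -}}
{{- define "leantime.sessionSecretName" -}}{{ if .Values.app.session.existingSecret.name }}{{ .Values.app.session.existingSecret.name }}{{ else }}{{ include "leantime.fullname" . }}{{ end }}{{- end -}}
{{- define "leantime.sessionSecretKey" -}}{{ if .Values.app.session.existingSecret.key }}{{ .Values.app.session.existingSecret.key }}{{ else }}session-password{{ end }}{{- end -}}
{{- if and (not .Values.app.session.existingSecret.name) (not .Values.app.session.password) }}{{ fail "Either app.session.existingSecret.name must be set, or app.session.password must be provided." }}{{ end -}}
{{- if not .Values.app.session.existingSecret.name }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "leantime.sessionSecretName" . }}
type: Opaque
data:
  {{ include "leantime.sessionSecretKey" . }}: {{ required "app.session.password is required when app.session.existingSecret.name is empty" .Values.app.session.password | b64enc }}
{{- end }}`
// SessionValues builds the .Values subtree the templates read (constructed input, not a real values file).
func SessionValues(name, key, password string) map[string]any {
	session := map[string]any{"existingSecret": map[string]any{"name": name, "key": key}, "password": password}
	return map[string]any{"app": map[string]any{"session": session}}
}

// RenderSession executes the stand-in chart; include, fail, required and b64enc are minimal re-implementations of the Helm functions the templates call.
func RenderSession(values map[string]any) (string, error) {
	t := template.New("chart")
	t.Funcs(template.FuncMap{
		"include": func(name string, data any) (string, error) {
			var b bytes.Buffer
			err := t.ExecuteTemplate(&b, name, data)
			return b.String(), err
		},
		"fail": func(msg string) (string, error) { return "", errors.New(msg) },
		"required": func(msg, v string) (string, error) {
			if v == "" { return "", errors.New(msg) } // Helm aborts rendering with this message
			return v, nil
		},
		"b64enc": func(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) },
	})
	if _, err := t.Parse(chartTemplates); err != nil { return "", err }
	var out bytes.Buffer
	err := t.Execute(&out, map[string]any{"Values": values}) // non-nil error is the fail-fast path
	return out.String(), err
}
```

Existing-secret mode renders no Secret at all, fallback mode renders one keyed `session-password` with the base64 password, and an empty name plus empty password aborts with the guard's message.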
Notes for ArgoCD wiring (what you should change after patch)
- Your ArgoCD Application stays pointed at `path: helm/leantime` in your repo.
- Your 1Password secrets app must sync before the Helm app (your sync-wave 10/20 pattern is correct).
- You can now delete the committed `app.session.password` from Git permanently.