fix(deploy): use secretRef instead of configMapRef in all deployments

ConfigMap was removed from Helm chart (managed externally). Secret contains all required env vars (APP_DATABASE_URL, APP_REDIS_URL, SMTP credentials, SSH domain/key, etc.) and is always rendered (helm.sh/resource-policy: keep prevents deletion on upgrade). Also add APP_SSH_PORT and APP_SSH_SERVER_PRIVATE_KEY to secret template.
2026-04-15 14:06:40 +08:00 · 2026-04-15 14:06:40 +08:00 · b7b56938aa
commit b7b56938aa
parent ad2cb7255f
7 changed files with 21 additions and 13 deletions
--- a/deploy/templates/app-deployment.yaml
+++ b/deploy/templates/app-deployment.yaml
@ -36,8 +36,8 @@ spec:
              containerPort: {{ .Values.app.service.port }}
              protocol: TCP
          envFrom:
-            - configMapRef:
-                name: {{ include "gitdata.fullname" . }}-config
+            - secretRef:
+                name: {{ include "gitdata.fullname" . }}-secrets
            {{- range .Values.app.env }}
            - name: {{ .name }}
              value: {{ .value | quote }}
--- a/deploy/templates/email-worker-deployment.yaml
+++ b/deploy/templates/email-worker-deployment.yaml
@ -31,8 +31,8 @@ spec:
          image: "{{ .Values.image.registry }}/{{ .Values.emailWorker.image.repository }}:{{ .Values.emailWorker.image.tag }}"
          imagePullPolicy: {{ .Values.emailWorker.image.pullPolicy | default .Values.image.pullPolicy }}
          envFrom:
-            - configMapRef:
-                name: {{ include "gitdata.fullname" . }}-config
+            - secretRef:
+                name: {{ include "gitdata.fullname" . }}-secrets
            {{- range .Values.emailWorker.env }}
            - name: {{ .name }}
              value: {{ .value | quote }}
--- a/deploy/templates/git-hook-deployment.yaml
+++ b/deploy/templates/git-hook-deployment.yaml
@ -31,8 +31,8 @@ spec:
          image: "{{ .Values.image.registry }}/{{ .Values.gitHook.image.repository }}:{{ .Values.gitHook.image.tag }}"
          imagePullPolicy: {{ .Values.gitHook.image.pullPolicy | default .Values.image.pullPolicy }}
          envFrom:
-            - configMapRef:
-                name: {{ include "gitdata.fullname" . }}-config
+            - secretRef:
+                name: {{ include "gitdata.fullname" . }}-secrets
            {{- range .Values.gitHook.env }}
            - name: {{ .name }}
              value: {{ .value | quote }}
--- a/deploy/templates/gitserver-deployment.yaml
+++ b/deploy/templates/gitserver-deployment.yaml
@ -45,8 +45,8 @@ spec:
              containerPort: {{ $svc.service.ssh.port }}
              protocol: TCP
          envFrom:
-            - configMapRef:
-                name: {{ $fullName }}-config
+            - secretRef:
+                name: {{ $fullName }}-secrets
          env:
            - name: APP_REPOS_ROOT
              value: /data/repos
--- a/deploy/templates/operator-deployment.yaml
+++ b/deploy/templates/operator-deployment.yaml
@ -30,8 +30,8 @@ spec:
          image: "{{ .Values.image.registry }}/{{ .Values.operator.image.repository }}:{{ .Values.operator.image.tag }}"
          imagePullPolicy: {{ .Values.operator.image.pullPolicy | default .Values.image.pullPolicy }}
          envFrom:
-            - configMapRef:
-                name: {{ include "gitdata.fullname" . }}-config
+            - secretRef:
+                name: {{ include "gitdata.fullname" . }}-secrets
          env:
            - name: OPERATOR_IMAGE_PREFIX
              value: {{ .Values.operator.imagePrefix | default (printf "%s/" (include "gitdata.fullname" .)) | quote }}
--- a/deploy/templates/secret.yaml
+++ b/deploy/templates/secret.yaml
@ -9,7 +9,9 @@
 */ -}}

 {{- $secrets := .Values.secrets | default dict -}}
-{{- if $secrets.create -}}
+{{- /* Always render Secret (helm.sh/resource-policy: keep prevents deletion on upgrade) */ -}}
+{{- /* Set secrets.enabled: false to disable */ -}}
+{{- if ne $secrets.enabled false -}}
 apiVersion: v1
 kind: Secret
 metadata:
@ -57,6 +59,12 @@ stringData:
  {{- if $secrets.sshDomain }}
  APP_SSH_DOMAIN: {{ $secrets.sshDomain | quote }}
  {{- end }}
+  {{- if $secrets.sshPort }}
+  APP_SSH_PORT: {{ $secrets.sshPort | quote }}
+  {{- end }}
+  {{- if $secrets.sshServerPrivateKey }}
+  APP_SSH_SERVER_PRIVATE_KEY: {{ $secrets.sshServerPrivateKey | quote }}
+  {{- end }}
  {{- range $key, $value := $secrets.extra | default dict }}
  {{ $key }}: {{ $value | quote }}
  {{- end }}
--- a/deploy/templates/static-deployment.yaml
+++ b/deploy/templates/static-deployment.yaml
@ -41,8 +41,8 @@ spec:
              containerPort: {{ $svc.service.port }}
              protocol: TCP
          envFrom:
-            - configMapRef:
-                name: {{ $fullName }}-config
+            - secretRef:
+                name: {{ $fullName }}-secrets
          env:
            - name: STATIC_ROOT
              value: /data