feat(infra): support external PostgreSQL existing secrets

GitHub issue · Closed

Metadata

Source: tuist/tuist #11367
Updated: Jun 24, 2026
Domains: Kura

Details

Resolves no tracked issue.

Allows self-hosted operators to use an externally managed PostgreSQL Secret without rendering the password into Helm manifests.

The Helm chart now exposes postgresql.external.existingSecret and postgresql.external.existingSecretKeys for external PostgreSQL deployments. When configured, the server and migration pods read the host, username, and password through secretKeyRef entries and compose DATABASE_URL through Kubernetes env-var substitution, so the database password is not materialized in the rendered manifest.

The migration job uses the same secret-backed values for its pg_isready wait step, and the chart-owned app-secrets Secret skips the legacy postgres-password entry for this path. The chart README and English self-hosting guide document the new configuration shape.

How to test locally

  • helm lint infra/helm/tuist -f infra/helm/tuist/values-ci.yaml
  • helm template tuist infra/helm/tuist -f infra/helm/tuist/values-ci.yaml
  • helm template tuist infra/helm/tuist -f infra/helm/tuist/values-ci.yaml --set postgresql.mode=external --set postgresql.external.host=rendered-host-should-not-appear --set postgresql.external.username=rendered-user-should-not-appear --set postgresql.external.password=rendered-password-should-not-appear --set postgresql.external.existingSecret=tuist-postgresql --set postgresql.external.existingSecretKeys.host=hostname --set postgresql.external.existingSecretKeys.username=user --set postgresql.external.existingSecretKeys.password=pass
  • helm template tuist infra/helm/tuist -f infra/helm/tuist/values-managed-common.yaml -f infra/helm/tuist/values-managed-production.yaml -f infra/helm/tuist/values-ci.yaml
  • helm template tuist infra/helm/tuist -f infra/helm/tuist/values-managed-common.yaml -f infra/helm/tuist/values-managed-staging.yaml -f infra/helm/tuist/values-ci.yaml
  • helm template tuist infra/helm/tuist -f infra/helm/tuist/values-managed-common.yaml -f infra/helm/tuist/values-managed-canary.yaml -f infra/helm/tuist/values-ci.yaml
  • git diff --check
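
The third `helm template` command above passes sentinel inline values so that a leak is visible in the output. The script below is an added example (not part of the PR or the chart) that automates that inspection on a rendered file; the env var names `DB_HOST`, `DB_USER`, `DB_PASSWORD` and the URL layout in the samples are assumptions.

```shell
# Constructed sample; env var names and the DATABASE_URL layout are assumptions.
sample_good() { cat <<'EOF'
env:
  - name: DB_HOST
    valueFrom:
      secretKeyRef:
        name: tuist-postgresql
        key: hostname
  - name: DB_USER
    valueFrom:
      secretKeyRef:
        name: tuist-postgresql
        key: user
  - name: DB_PASSWORD
    valueFrom:
      secretKeyRef:
        name: tuist-postgresql
        key: pass
  - name: DATABASE_URL
    value: "postgresql://$(DB_USER):$(DB_PASSWORD)@$(DB_HOST):5432/tuist"
EOF
}
# Constructed counter-example: the inline --set values leaked into the URL.
sample_bad() { cat <<'EOF'
env:
  - name: DATABASE_URL
    value: "postgresql://rendered-user-should-not-appear:rendered-password-should-not-appear@rendered-host-should-not-appear:5432/tuist"
EOF
}
# check_rendered FILE SECRET HOSTKEY USERKEY PASSKEY -> 0 if clean, 1 otherwise
check_rendered() {
  file=$1 secret=$2 rc=0
  # 1. The inline sentinel values must not survive rendering.
  if grep -n 'should-not-appear' "$file"; then
    echo "FAIL: inline connection value rendered"; rc=1
  fi
  # 2. The Secret name and each mapped key must sit under a secretKeyRef.
  refs=$(grep -A2 'secretKeyRef:' "$file" || true)
  for want in "name: $secret" "key: $3" "key: $4" "key: $5"; do
    printf '%s\n' "$refs" | grep -q "$want\$" || { echo "FAIL: no secretKeyRef $want"; rc=1; }
  done
  # 3. With $(VAR) references stripped, the URL userinfo must be empty (://:@).
  urls=$(grep -A1 'name: DATABASE_URL$' "$file" | grep 'value:' || true)
  stripped=$(printf '%s\n' "$urls" | sed 's/\$([A-Za-z_][A-Za-z0-9_]*)//g')
  if [ -z "$urls" ] || printf '%s\n' "$stripped" | grep -qv '://:@'; then
    echo "FAIL: DATABASE_URL missing or carries literal credentials"; rc=1
  fi
  return $rc
}
```

Against the real chart, redirect the third command's output to a file and run `check_rendered rendered.yaml tuist-postgresql hostname user pass`.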

Comments

No GitHub comments yet.