Split db connection string and use existing secret

Make use of 'Dependent Environment Variables'.
Ref: https://kubernetes.io/docs/tasks/inject-data-application/define-interdependent-environment-variables/

deploy/helm/templates/deployment.yaml

@@ -1,3 +1,7 @@
+{{- $db := ( tpl .Values.config.database.dbname . ) }}
+{{- $host := .Values.config.database.host | default (include "nebraska.postgresql.fullname" .) }}
+{{- $port := .Values.config.database.port | toString }}
+{{- $user := ( tpl .Values.config.database.username . ) }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -84,11 +88,18 @@ spec:
             - "-gh-ro-teams={{ .Values.config.auth.github.readOnlyTeams }}"
             {{- end }}
           env:
-            - name: NEBRASKA_DB_URL
+            - name: DB_PASSWORD
               valueFrom:
                 secretKeyRef:
+                  {{- if .Values.config.database.passwordExistingSecret.enabled }}
+                  name: {{ tpl .Values.config.database.passwordExistingSecret.name . }}
+                  key: {{ .Values.config.database.passwordExistingSecret.key }}
+                  {{- else }}
                   name: {{ include "nebraska.fullname" . }}
-                  key: dbURL
+                  key: dbPassword
+                  {{- end }}
+            - name: NEBRASKA_DB_URL
+              value: {{ printf "postgres://%s:$(DB_PASSWORD)@%s:%s/%s?sslmode=disable&connect_timeout=10" $user $host $port $db | quote }}
             {{- if or (eq .Values.config.auth.mode "github") (not .Values.config.auth.mode) }}
             - name: "NEBRASKA_GITHUB_OAUTH_CLIENT_ID"
               value: "{{ .Values.config.auth.github.clientID }}"

deploy/helm/templates/secrets.yaml

@@ -1,8 +1,6 @@
-{{- $user := ( tpl .Values.config.database.username . ) }}
-{{- $pass := ( tpl .Values.config.database.password . ) }}
-{{- $db := ( tpl .Values.config.database.dbname . ) }}
-{{- $host := .Values.config.database.host | default (include "nebraska.postgresql.fullname" .) }}
-{{- $port := .Values.config.database.port | toString }}
+{{- $useGhAuth := or (eq .Values.config.auth.mode "github") (not .Values.config.auth.mode) }}
+{{- $useDbPassword := not .Values.config.database.passwordExistingSecret.enabled }}
+{{- if or $useDbPassword $useGhAuth }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -11,10 +9,13 @@ metadata:
     {{- include "nebraska.labels" . | nindent 4 }}
 type: Opaque
 data:
-  dbURL: {{ printf "postgres://%s:%s@%s:%s/%s?sslmode=disable&connect_timeout=10" $user $pass $host $port $db | b64enc }}
-  {{- if or (eq .Values.config.auth.mode "github") (not .Values.config.auth.mode) }}
+  {{- if $useDbPassword }}
+  dbPassword: {{ (tpl .Values.config.database.password .) | b64enc }}
+  {{- end }}
+  {{- if $useGhAuth }}
   ghClientSecret: {{ required "A valid 'clientSecret' is required when using github authentication." .Values.config.auth.github.clientSecret | toString | b64enc }}
   ghSessionAuthKey: {{ required "A valid 'sessionAuthKey' is required when using github authentication." .Values.config.auth.github.sessionAuthKey | toString | b64enc }}
   ghSessionCryptKey: {{ required "A valid 'sessionCryptKey' is required when using github authentication." .Values.config.auth.github.sessionCryptKey | toString | b64enc }}
   ghWebhookSecret: {{ required "A valid 'webhookSecret' is required when using github authentication." .Values.config.auth.github.webhookSecret | toString | b64enc }}
   {{- end }}
+{{- end }}

deploy/helm/values.yaml

@@ -54,9 +54,13 @@ config:
   database:
     host: ""
     port: 5432
-    username: '{{ .Values.postgresql.postgresqlUsername }}'
-    password: '{{ .Values.postgresql.postgresqlPassword }}'
     dbname: '{{ .Values.postgresql.postgresqlDatabase }}'
+    username: '{{ .Values.postgresql.postgresqlUsername }}'
+    password: ""
+    passwordExistingSecret:
+      enabled: true
+      name: '{{ .Release.Name }}-postgresql'
+      key: postgresql-password
 
 extraArgs: []
   # - "-http-log"