Skip to content

use existing secrets in helm charts#1828

Open
MasayaAoyama wants to merge 4 commits into
kagent-dev:mainfrom
MasayaAoyama:existing-secrets
Open

use existing secrets in helm charts#1828
MasayaAoyama wants to merge 4 commits into
kagent-dev:mainfrom
MasayaAoyama:existing-secrets

Conversation

@MasayaAoyama
Copy link
Copy Markdown

@MasayaAoyama MasayaAoyama commented May 11, 2026

Add template values for using existing secrets in the Helm chart.
This is useful when used together with other secret management tools such as ExternalSecret.

Test

  • useExistingSecret=false
# helm template kagent . --set providers.openAI.apiKey=test-key --set providers.openAI.useExistingSecret=false | yq 'select(.kind == "Secret")'
# Source: kagent/templates/modelconfig-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: "kagent-openai"
  namespace: argocd
  labels:
    helm.sh/chart: kagent-v1
    app.kubernetes.io/name: kagent
    app.kubernetes.io/instance: kagent
    app.kubernetes.io/version: "v1"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: kagent
type: Opaque
data:
  OPENAI_API_KEY: dGVzdC1rZXk=
---
# Source: kagent/templates/postgresql-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: kagent-postgresql
  namespace: argocd
  labels:
    helm.sh/chart: kagent-v1
    app.kubernetes.io/name: kagent
    app.kubernetes.io/instance: kagent
    app.kubernetes.io/version: "v1"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: kagent
    app.kubernetes.io/component: database
type: Opaque
data:
  POSTGRES_PASSWORD: "a2FnZW50"
  • useExistingSecret=true
# helm template kagent . --set providers.openAI.apiKey=test-key --set providers.openAI.useExistingSecret=true | yq 'select(.kind == "Secret")'
# Source: kagent/templates/postgresql-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: kagent-postgresql
  namespace: argocd
  labels:
    helm.sh/chart: kagent-v1
    app.kubernetes.io/name: kagent
    app.kubernetes.io/instance: kagent
    app.kubernetes.io/version: "v1"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: kagent
    app.kubernetes.io/component: database
type: Opaque
data:
  POSTGRES_PASSWORD: "a2FnZW50"

Copilot AI review requested due to automatic review settings May 11, 2026 09:32
@MasayaAoyama
use existing secrets in helm charts
adbd3a3 
_

Signed-off-by: MasayaAoyama <amsy810@gmail.com>
Copilot AI reviewed May 11, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a Helm values flag to allow using pre-created/provider-managed Kubernetes Secrets (e.g., ExternalSecrets) instead of having the chart generate an API key Secret for the default LLM provider.

Changes:

  • Introduces providers.<provider>.useExistingSecret values (default false) for several providers.
  • Updates modelconfig-secret.yaml to skip rendering the Secret when useExistingSecret is enabled.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
helm/kagent/values.yaml Adds useExistingSecret values and inline docs for LLM providers.
helm/kagent/templates/modelconfig-secret.yaml Gates Secret rendering on useExistingSecret being false.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread helm/kagent/values.yaml Outdated
Comment thread helm/kagent/templates/modelconfig-secret.yaml
MasayaAoyama and others added 3 commits May 11, 2026 18:38
@MasayaAoyama
Potential fix for pull request finding
e93097f 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Masaya Aoyama (@amsy810) <tennis.tenmasa@gmail.com>
@MasayaAoyama
add render test for useExistingSecret helm values
481928a 
Signed-off-by: MasayaAoyama <amsy810@gmail.com>
@EItanya
Merge branch 'main' into existing-secrets
f589ba3
EItanya
EItanya reviewed May 11, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@EItanya EItanya left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall this makes sense, but can't you just set apiKeySecretRef and skip apiKey to achieve the same behavior?

@MasayaAoyama
Copy link
Copy Markdown
Author

MasayaAoyama commented May 13, 2026

@EItanya Thank you for the review!

If we use apiKeySecretRef in that way, then when users provide the apiKey directly, we would likely need to hardcode the Secret name on the chart side when generating the Secret. Alternatively, we might need to introduce another separate value for that purpose.

Also, this approach would break backward compatibility with older versions, and it would also affect the Secret name used when mounting the Secret from the Deployment.

For these reasons, this PR keeps the current implementation.

What do you think about the current approach?

@EItanya
Copy link
Copy Markdown
Contributor

EItanya commented May 13, 2026

@EItanya Thank you for the review!

If we use apiKeySecretRef in that way, then when users provide the apiKey directly, we would likely need to hardcode the Secret name on the chart side when generating the Secret. Alternatively, we might need to introduce another separate value for that purpose.

Also, this approach would break backward compatibility with older versions, and it would also affect the Secret name used when mounting the Secret from the Deployment.

For these reasons, this PR keeps the current implementation.

What do you think about the current approach?

I'm a little confused, I think the way I mentioned would work today. If a user specifies just apiKeySecretRef then we template out the following in the modelConfig:

  {{- if $model.apiKeySecretRef }}
  apiKeySecret: {{.apiKeySecretRef}}
  {{- end }}
  {{- if $model.apiKeySecretKey }}
  apiKeySecretKey: {{.apiKeySecretKey}}
  {{- end }}

Why is the apiKey involved at all in this flow?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@EItanya EItanya EItanya left review comments

Copilot code review Copilot Copilot left review comments

@ilackarms ilackarms Awaiting requested review from ilackarms ilackarms is a code owner

@yuval-k yuval-k Awaiting requested review from yuval-k yuval-k is a code owner

@supreme-gg-gg supreme-gg-gg Awaiting requested review from supreme-gg-gg supreme-gg-gg is a code owner

@iplay88keys iplay88keys Awaiting requested review from iplay88keys iplay88keys is a code owner

@jmhbh jmhbh Awaiting requested review from jmhbh jmhbh is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MasayaAoyama @EItanya