From fcea38661b16ed866ee7e84a3fe6972275e74be2 Mon Sep 17 00:00:00 2001
From: tidusete
Date: Mon, 23 Feb 2026 20:22:36 +0100
Subject: [PATCH] charts: preserve helper secrets across upgrades
Use lookup() to check whether the helper TLS certificate secret and the helper server-token secret already exist in the cluster before rendering new values. If they do, their existing data is reused verbatim so that helm upgrade, Flux reconciliations and Terraform applies no longer rotate certificates or tokens on every run. On a first install the secrets are generated as before. The helm.sh/resource-policy: keep annotation prevents accidental deletion on helm uninstall. The same lookup-based preservation is applied to the helper secret in webhookconfiguration.yaml (webhooks path), including the caBundle used by the MutatingWebhookConfiguration and ValidatingWebhookConfiguration. For ArgoCD deployments, lookup() returns nil during helm-template rendering so certs are still regenerated each sync. The recommended mitigation is to add ignoreDifferences for /data on both secrets in the ArgoCD Application spec.
---
 charts/s1-agent/templates/common/secrets.yaml | 22 +++++++++++++++++--
 .../templates/hooks/webhookconfiguration.yaml | 13 ++++++++---
 2 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/charts/s1-agent/templates/common/secrets.yaml b/charts/s1-agent/templates/common/secrets.yaml
index 75000e11..b41a68da 100644
--- a/charts/s1-agent/templates/common/secrets.yaml
+++ b/charts/s1-agent/templates/common/secrets.yaml
@@ -16,24 +16,42 @@ data:
 ---
 {{- if and (include "helper.secret.create" .) (eq (include "webhooks.enabled" .) "false") }}
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (include "helper.secret.name" .) }}
+{{- $secretData := "" }}
+{{- if and $existingSecret $existingSecret.data }}
+{{- $secretData = $existingSecret.data | toYaml }}
+{{- else }}
+{{- $secretData = include "helper.certificates" . }}
+{{- end }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "helper.secret.name" . }}
   labels: {{- include "sentinelone.helper.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/resource-policy": keep
 type: kubernetes.io/tls
-data: {{- include "helper.certificates" . | nindent 2 }}
+data: {{- $secretData | nindent 2 }}
 {{- end }}
 ---
 {{- if include "helper_token.secret.create" . }}
+{{- $existingToken := lookup "v1" "Secret" .Release.Namespace (include "helper_token.secret.name" .) }}
+{{- $serverToken := "" }}
+{{- if and $existingToken $existingToken.data (index $existingToken.data "server-token") }}
+{{- $serverToken = index $existingToken.data "server-token" | quote }}
+{{- else }}
+{{- $serverToken = include "helper.token" . }}
+{{- end }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "helper_token.secret.name" . }}
   labels: {{- include "sentinelone.helper.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/resource-policy": keep
 type: Opaque
 data:
-  server-token: {{ include "helper.token" . }}
+  server-token: {{ $serverToken }}
 {{- end -}}
diff --git a/charts/s1-agent/templates/hooks/webhookconfiguration.yaml b/charts/s1-agent/templates/hooks/webhookconfiguration.yaml
index e48ee609..849f1fa8 100644
--- a/charts/s1-agent/templates/hooks/webhookconfiguration.yaml
+++ b/charts/s1-agent/templates/hooks/webhookconfiguration.yaml
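Review bot: The TLS reuse branch preserves whatever is in the cluster with no check that it is still usable and no way to rotate it: `{{- if and $existingSecret $existingSecret.data }}` accepts any non-empty data, so a secret that lacks `tls.crt`/`tls.key`/`ca.crt` (created by hand or by an older chart) or one holding an expired certificate is carried forward verbatim on every upgrade, and because `helper.certificates` and `helper.token` are no longer re-run there is now no upgrade path that rotates the key material or the server token. Gate the reuse on the keys the consumers need, as the token branch already does with `index $existingToken.data "server-token"`, and add a documented values switch that forces regeneration, e.g. `{{- if and $existingSecret $existingSecret.data (index $existingSecret.data "tls.crt") (index $existingSecret.data "tls.key") (not .Values.helper.forceRegenerateSecrets) }}`. I cannot see `helper.certificates` from this hunk, so the certificate lifetime it generates is unknown; if it is short, an operator-driven rotation path is needed before this ships. The chart docs should also say that `helm.sh/resource-policy: keep` leaves the private key and token in the namespace after `helm uninstall` and that a later install in the same namespace adopts them.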
@@ -1,13 +1,18 @@
 {{ if eq (include "webhooks.enabled" .) "true" }}
 {{- $certs := "" }}
 {{- $caBundle := "" }}
+{{- $existingSecret := (lookup "v1" "Secret" .Release.Namespace (include "helper.secret.name" .)) }}
 {{- if include "helper.secret.create" . }}
+{{- if and $existingSecret $existingSecret.data }}
+{{- $certs = $existingSecret.data | toYaml -}}
+{{- $caBundle = index $existingSecret.data "ca.crt" -}}
+{{- else }}
 {{- $certs = include "helper.certificates" . -}}
 {{- $caBundle = index ($certs | fromYaml) "ca.crt" -}}
+{{- end }}
 {{- else }}
-{{- $secret := (lookup "v1" "Secret" .Release.Namespace (include "helper.secret.name" .)) }}
-{{- if $secret -}}
-{{- $caBundle = index $secret "data" "ca.crt" -}}
+{{- if $existingSecret -}}
+{{- $caBundle = index $existingSecret "data" "ca.crt" -}}
 {{- end }}
 {{- end }}
@@ -19,6 +24,8 @@ kind: Secret
 metadata:
   name: {{ include "helper.secret.name" . }}
   labels: {{- include "sentinelone.helper.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/resource-policy": keep
 type: kubernetes.io/tls
 data: {{- $certs | nindent 2 }}
 {{- end }}
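Review bot: The reuse branch reads `ca.crt` from the existing secret without checking that the key is present: `{{- if and $existingSecret $existingSecret.data }}` passes for any non-empty data, and `index $existingSecret.data "ca.crt"` then leaves `$caBundle` empty for a secret that was created by hand or by a chart version that did not emit `ca.crt`. That empty value is what the Mutating/ValidatingWebhookConfiguration serialise as caBundle, so the API server cannot verify the helper's certificate; with `failurePolicy: Ignore` the admission webhook is silently bypassed rather than failing loudly (the webhook objects are outside this hunk, so I cannot confirm which policy is set). Require the key in the guard, `{{- if and $existingSecret $existingSecret.data (index $existingSecret.data "ca.crt") }}`, so an incomplete secret falls through to `helper.certificates` and a fresh, consistent cert/caBundle pair, or use `{{- fail "existing helper secret has no ca.crt" }}` if adopting foreign secrets should never happen. The reused certificate is also never checked against its expiry, so the rendered caBundle can outlive the cert it vouches for; the enclosing `{{ if eq (include "webhooks.enabled" .) "true" }}` opened here closes in the second hunk.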