From 39eabb4b1b5c0c0a68996c933449cb12c2124e05 Mon Sep 17 00:00:00 2001 From: Jan Larwig Date: Sun, 29 Mar 2026 09:00:34 +0200 Subject: [PATCH 1/2] fix: configmap generation with `no-config` mode for external secret management Signed-off-by: Jan Larwig --- helm/oauth2-proxy/Chart.yaml | 8 ++++---- helm/oauth2-proxy/README.md | 1 + helm/oauth2-proxy/templates/_helpers.tpl | 3 +++ helm/oauth2-proxy/templates/configmap.yaml | 4 +++- helm/oauth2-proxy/templates/deployment.yaml | 7 +++++++ helm/oauth2-proxy/values.yaml | 4 ++++ 6 files changed, 22 insertions(+), 5 deletions(-) diff --git a/helm/oauth2-proxy/Chart.yaml b/helm/oauth2-proxy/Chart.yaml index d24bd4fe..0a35ad14 100644 --- a/helm/oauth2-proxy/Chart.yaml +++ b/helm/oauth2-proxy/Chart.yaml @@ -1,5 +1,5 @@ name: oauth2-proxy -version: 10.4.1 +version: 10.4.2 apiVersion: v2 appVersion: 7.15.0 home: https://oauth2-proxy.github.io/oauth2-proxy/ @@ -30,8 +30,8 @@ maintainers: kubeVersion: ">=1.16.0-0" annotations: artifacthub.io/changes: | - - kind: changed - description: Bump OAuth2 Proxy image to v7.15.1 + - kind: fixed + description: Add back support for running without generated/mounted ConfigMap links: - name: GitHub PR - url: https://github.com/oauth2-proxy/manifests/pull/403 + url: https://github.com/oauth2-proxy/manifests/pull/402 diff --git a/helm/oauth2-proxy/README.md b/helm/oauth2-proxy/README.md index 06238471..41e8e120 100644 --- a/helm/oauth2-proxy/README.md +++ b/helm/oauth2-proxy/README.md @@ -498,6 +498,7 @@ that are already supported by the Alpha Config will need to be removed from the Keep the following in mind: - The chart always mounts `/etc/oauth2_proxy/oauth2_proxy.cfg`. (Legacy toml config) + Unless both `alphaConfig.enabled` and `forceLegacyConfig` are set to `false` - Per default `config.forceLegacyConfig` is `true` The evaluation happens in the following order: diff --git a/helm/oauth2-proxy/templates/_helpers.tpl b/helm/oauth2-proxy/templates/_helpers.tpl index dfe0ff27..2423348b 100644 
--- a/helm/oauth2-proxy/templates/_helpers.tpl +++ b/helm/oauth2-proxy/templates/_helpers.tpl @@ -167,6 +167,7 @@ metricsServer: If `config.forceLegacyConfig=false`, the chart ignores both the `config.configFile` and `config.existingConfig` overrides and only generates a minimal necessary legacy config. If `config.existingConfig` is set and `config.forceLegacyConfig=true`, the external ConfigMap is mounted into the mounted file. If `config.configFile` is set and `config.forceLegacyConfig=true`, the chart renders that inline content into the mounted file. +If `config.forceLegacyConfig=false` and `alphaConfig.enabled=false`, the chart renders no config map and does not mount a file. */}} {{- define "oauth2-proxy.legacy-config.mode" -}} {{- if and .Values.alphaConfig.enabled (not .Values.config.forceLegacyConfig) -}} @@ -177,6 +178,8 @@ existing-configmap inline-custom {{- else if .Values.alphaConfig.enabled -}} generated-alpha-compatible +{{- else if and (not .Values.alphaConfig.enabled) (not .Values.config.forceLegacyConfig) -}} +no-config {{- else -}} generated-legacy {{- end -}} diff --git a/helm/oauth2-proxy/templates/configmap.yaml b/helm/oauth2-proxy/templates/configmap.yaml index 30e25c55..8e0ca831 100644 --- a/helm/oauth2-proxy/templates/configmap.yaml +++ b/helm/oauth2-proxy/templates/configmap.yaml @@ -1,4 +1,5 @@ -{{- if ne (include "oauth2-proxy.legacy-config.mode" .) "existing-configmap" }} +{{- $mode := include "oauth2-proxy.legacy-config.mode" . }} +{{- if not (has $mode (list "existing-configmap" "no-config")) }} apiVersion: v1 kind: ConfigMap metadata: @@ -7,6 +8,7 @@ metadata: {{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} labels: + mode: {{ include "oauth2-proxy.legacy-config.mode" . }} app: {{ template "oauth2-proxy.name" . }} {{- include "oauth2-proxy.labels" . | indent 4 }} name: {{ template "oauth2-proxy.fullname" . }} 
diff --git a/helm/oauth2-proxy/templates/deployment.yaml b/helm/oauth2-proxy/templates/deployment.yaml index 4ce265cd..8ad1303e 100644 --- a/helm/oauth2-proxy/templates/deployment.yaml +++ b/helm/oauth2-proxy/templates/deployment.yaml @@ -1,3 +1,4 @@ +{{- $mode := include "oauth2-proxy.legacy-config.mode" . }} {{- $redisEnabled := eq (include "oauth2-proxy.redis.enabled" .) "true" -}} {{- $redisValues := index .Values "redis-ha" | default dict -}} apiVersion: apps/v1 @@ -145,7 +146,9 @@ spec: {{- toYaml . | nindent 10 }} {{- end }} {{- end }} + {{- if ne $mode "no-config" }} - --config=/etc/oauth2_proxy/oauth2_proxy.cfg + {{- end }} {{- if .Values.authenticatedEmailsFile.enabled }} {{- if .Values.authenticatedEmailsFile.template }} - --authenticated-emails-file=/etc/oauth2-proxy/{{ .Values.authenticatedEmailsFile.template }} @@ -302,9 +305,11 @@ spec: readOnly: true {{- end }} {{- end }} +{{- if ne $mode "no-config" }} - mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg name: configmain subPath: oauth2_proxy.cfg +{{- end }} {{- if .Values.alphaConfig.enabled }} - mountPath: /etc/oauth2_proxy/oauth2_proxy.yml name: configalpha @@ -368,10 +373,12 @@ spec: name: {{ template "oauth2-proxy.fullname" . }}-wait-for-redis defaultMode: 0775 {{- end }} +{{- if ne $mode "no-config" }} - configMap: defaultMode: 420 name: {{ include "oauth2-proxy.legacy-config.name" . | trim }} name: configmain +{{- end }} {{- if .Values.alphaConfig.enabled }} {{- if .Values.alphaConfig.existingConfig }} - configMap: diff --git a/helm/oauth2-proxy/values.yaml b/helm/oauth2-proxy/values.yaml index dd2f6592..96353c7a 100644 --- a/helm/oauth2-proxy/values.yaml +++ b/helm/oauth2-proxy/values.yaml 
@@ -64,6 +64,8 @@ config: # generates a minimal legacy config from emailDomains only. # 3. If configFile is empty/not set, the config is auto-generated # from emailDomains and, when alphaConfig is disabled, upstreams. + # 4. When alphaConfig.enabled=false and forceLegacyConfig=false + # no ConfigMap is generated and mounted configFile: "" # Email domains allowed to authenticate when the chart generates # the main oauth2_proxy.cfg. @@ -109,6 +111,8 @@ config: # instead (see examples below). # - Move any other relevant settings into alphaConfig and/or # flags rather than relying on a custom legacy configFile. + # 3) If forceLegacyConfig and alphaConfig.enabled are false + # no ConfigMap is being mounted. forceLegacyConfig: true # # Custom configuration file: oauth2_proxy.cfg (overrides From 8ece5f70531e6c19240b3b1c45aa9742db627df2 Mon Sep 17 00:00:00 2001 From: Jan Larwig Date: Sun, 29 Mar 2026 10:01:27 +0200 Subject: [PATCH 2/2] rework Signed-off-by: Jan Larwig --- helm/oauth2-proxy/README.md | 8 ++-- .../alphaconfig-7-existing-secret-values.yaml | 23 +++++++++ helm/oauth2-proxy/templates/_helpers.tpl | 47 ++++++++++++++++--- helm/oauth2-proxy/templates/configmap.yaml | 5 +- helm/oauth2-proxy/templates/deployment.yaml | 28 ++++++----- helm/oauth2-proxy/templates/deprecation.yaml | 6 +++ helm/oauth2-proxy/templates/secret-alpha.yaml | 9 +--- helm/oauth2-proxy/values.yaml | 10 +++- 8 files changed, 101 insertions(+), 35 deletions(-) create mode 100644 helm/oauth2-proxy/ci/alphaconfig-7-existing-secret-values.yaml diff --git a/helm/oauth2-proxy/README.md b/helm/oauth2-proxy/README.md index 41e8e120..bc555f37 100644 --- a/helm/oauth2-proxy/README.md +++ b/helm/oauth2-proxy/README.md 
@@ -152,10 +152,10 @@ The following table lists the configurable parameters of the oauth2-proxy chart | `affinity` | node/pod affinities | None | | `alphaConfig.annotations` | Configmap annotations | `{}` | | `alphaConfig.configData` | Arbitrary configuration data to append | `{}` | -| `alphaConfig.configFile` | Arbitrary configuration to append, treated as a Go template and rendered with the root context | `""` | +| `alphaConfig.configFile` | Arbitrary configuration to append, treated as a Go template and rendered with the root context. Can be combined with generated alpha content, but not with `alphaConfig.existingConfig` or `alphaConfig.existingSecret` | `""` | | `alphaConfig.enabled` | Flag to toggle any alpha config-related logic | `false` | -| `alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` | -| `alphaConfig.existingSecret` | existing Kubernetes secret to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` | +| `alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. Mutually exclusive with `alphaConfig.existingSecret` and generated alpha content (`serverConfigData`, `metricsConfigData`, `configData`, `configFile`) | `nil` | +| `alphaConfig.existingSecret` | existing Kubernetes secret to use for the alpha configuration file. 
Mutually exclusive with `alphaConfig.existingConfig` and generated alpha content (`serverConfigData`, `metricsConfigData`, `configData`, `configFile`) | `nil` | | `alphaConfig.metricsConfigData` | Arbitrary configuration data to append to the metrics section | `{}` | | `alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}` | | `authenticatedEmailsFile.annotations` | configmap or secret annotations | `nil` | @@ -500,6 +500,8 @@ Keep the following in mind: - The chart always mounts `/etc/oauth2_proxy/oauth2_proxy.cfg`. (Legacy toml config) Unless both `alphaConfig.enabled` and `forceLegacyConfig` are set to `false` - Per default `config.forceLegacyConfig` is `true` +- `alphaConfig.existingConfig` and `alphaConfig.existingSecret` are external-source modes. + They cannot be combined with generated alpha content like `configData` or `configFile`. The evaluation happens in the following order: diff --git a/helm/oauth2-proxy/ci/alphaconfig-7-existing-secret-values.yaml b/helm/oauth2-proxy/ci/alphaconfig-7-existing-secret-values.yaml new file mode 100644 index 00000000..a6b7df10 --- /dev/null +++ b/helm/oauth2-proxy/ci/alphaconfig-7-existing-secret-values.yaml @@ -0,0 +1,23 @@ +# Test Case 7: alphaConfig enabled + existingSecret +# Expected: Chart mounts the external alpha Secret instead of generating one. + +alphaConfig: + enabled: true + existingSecret: my-external-alpha-secret + +extraObjects: + - apiVersion: v1 + kind: Secret + metadata: + name: my-external-alpha-secret + type: Opaque + stringData: + oauth2_proxy.yml: | + --- + server: + BindAddress: 0.0.0.0:4180 + providers: + - id: google + provider: google + clientID: fake-client-id + clientSecret: fake-client-secret diff --git a/helm/oauth2-proxy/templates/_helpers.tpl b/helm/oauth2-proxy/templates/_helpers.tpl index 2423348b..31af1349 100644 --- a/helm/oauth2-proxy/templates/_helpers.tpl +++ b/helm/oauth2-proxy/templates/_helpers.tpl 
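Review bot: The new fixture covers only the `existing-secret` path; none of the files listed in either patch's diffstat exercises the `no-config` branch (`alphaConfig.enabled: false` with `config.forceLegacyConfig: false`) that the first patch introduces. A second values file that sets those two keys and supplies the required settings through flags or environment would guard the `--config` argument, the `configmain` mount and its volume against regressions together. This fixture also leaves `config.forceLegacyConfig` at its default, so a comment such as `# forceLegacyConfig stays at its default (true), so the generated legacy ConfigMap is still mounted` would make the expected output explicit.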
@@ -163,30 +163,63 @@ metricsServer: {{- end }} {{- end -}} +{{- define "oauth2-proxy.alpha-config.source" -}} +{{- if not .Values.alphaConfig.enabled -}} +disabled +{{- else if .Values.alphaConfig.existingConfig -}} +existing-configmap +{{- else if .Values.alphaConfig.existingSecret -}} +existing-secret +{{- else -}} +generated +{{- end -}} +{{- end -}} + +{{- define "oauth2-proxy.alpha-config.name" -}} +{{- $source := include "oauth2-proxy.alpha-config.source" . -}} +{{- if eq $source "existing-configmap" -}} +{{- .Values.alphaConfig.existingConfig -}} +{{- else if eq $source "existing-secret" -}} +{{- .Values.alphaConfig.existingSecret -}} +{{- else if eq $source "generated" -}} +{{- printf "%s-alpha" (include "oauth2-proxy.fullname" .) -}} +{{- end -}} +{{- end -}} + {{/* If `config.forceLegacyConfig=false`, the chart ignores both the `config.configFile` and `config.existingConfig` overrides and only generates a minimal necessary legacy config. If `config.existingConfig` is set and `config.forceLegacyConfig=true`, the external ConfigMap is mounted into the mounted file. If `config.configFile` is set and `config.forceLegacyConfig=true`, the chart renders that inline content into the mounted file. If `config.forceLegacyConfig=false` and `alphaConfig.enabled=false`, the chart renders no config map and does not mount a file. 
*/}} -{{- define "oauth2-proxy.legacy-config.mode" -}} -{{- if and .Values.alphaConfig.enabled (not .Values.config.forceLegacyConfig) -}} +{{- define "oauth2-proxy.legacy-config.source" -}} +{{- if .Values.alphaConfig.enabled -}} +{{- if not .Values.config.forceLegacyConfig -}} generated-alpha-compatible {{- else if .Values.config.existingConfig -}} existing-configmap {{- else if .Values.config.configFile -}} inline-custom -{{- else if .Values.alphaConfig.enabled -}} +{{- else -}} generated-alpha-compatible -{{- else if and (not .Values.alphaConfig.enabled) (not .Values.config.forceLegacyConfig) -}} +{{- end -}} +{{- else if not .Values.config.forceLegacyConfig -}} no-config +{{- else if .Values.config.existingConfig -}} +existing-configmap +{{- else if .Values.config.configFile -}} +inline-custom {{- else -}} generated-legacy {{- end -}} {{- end -}} +{{- define "oauth2-proxy.legacy-config.enabled" -}} +{{- ne (include "oauth2-proxy.legacy-config.source" .) "no-config" -}} +{{- end -}} + {{- define "oauth2-proxy.legacy-config.name" -}} -{{- if eq (include "oauth2-proxy.legacy-config.mode" .) "existing-configmap" -}} +{{- if eq (include "oauth2-proxy.legacy-config.source" .) "existing-configmap" -}} {{- .Values.config.existingConfig -}} {{- else -}} {{- template "oauth2-proxy.fullname" . -}} @@ -194,9 +227,9 @@ generated-legacy {{- end -}} {{- define "oauth2-proxy.legacy-config.content" -}} -{{- if eq (include "oauth2-proxy.legacy-config.mode" .) "inline-custom" -}} +{{- if eq (include "oauth2-proxy.legacy-config.source" .) "inline-custom" -}} {{- tpl .Values.config.configFile $ -}} -{{- else if eq (include "oauth2-proxy.legacy-config.mode" .) "generated-alpha-compatible" -}} +{{- else if eq (include "oauth2-proxy.legacy-config.source" .) "generated-alpha-compatible" -}} email_domains = {{ .Values.config.emailDomains | toJson }} {{- else -}} email_domains = {{ .Values.config.emailDomains | toJson }} 
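Review bot: In `oauth2-proxy.legacy-config.source`, the branch `else if not .Values.config.forceLegacyConfig` returns `no-config` before `config.existingConfig` and `config.configFile` are looked at, so with `alphaConfig.enabled=false` a user-supplied legacy config is dropped without any message. The chain removed in the first patch resolved that combination to `existing-configmap` or `inline-custom`, so after an upgrade the settings kept in that file (the generated variant on this page carries `email_domains`) would apparently stop being applied while the release still renders. A guard next to the other `fail` checks in deprecation.yaml would make this explicit, using the condition `{{- if and (not .Values.alphaConfig.enabled) (not .Values.config.forceLegacyConfig) (or .Values.config.existingConfig .Values.config.configFile) }}` and a message naming the ignored keys. The two new `alpha-config.*` helpers would also benefit from a `{{/* ... */}}` comment listing the values they return (`disabled`, `existing-configmap`, `existing-secret`, `generated`), as the legacy helper already has.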
diff --git a/helm/oauth2-proxy/templates/configmap.yaml b/helm/oauth2-proxy/templates/configmap.yaml index 8e0ca831..3fb24932 100644 --- a/helm/oauth2-proxy/templates/configmap.yaml +++ b/helm/oauth2-proxy/templates/configmap.yaml @@ -1,5 +1,5 @@ -{{- $mode := include "oauth2-proxy.legacy-config.mode" . }} -{{- if not (has $mode (list "existing-configmap" "no-config")) }} +{{- $legacySource := include "oauth2-proxy.legacy-config.source" . }} +{{- if not (has $legacySource (list "existing-configmap" "no-config")) }} apiVersion: v1 kind: ConfigMap metadata: @@ -8,7 +8,6 @@ metadata: {{ tpl ( toYaml . ) $ | indent 4 }} {{- end }} labels: - mode: {{ include "oauth2-proxy.legacy-config.mode" . }} app: {{ template "oauth2-proxy.name" . }} {{- include "oauth2-proxy.labels" . | indent 4 }} name: {{ template "oauth2-proxy.fullname" . }} diff --git a/helm/oauth2-proxy/templates/deployment.yaml b/helm/oauth2-proxy/templates/deployment.yaml index 8ad1303e..f16f7645 100644 --- a/helm/oauth2-proxy/templates/deployment.yaml +++ b/helm/oauth2-proxy/templates/deployment.yaml @@ -1,4 +1,6 @@ -{{- $mode := include "oauth2-proxy.legacy-config.mode" . }} +{{- $legacySource := include "oauth2-proxy.legacy-config.source" . }} +{{- $legacyConfigEnabled := eq (include "oauth2-proxy.legacy-config.enabled" .) "true" -}} +{{- $alphaConfigSource := include "oauth2-proxy.alpha-config.source" . -}} {{- $redisEnabled := eq (include "oauth2-proxy.redis.enabled" .) "true" -}} {{- $redisValues := index .Values "redis-ha" | default dict -}} apiVersion: apps/v1 
@@ -28,12 +30,14 @@ spec: template: metadata: annotations: - {{- if ne (include "oauth2-proxy.legacy-config.mode" .) "existing-configmap" }} + {{- if and $legacyConfigEnabled (ne $legacySource "existing-configmap") }} checksum/config: {{ include "oauth2-proxy.legacy-config.content" . | sha256sum }} {{- end }} - {{- if .Values.alphaConfig.enabled }} + {{- if eq $alphaConfigSource "generated" }} checksum/alpha-config: {{ include "oauth2-proxy.alpha-config" . | sha256sum }} {{- end }} + legacy/source: {{ include "oauth2-proxy.legacy-config.source" . }} + alpha/source: {{ include "oauth2-proxy.alpha-config.source" . }} {{- if .Values.authenticatedEmailsFile.enabled }} checksum/config-emails: {{ include (print $.Template.BasePath "/configmap-authenticated-emails-file.yaml") . | sha256sum }} {{- end }} @@ -146,7 +150,7 @@ spec: {{- toYaml . | nindent 10 }} {{- end }} {{- end }} - {{- if ne $mode "no-config" }} + {{- if $legacyConfigEnabled }} - --config=/etc/oauth2_proxy/oauth2_proxy.cfg {{- end }} {{- if .Values.authenticatedEmailsFile.enabled }} @@ -305,12 +309,12 @@ spec: readOnly: true {{- end }} {{- end }} -{{- if ne $mode "no-config" }} +{{- if $legacyConfigEnabled }} - mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg name: configmain subPath: oauth2_proxy.cfg {{- end }} -{{- if .Values.alphaConfig.enabled }} +{{- if ne $alphaConfigSource "disabled" }} - mountPath: /etc/oauth2_proxy/oauth2_proxy.yml name: configalpha subPath: oauth2_proxy.yml 
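Review bot: The added pod annotations `legacy/source` and `alpha/source` call `include` again although `$legacySource` and `$alphaConfigSource` are defined at the top of this template, and they resemble the `mode:` label that this same commit removes from configmap.yaml. If they are kept on purpose (for instance so that a change of source rolls the pods), a template comment should say so and the values should be quoted: `legacy/source: {{ $legacySource | quote }}` and `alpha/source: {{ $alphaConfigSource | quote }}`. A chart-specific key prefix would also reduce the chance of colliding with annotations supplied through other values. The annotations block continues outside the hunk.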
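Review bot: The `configalpha` mount in the last hunk on this line is rendered for the external sources too, but it uses `subPath`, and the `checksum/alpha-config` annotation in this file is limited to the `generated` source, so nothing restarts the pods when an externally managed Secret or ConfigMap changes. Kubernetes does not refresh `subPath` mounts, which means a rotated `clientSecret` in the object named by `alphaConfig.existingSecret` stays unused until the Deployment is rolled by other means. This deserves a sentence in values.yaml next to `existingSecret`, for example `# Changes to the external Secret are not picked up automatically; restart the Deployment after rotating it.` The volumeMounts list starts and ends outside the hunk.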
@@ -373,25 +377,23 @@ spec: name: {{ template "oauth2-proxy.fullname" . }}-wait-for-redis defaultMode: 0775 {{- end }} -{{- if ne $mode "no-config" }} +{{- if $legacyConfigEnabled }} - configMap: defaultMode: 420 name: {{ include "oauth2-proxy.legacy-config.name" . | trim }} name: configmain {{- end }} -{{- if .Values.alphaConfig.enabled }} -{{- if .Values.alphaConfig.existingConfig }} +{{- if eq $alphaConfigSource "existing-configmap" }} - configMap: defaultMode: 420 - name: {{ .Values.alphaConfig.existingConfig }} + name: {{ include "oauth2-proxy.alpha-config.name" . }} name: configalpha -{{- else }} +{{- else if or (eq $alphaConfigSource "existing-secret") (eq $alphaConfigSource "generated") }} - secret: defaultMode: 420 - secretName: {{ if .Values.alphaConfig.existingSecret }}{{ .Values.alphaConfig.existingSecret }}{{ else }}{{ template "oauth2-proxy.fullname" . }}-alpha{{ end }} + secretName: {{ include "oauth2-proxy.alpha-config.name" . }} name: configalpha {{- end }} -{{- end }} {{- if ne (len .Values.extraVolumes) 0 }} {{ tpl (toYaml .Values.extraVolumes) . | indent 6 }} {{- end }} diff --git a/helm/oauth2-proxy/templates/deprecation.yaml b/helm/oauth2-proxy/templates/deprecation.yaml index 126d3e7a..65f89f0d 100644 --- a/helm/oauth2-proxy/templates/deprecation.yaml +++ b/helm/oauth2-proxy/templates/deprecation.yaml 
@@ -2,6 +2,12 @@ {{- if .Values.service.port }} {{ fail "`service.port` does no longer exist. It has been renamed to `service.portNumber`" }} {{- end }} + {{- if and .Values.alphaConfig.enabled .Values.alphaConfig.existingConfig .Values.alphaConfig.existingSecret }} + {{ fail "`alphaConfig.existingConfig` and `alphaConfig.existingSecret` are mutually exclusive. Configure exactly one external alpha config source." }} + {{- end }} + {{- if and .Values.alphaConfig.enabled (or .Values.alphaConfig.existingConfig .Values.alphaConfig.existingSecret) (or .Values.alphaConfig.serverConfigData .Values.alphaConfig.metricsConfigData .Values.alphaConfig.configData .Values.alphaConfig.configFile) }} + {{ fail "External alpha config sources (`alphaConfig.existingConfig` or `alphaConfig.existingSecret`) cannot be combined with generated alpha config content (`serverConfigData`, `metricsConfigData`, `configData`, or `configFile`). Choose one alpha config source." }} + {{- end }} {{- if eq ( include "capabilities.ingress.apiVersion" . ) "networking.k8s.io/v1" -}} {{- range .Values.ingress.extraPaths }} {{- if or (.backend.serviceName) (.backend.servicePort) }} diff --git a/helm/oauth2-proxy/templates/secret-alpha.yaml b/helm/oauth2-proxy/templates/secret-alpha.yaml index ba2c02d5..6edfad12 100644 --- a/helm/oauth2-proxy/templates/secret-alpha.yaml +++ b/helm/oauth2-proxy/templates/secret-alpha.yaml @@ -1,9 +1,4 @@ -{{- - if and - .Values.alphaConfig.enabled - (not .Values.alphaConfig.existingConfig) - (not .Values.alphaConfig.existingSecret) -}} +{{- if eq (include "oauth2-proxy.alpha-config.source" .) "generated" }} apiVersion: v1 kind: Secret metadata: 
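Review bot: The two new `fail` guards turn value combinations that previously rendered into a hard error, yet the `artifacthub.io/changes` entry in this series only mentions the ConfigMap fix and the chart moves by a patch version. The condition removed from secret-alpha.yaml shows that setting `existingConfig` or `existingSecret` merely skipped the generated Secret, so a release that also carries `configData` or `configFile` would have installed before and will now stop at upgrade. Failing closed on an ambiguous config source is the safer behaviour, but it should be announced, for example with an extra changes entry `- kind: changed` / `description: Fail rendering when an external alpha config source is combined with generated alpha content`. The checks sit inside a block that starts and ends outside the hunk.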
@@ -14,7 +9,7 @@ metadata: labels: app: {{ template "oauth2-proxy.name" . }} {{- include "oauth2-proxy.labels" . | indent 4 }} - name: {{ template "oauth2-proxy.fullname" . }}-alpha + name: {{ include "oauth2-proxy.alpha-config.name" . }} namespace: {{ template "oauth2-proxy.namespace" $ }} data: oauth2_proxy.yml: {{ include "oauth2-proxy.alpha-config" . | b64enc | quote }} diff --git a/helm/oauth2-proxy/values.yaml b/helm/oauth2-proxy/values.yaml index 96353c7a..547691c2 100644 --- a/helm/oauth2-proxy/values.yaml +++ b/helm/oauth2-proxy/values.yaml @@ -168,10 +168,16 @@ alphaConfig: # # Arbitrary configuration to append # This is treated as a Go template and rendered with the root context + # This may be combined with configData/serverConfigData/metricsConfigData + # when the chart generates the alpha config itself. configFile: "" - # Use an existing config map (see secret-alpha.yaml for required fields) + # Use an existing config map (see secret-alpha.yaml for required fields). + # Mutually exclusive with existingSecret and all generated alpha config + # content options above. existingConfig: ~ - # Use an existing secret + # Use an existing secret. + # Mutually exclusive with existingConfig and all generated alpha config + # content options above. existingSecret: ~ # # NOTE: When using alphaConfig with external secrets (e.g., Azure