When doing upgrade we want helm to check if there is already a value in the backend auth secret so it wont zero its values (#19)

rlevartovsky · web-flow · commit 0469a803d2c2 · 2025-10-21T13:01:32.000Z
Signed-off-by: Roey &lt;rlevartovsky@paloaltonetworks.com&gt;
diff --git a/charts/konnector/Chart.yaml b/charts/konnector/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: konnector
 description: Deploys Palo Alto Networks' Cortex KSPM connector for advanced Kubernetes security posture management.
 type: application
-version: 1.0.20
+version: 1.0.21
 appVersion: "1.0.0"
 maintainers:
   - name: Palo Alto Networks - Cortex KSPM team
diff --git a/charts/konnector/templates/_helpers.tpl b/charts/konnector/templates/_helpers.tpl
@@ -115,3 +115,21 @@ spec:
 {{- end }}
 {{ $groups | toYaml }}
 {{- end }}
+
+{{/*
+Return a base64 value for a Secret key:
+- If an existing Secret is present: reuse existing.data[key] (already base64).
+  If that key is missing, fall back to base64 of "" (or change to seed if you prefer).
+- If no existing Secret: use base64 of the provided seed.
+Usage: {{ include "secret.valueOrExistingB64" (dict "existing" $existing "key" "token" "seed" "--set-by-konnnector-at-runtime--") }}
+*/}}
+{{- define "secret.valueOrExistingB64" -}}
+{{- $existing := .existing -}}
+{{- $key := .key -}}
+{{- $seed := .seed | default "--set-by-konnnector-at-runtime--" -}}
+{{- if $existing -}}
+  {{- index $existing.data $key | default (b64enc "") | quote -}}
+{{- else -}}
+  {{- b64enc $seed | quote -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/konnector/templates/secret.yaml b/charts/konnector/templates/secret.yaml
@@ -1,16 +1,18 @@
+{{- $ns := $.Values.namespace.name -}}
+{{- $name := $.Values.system.secrets.backendAuth.name -}}
+{{- $existing := lookup "v1" "Secret" $ns $name -}}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.system.secrets.backendAuth.name }}
-  namespace: {{ .Values.namespace.name }}
+  name: {{ $name }}
+  namespace: {{ $ns }}
   labels:
     {{- include "common.labels" . | nindent 4 }}
 type: Opaque
-stringData:
-  token: "--set-by-konnnector-at-runtime--"
-  refreshToken: "--set-by-konnnector-at-runtime--"
-  sosToken: "--set-by-konnnector-at-runtime--"
-  chapi: "--set-by-konnnector-at-runtime--"
+data:
+  {{- range $k := list "token" "refreshToken" "sosToken" "chapi" }}
+  {{ $k }}: {{ include "secret.valueOrExistingB64" (dict "existing" $existing "key" $k "seed" "--set-by-konnnector-at-runtime--") }}
+  {{- end }}
 ---
 apiVersion: v1
 kind: Secret
