Using Kubernetes Secrets

To securely store sensitive configuration like passwords, tokens, and admin secrets, we recommend using Kubernetes Secrets.

By default, the RepoFlow Helm chart uses values defined in values.yaml, but you can optionally override specific environment variables using Secrets by configuring the secretEnv field.

Example: Server Secrets

server:
  secretEnv:
    HASURA_ADMIN_SECRET:
      secretName: repoflow-server-secret
      key: hasuraAdminSecret

To securely inject sensitive values, create the Kubernetes secret manually before installing the chart:

kubectl create secret generic repoflow-server-secret \
  --from-literal=hasuraAdminSecret=supersecretvalue

Environment Variable Precedence

  • If a key exists in both environment and secretEnv, the value from secretEnv is used.
  • If a key exists only in environment, the inline value is used.
  • Secrets are resolved using valueFrom.secretKeyRef at runtime, never hardcoded in the Helm release.
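
The precedence rules above, modelled as an added example (not code from the RepoFlow chart, whose templates are not shown on this page). The helper names render_env and shadowed_inline are hypothetical and the sample values are constructed. It also lists names defined in both fields, since the overridden inline copy still sits in the values file.

```python
# Added example: models the documented precedence rules; not the chart's template.

def render_env(environment, secret_env):
    """Build the container env list for one component (e.g. server, hasura).

    environment: {NAME: inline value} from the `environment` field
    secret_env:  {NAME: {"secretName": ..., "key": ...}} from `secretEnv`
    """
    env = []
    for name in sorted(set(environment) | set(secret_env)):
        if name in secret_env:
            ref = secret_env[name] or {}
            missing = [f for f in ("secretName", "key") if not ref.get(f)]
            if missing:
                raise ValueError(f"secretEnv.{name} is missing {', '.join(missing)}")
            # secretEnv wins: only a reference is rendered, never the value.
            env.append({"name": name, "valueFrom": {"secretKeyRef": {
                "name": ref["secretName"], "key": ref["key"]}}})
        else:
            # Key exists only in environment: the inline value is used.
            env.append({"name": name, "value": str(environment[name])})
    return env


def shadowed_inline(environment, secret_env):
    """Names set in both fields: overridden at runtime, yet still inline in the values."""
    return sorted(set(environment) & set(secret_env))


# Constructed sample values; EXAMPLE_SETTING is a hypothetical variable name.
SERVER_VALUES = {
    "environment": {"HASURA_ADMIN_SECRET": "inline-placeholder",
                    "EXAMPLE_SETTING": "on"},
    "secretEnv": {"HASURA_ADMIN_SECRET": {"secretName": "repoflow-server-secret",
                                          "key": "hasuraAdminSecret"}},
}

if __name__ == "__main__":
    inline, refs = SERVER_VALUES["environment"], SERVER_VALUES["secretEnv"]
    for entry in render_env(inline, refs):
        print(entry)
    print("remove from environment:", shadowed_inline(inline, refs))
```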

PostgreSQL Setup

If you're using an external PostgreSQL database (which is recommended for production), store the connection string in a Kubernetes Secret and reference it in your values:

kubectl create secret generic repoflow-postgres-secret \
  --from-literal=databaseUrl=postgres://user:password@your-db-host:5432/db-name

Then reference it in your Helm values:

hasura:
  secretEnv:
    HASURA_GRAPHQL_DATABASE_URL:
      secretName: repoflow-postgres-secret
      key: databaseUrl
    HASURA_GRAPHQL_METADATA_DATABASE_URL:
      secretName: repoflow-postgres-secret
      key: databaseUrl