From 451ddf8410247323d687fdc35ea12310a86295e0 Mon Sep 17 00:00:00 2001
From: Rojin Ebrahimi
Date: Fri, 13 Feb 2026 23:25:56 +0330
Subject: [PATCH] Support API Credentials as secret, enable config file
---
 deploy/helm/templates/_helpers.tpl | 30 +++++++++++++++++
 deploy/helm/templates/deployment.yaml | 25 ++++++++++++++
 deploy/helm/templates/httproute.yaml | 47 +++++++++++++++++++++++++++
 deploy/helm/values.yaml | 43 ++++++++++++++++++++----
 4 files changed, 139 insertions(+), 6 deletions(-)
 create mode 100644 deploy/helm/templates/httproute.yaml
diff --git a/deploy/helm/templates/_helpers.tpl b/deploy/helm/templates/_helpers.tpl
index 097c7b3..412679b 100644
--- a/deploy/helm/templates/_helpers.tpl
+++ b/deploy/helm/templates/_helpers.tpl
@@ -60,3 +60,33 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Return the secret name, with validation when enabled.
+*/}}
+{{- define "garage-webui.secretName" -}}
+{{- if and .Values.secretRefs .Values.secretRefs.enabled }}
+ {{- if not .Values.secretRefs.name }}
+ {{- fail "secretRefs.name must be set when secretRefs.enabled=true" }}
+ {{- end }}
+{{- end }}
+{{- if .Values.secretRefs }}{{ .Values.secretRefs.name | default "" }}{{ end }}
+{{- end }}
+
+{{/*
+Generate env variables based on secretRefs.keys.
+*/}}
+{{- define "garage-webui.secretEnv" -}}
+{{- if and .Values.secretRefs .Values.secretRefs.enabled .Values.secretRefs.keys }}
+{{- $secretName := include "garage-webui.secretName" . }}
+{{- range $envName, $keyName := .Values.secretRefs.keys }}
+{{- if $keyName }}
+- name: {{ $envName }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $secretName }}
+ key: {{ $keyName }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/deploy/helm/templates/deployment.yaml b/deploy/helm/templates/deployment.yaml
index a4bd339..3a232ef 100644
--- a/deploy/helm/templates/deployment.yaml
+++ b/deploy/helm/templates/deployment.yaml
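Review bot: In `garage-webui.secretEnv` the env name, Secret name and data key are rendered unquoted (`- name: {{ $envName }}`, `name: {{ $secretName }}`, `key: {{ $keyName }}`), unlike the `| quote` that deployment.yaml applies to its other env values. A name or key that looks like a number or a boolean would be rendered as a non-string and the manifest rejected, and a value containing `: ` or ` #` would change the YAML structure. I would write `name: {{ $secretName | quote }}` and `key: {{ $keyName | quote }}`, and quote `$envName` the same way.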
@@ -42,10 +42,15 @@ spec:
 value: {{ .Values.garageConfig.s3Endpoint | quote }}
 - name: S3_REGION
 value: {{ .Values.garageConfig.region | quote }}
+ {{- include "garage-webui.secretEnv" . | nindent 12 }}
+ {{- if not (and .Values.secretRefs (and .Values.secretRefs.enabled (index .Values.secretRefs.keys "AUTH_USER_PASS"))) }}
 - name: AUTH_USER_PASS
 value: {{ .Values.auth.userPassHash | quote }}
+ {{- end }}
+ {{- if not (and .Values.secretRefs (and .Values.secretRefs.enabled (index .Values.secretRefs.keys "API_ADMIN_KEY"))) }}
 - name: API_ADMIN_KEY
 value: {{ .Values.garageConfig.adminApiKey | quote }}
+ {{- end }}
 livenessProbe:
 httpGet:
 path: /
@@ -58,6 +63,16 @@ spec:
 port: http
 initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
 periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+ volumeMounts:
+ {{- if .Values.config.enabled }}
+ - name: config
+ mountPath: /etc/garage.toml
+ subPath: garage.toml
+ readOnly: true
+ {{- end }}
+ {{- with .Values.volumeMounts }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
 {{- with .Values.nodeSelector }}
@@ -72,3 +87,13 @@ spec:
 tolerations:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ volumes:
+ {{- if .Values.config.enabled }}
+ - name: config
+ configMap:
+ name: {{ .Values.config.name }}
+ {{- end }}
+ {{- with .Values.volumes }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+
diff --git a/deploy/helm/templates/httproute.yaml b/deploy/helm/templates/httproute.yaml
new file mode 100644
index 0000000..bb06b4e
--- /dev/null
+++ b/deploy/helm/templates/httproute.yaml
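Review bot: The fallback around `AUTH_USER_PASS` and `API_ADMIN_KEY` is decided per key, so with `secretRefs.enabled=true` and only one key mapped the other credential is still rendered inline from `.Values.auth.userPassHash` or `.Values.garageConfig.adminApiKey` (the visible default for `userPassHash` is `""`). The release then installs without error with an empty or plaintext credential in the Deployment spec, which is probably not what someone enabling secretRefs expects. I would fail the render when secretRefs is enabled and a key is unmapped, e.g. `{{- fail "secretRefs.keys.AUTH_USER_PASS must be set when secretRefs.enabled=true" }}`, or at least state the per-key fallback in the `secretRefs` comment in values.yaml. The container spec starts outside the hunk, so how the application treats an empty AUTH_USER_PASS is not visible here.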
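Review bot: The built-in `config` volume in the last hunk can only come from a ConfigMap (`configMap:` / `name: {{ .Values.config.name }}`), and the second hunk mounts it at `/etc/garage.toml`. A Garage configuration file commonly carries the RPC secret and the admin token, and a ConfigMap is readable with ordinary namespace read access and is not covered by Secret encryption at rest. I would allow a Secret as the source as well, for example through a new value such as `config.existingSecret` (name is only a suggestion) rendered as a `secret:` volume, or document that the mounted file must not embed credentials. `volumes:` and `volumeMounts:` are also emitted when `config.enabled` is false and both lists are empty, which leaves a null field; wrapping each key in an `if or` over both conditions would avoid that.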
@@ -0,0 +1,47 @@
+{{- if .Values.httproute.enabled -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: {{ include "garage-webui.fullname" . }}
+ labels:
+ {{- include "garage-webui.labels" . | nindent 4 }}
+ {{- with .Values.httproute.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ parentRefs:
+ {{- range .Values.httproute.parentRefs }}
+ - name: {{ .name }}
+ namespace: {{ .namespace | default $.Release.Namespace }}
+ {{- if .sectionName }}
+ sectionName: {{ .sectionName }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.httproute.hostnames }}
+ hostnames:
+ {{- toYaml .Values.httproute.hostnames | nindent 4 }}
+ {{- end }}
+ rules:
+ {{- if .Values.httproute.rules }}
+ {{- range .Values.httproute.rules }}
+ - matches:
+ {{- toYaml .matches | nindent 6 }}
+ backendRefs:
+ {{- if .backendRefs }}
+ {{- toYaml .backendRefs | nindent 8 }}
+ {{- else }}
+ - name: {{ include "garage-webui.fullname" $ }}
+ port: {{ $.Values.service.port }}
+ {{- end }}
+ {{- end }}
+ {{- else }}
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: {{ include "garage-webui.fullname" . }}
+ port: {{ .Values.service.port }}
+ {{- end }}
+{{- end }}
diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
index e9c102b..60dfbad 100644
--- a/deploy/helm/values.yaml
+++ b/deploy/helm/values.yaml
@@ -55,6 +55,12 @@ service:
 port: 80
 targetPort: 3909

+httproute:
+ enabled: false
+ annotations: {}
+ parentRefs: []
+ hostnames: []
+
 # This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/
 ingress:
 enabled: false
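Review bot: With `httproute.hostnames` left at its default `[]` the `hostnames:` block is skipped, so the route matches every hostname of the parent listener and the default rule publishes the whole UI under `PathPrefix` `/`. For an admin console I would make that an explicit choice and fail the render on an empty list, e.g. `{{- if not .Values.httproute.hostnames }}{{- fail "httproute.hostnames must be set when httproute.enabled=true" }}{{- end }}`, or at least say so in a comment next to `hostnames: []` in values.yaml. The same check is worth having for `parentRefs`, whose default `[]` renders an empty `parentRefs:` and a route attached to no gateway. `{{ .name }}` and `{{ .sectionName }}` would also be safer with `| quote`.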
@@ -107,17 +113,25 @@ autoscaling:
 targetCPUUtilizationPercentage: 80
 # targetMemoryUtilizationPercentage: 80

-# Additional volumes on the output Deployment definition.
+# Additional volumes on the pod (merged with built-in config volume when config.enabled).
+# Each volume here must have a matching mount in volumeMounts.
 volumes: []
-# - name: foo
+# - name: certs
 # secret:
-# secretName: mysecret
+# secretName: my-tls-secret
 # optional: false
+# - name: extra-config
+# configMap:
+# name: my-config

-# Additional volumeMounts on the output Deployment definition.
+# Additional volumeMounts for the main container (merged with config mount when config.enabled).
+# Names must match entries in volumes.
 volumeMounts: []
-# - name: foo
-# mountPath: "/etc/foo"
+# - name: certs
+# mountPath: /etc/certs
+# readOnly: true
+# - name: extra-config
+# mountPath: /etc/extra
 # readOnly: true

 nodeSelector: {}
@@ -135,3 +149,20 @@ garageConfig:
 auth:
 # Generate this using: htpasswd -nbBC 10 "admin" "yourpassword"
 userPassHash: ""
+
+# API credentials (admin API key, auth hash) from an existing Secret.
+# When enabled, env vars are set via secretKeyRef; otherwise values from garageConfig.adminApiKey and auth.userPassHash are used.
+secretRefs:
+ enabled: false
+ # Name of the existing Secret (required when enabled)
+ name: ""
+ # Map of environment variable names to Secret data keys
+ keys:
+ API_ADMIN_KEY: "" # e.g. "admin-api-key"
+ AUTH_USER_PASS: "" # e.g. "user-pass-hash"
+
+config:
+ # -- Enable mounting of the config file
+ enabled: false
+ # -- Name of the ConfigMap to mount
+ name: "garage-webui-config"