From a22accb992f2192bbe9a42b41bc056718c412107 Mon Sep 17 00:00:00 2001
From: Jennings Zhang
Date: Wed, 22 Jan 2025 18:50:50 -0500
Subject: [PATCH] Accept root credentials from existing secret
---
 .../templates/openobserve-statefulset.yaml | 12 ++++++++++++
 .../templates/secret.yaml | 4 +++-
 .../templates/zplane-deployment.yaml | 18 ++++++++++++++++--
 charts/openobserve-standalone/values.yaml | 12 ++++++++++++
 4 files changed, 43 insertions(+), 3 deletions(-)
diff --git a/charts/openobserve-standalone/templates/openobserve-statefulset.yaml b/charts/openobserve-standalone/templates/openobserve-statefulset.yaml
index d04c1ff..350771e 100644
--- a/charts/openobserve-standalone/templates/openobserve-statefulset.yaml
+++ b/charts/openobserve-standalone/templates/openobserve-statefulset.yaml
@@ -86,6 +86,18 @@ spec:
 - secretRef:
 name: {{ include "openobserve.fullname" . }}
 env:
+ {{- if .Values.auth.existingRootUserSecret.name }}
+ - name: ZO_ROOT_USER_EMAIL
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.auth.existingRootUserSecret.name }}
+ key: {{ .Values.auth.existingRootUserSecret.emailKey }}
+ - name: ZO_ROOT_USER_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.auth.existingRootUserSecret.name }}
+ key: {{ .Values.auth.existingRootUserSecret.passwordKey }}
+ {{- end }}
 {{- with .Values.extraEnv }}
 {{- toYaml . | nindent 12 }}
 {{- end }}
diff --git a/charts/openobserve-standalone/templates/secret.yaml b/charts/openobserve-standalone/templates/secret.yaml
index adb6c86..06a5244 100644
--- a/charts/openobserve-standalone/templates/secret.yaml
+++ b/charts/openobserve-standalone/templates/secret.yaml
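Review bot: The `name` and `key` fields of the two `secretKeyRef` entries added under `env:` are rendered unquoted and unvalidated, so an override that empties `emailKey` or `passwordKey` renders `key:` as null and the mistake only surfaces when the API server rejects the StatefulSet. Failing at template time is clearer: `key: {{ required "auth.existingRootUserSecret.passwordKey must be set" .Values.auth.existingRootUserSecret.passwordKey | quote }}`, the same for `emailKey`, and `| quote` on `name`. The zplane-deployment.yaml hunk repeats these four fields and would take the same change. The container spec that owns this `env:` list starts outside the hunk.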
@@ -6,8 +6,10 @@ metadata:
 labels: {{- include "openobserve.labels" . | nindent 4 }}
 type: Opaque
 stringData:
+ {{- if not .Values.auth.existingRootUserSecret.name }}
 ZO_ROOT_USER_EMAIL: "{{ .Values.auth.ZO_ROOT_USER_EMAIL }}"
 ZO_ROOT_USER_PASSWORD: "{{ .Values.auth.ZO_ROOT_USER_PASSWORD }}"
+ {{- end }}
 {{- if not .Values.minio.enabled }}
 ZO_S3_ACCESS_KEY: "{{ .Values.auth.ZO_S3_ACCESS_KEY }}"
 {{- else }}
@@ -26,4 +28,4 @@ stringData:
 AZURE_STORAGE_ACCOUNT_KEY: "{{ .Values.config.AZURE_STORAGE_ACCOUNT_KEY }}"
 AZURE_STORAGE_ACCOUNT_NAME: "{{ .Values.config.AZURE_STORAGE_ACCOUNT_NAME }}"
 {{- end }}
- {{- end }}
\ No newline at end of file
+ {{- end }}
diff --git a/charts/openobserve-standalone/templates/zplane-deployment.yaml b/charts/openobserve-standalone/templates/zplane-deployment.yaml
index 6099365..051163a 100644
--- a/charts/openobserve-standalone/templates/zplane-deployment.yaml
+++ b/charts/openobserve-standalone/templates/zplane-deployment.yaml
@@ -51,9 +51,23 @@ spec:
 {{- toYaml .Values.zplane.resources | nindent 12 }}
 env:
 - name: ZPLANE_ZO_USERNAME
- value: "{{ .Values.auth.ZO_ROOT_USER_EMAIL }}"
+ {{- if .Values.auth.existingRootUserSecret.name }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.auth.existingRootUserSecret.name }}
+ key: {{ .Values.auth.existingRootUserSecret.emailKey }}
+ {{- else }}
+ value: {{ .Values.auth.ZO_ROOT_USER_EMAIL | quote }}
+ {{- end }}
 - name: ZPLANE_ZO_PASSWORD
- value: "{{ .Values.auth.ZO_ROOT_USER_PASSWORD }}"
+ {{- if .Values.auth.existingRootUserSecret.name }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.auth.existingRootUserSecret.name }}
+ key: {{ .Values.auth.existingRootUserSecret.passwordKey }}
+ {{- else }}
+ value: {{ .Values.auth.ZO_ROOT_USER_PASSWORD | quote }}
+ {{- end }}
 - name: ZPLANE_ZO_ENDPOINT
 value: "http://{{ include "openobserve.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.service.port }}"
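Review bot: The two inline credentials now wrapped by the `if not` guard in secret.yaml are still interpolated inside hand-written quotes, so a password containing `"` or `\` either fails to render or is stored with a value different from the one the operator set. The zplane-deployment.yaml hunk of this same commit moves to `| quote`, and the Secret should match it: `ZO_ROOT_USER_PASSWORD: {{ .Values.auth.ZO_ROOT_USER_PASSWORD | quote }}` and likewise for `ZO_ROOT_USER_EMAIL`. The `stringData` block continues past the end of the hunk.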
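Review bot: In the `else` branches of the zplane-deployment.yaml hunk the root password is still written as a literal `value:` in the Deployment spec, where it is readable by anyone allowed to get Deployments or Pods, even though secret.yaml already puts `ZO_ROOT_USER_PASSWORD` into the chart's own Secret in that case. Both branches could use `secretKeyRef`, with only the Secret name and key switching on `existingRootUserSecret.name`; `ZPLANE_ZO_USERNAME` can take the same shape with the email key. The chart Secret's name in the sketch below is assumed from the `secretRef` in the StatefulSet hunk and should be confirmed against secret.yaml's `metadata.name`, which is not in the visible hunks. The container spec starts before this hunk, and the indentation shown is illustrative.

```yaml
            - name: ZPLANE_ZO_PASSWORD
              valueFrom:
                secretKeyRef:
                  {{- if .Values.auth.existingRootUserSecret.name }}
                  name: {{ .Values.auth.existingRootUserSecret.name | quote }}
                  key: {{ .Values.auth.existingRootUserSecret.passwordKey | quote }}
                  {{- else }}
                  # chart-managed Secret; name assumed to match the StatefulSet's envFrom secretRef
                  name: {{ include "openobserve.fullname" . }}
                  key: ZO_ROOT_USER_PASSWORD
                  {{- end }}
            # … unchanged: ZPLANE_ZO_ENDPOINT entry …
```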
diff --git a/charts/openobserve-standalone/values.yaml b/charts/openobserve-standalone/values.yaml
index e5ec3c3..0134563 100644
--- a/charts/openobserve-standalone/values.yaml
+++ b/charts/openobserve-standalone/values.yaml
@@ -61,9 +61,21 @@ headless:
 # Credentials for authentication
 auth:
+ # Either specify root user credentials here, or use an existing secret.
+
+ # OpenObserve root user email
 ZO_ROOT_USER_EMAIL: "root@example.com"
+ # OpenObserve root user password
 ZO_ROOT_USER_PASSWORD: "Complexpass#123"
+ existingRootUserSecret:
+ # Existing secret with OpenObserve root user credentials.
+ name: ""
+ # Email key to be retrieved from existing secret
+ emailKey: "ZO_ROOT_USER_EMAIL"
+ # Password key to be retrieved from existing secret
+ passwordKey: "ZO_ROOT_USER_PASSWORD"
+
 # do not need to set this if enabled minio is being used. settings will be picked from minio section. Also IRSA is preferred if on EKS. Set the Service account section with the correct IAM role ARN. Refer https://zinc.dev/docs/guide/ha_deployment/#amazon-eks-s3
 ZO_S3_ACCESS_KEY: ""
 ZO_S3_SECRET_KEY: ""
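Review bot: The comments added under `auth:` do not say which credential source wins or what the existing Secret must contain. Going by the templates in this commit, a non-empty `existingRootUserSecret.name` makes the chart ignore `ZO_ROOT_USER_EMAIL` and `ZO_ROOT_USER_PASSWORD`, and the pods read the Secret through `secretKeyRef`, so it has to exist in the release namespace with both keys before they can start; a comment such as `# If name is set, the two inline values above are ignored; the Secret must already exist in the release namespace and contain emailKey and passwordKey.` would record that. The inline default is also worth marking, for example `# Sample value only: override it or set existingRootUserSecret.name before deploying.`, since the chart installs with that published password when nothing is overridden.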