From c053e57068cb33a069c2ae8f66f61d7f50d0c4eb Mon Sep 17 00:00:00 2001
From: Alik <43503284+alikhtag@users.noreply.github.com>
Date: Sat, 30 Sep 2023 22:44:38 +0200
Subject: [PATCH] Add paramaters in Helm chart to load OIDC clientSecret from Secret Resource (#17784)
---
 helm/minio/templates/deployment.yaml | 7 +++++++
 helm/minio/templates/statefulset.yaml | 7 +++++++
 helm/minio/values.yaml | 3 +++
 3 files changed, 17 insertions(+)
diff --git a/helm/minio/templates/deployment.yaml b/helm/minio/templates/deployment.yaml
index 555c0ac56..da6297332 100644
--- a/helm/minio/templates/deployment.yaml
+++ b/helm/minio/templates/deployment.yaml
@@ -120,7 +120,14 @@ spec:
 - name: MINIO_IDENTITY_OPENID_CLIENT_ID
 value: {{ .Values.oidc.clientId }}
 - name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
+ {{- if and .Values.oidc.existingClientSecretName .Values.oidc.existingClientSecretKey }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.oidc.existingClientSecretName }}
+ key: {{ .Values.oidc.existingClientSecretKey }}
+ {{- else }}
 value: {{ .Values.oidc.clientSecret }}
+ {{- end }}
 - name: MINIO_IDENTITY_OPENID_CLAIM_NAME
 value: {{ .Values.oidc.claimName }}
 - name: MINIO_IDENTITY_OPENID_CLAIM_PREFIX
diff --git a/helm/minio/templates/statefulset.yaml b/helm/minio/templates/statefulset.yaml
index 91ac782ca..c95cba226 100644
--- a/helm/minio/templates/statefulset.yaml
+++ b/helm/minio/templates/statefulset.yaml
@@ -158,7 +158,14 @@ spec:
 - name: MINIO_IDENTITY_OPENID_CLIENT_ID
 value: {{ .Values.oidc.clientId }}
 - name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
+ {{- if and .Values.oidc.existingClientSecretName .Values.oidc.existingClientSecretKey }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.oidc.existingClientSecretName }}
+ key: {{ .Values.oidc.existingClientSecretKey }}
+ {{- else }}
 value: {{ .Values.oidc.clientSecret }}
+ {{- end }}
 - name: MINIO_IDENTITY_OPENID_CLAIM_NAME
 value: {{ .Values.oidc.claimName }}
 - name: MINIO_IDENTITY_OPENID_CLAIM_PREFIX
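Review bot: Setting only one of `oidc.existingClientSecretName` / `oidc.existingClientSecretKey` makes the `and` test false, so the template quietly takes the `else` branch and renders the inline `clientSecret` (empty by default in values.yaml) instead of failing the render. Consider changing the condition to `or` and guarding each reference, e.g. `name: {{ required "oidc.existingClientSecretName is required when existingClientSecretKey is set" .Values.oidc.existingClientSecretName | quote }}`, with the matching line for `key:`. The `| quote` also keeps an all-digit or boolean-looking Secret name or key from being rendered as a non-string. The same applies to the identical hunk in helm/minio/templates/statefulset.yaml; in both files the env list starts and ends outside the hunk.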
diff --git a/helm/minio/values.yaml b/helm/minio/values.yaml
index 55c7bec98..1c2c8e397 100644
--- a/helm/minio/values.yaml
+++ b/helm/minio/values.yaml
@@ -486,6 +486,9 @@ oidc:
 configUrl: "https://identity-provider-url/.well-known/openid-configuration"
 clientId: "minio"
 clientSecret: ""
+ # Provide existing client secret from the Kubernetes Secret resource, existing secret will have priority over `clientSecret`
+ existingClientSecretName: ""
+ existingClientSecretKey: ""
 claimName: "policy"
 scopes: "openid,profile,email"
 redirectUri: "https://console-endpoint-url/oauth_callback"
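Review bot: The comment added above `existingClientSecretName` does not say that both keys have to be set before the Secret is used, nor that the Secret must already exist in the release namespace, since `secretKeyRef` is resolved in the pod's own namespace. Suggested wording: `# Read the OIDC client secret from an existing Kubernetes Secret in the release namespace; set both existingClientSecretName and existingClientSecretKey, which then take priority over clientSecret.` It may also be worth noting there that `clientSecret` should be left empty in that case so the value does not sit in plain text in the values file. The `oidc:` mapping starts and ends outside the hunk.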