From 561692dfb1965a6e231d56890c3ff8b64ed32cb9 Mon Sep 17 00:00:00 2001
From: Guangning E <guangning@streamnative.io>
Date: Thu, 18 Dec 2025 10:34:06 +0800
Subject: [PATCH 1/2] Support save db password to secret

---
 .../streamnative-console-statefulset.yaml     | 25 +++++++++++++------
 charts/sn-platform-slim/values.yaml           |  6 +++--
 .../streamnative-console-statefulset.yaml     | 25 +++++++++++++------
 charts/sn-platform/values.yaml                |  6 +++--
 4 files changed, 42 insertions(+), 20 deletions(-)

diff --git a/charts/sn-platform-slim/templates/streamnative-console/streamnative-console-statefulset.yaml b/charts/sn-platform-slim/templates/streamnative-console/streamnative-console-statefulset.yaml
index 7fabc66ef..c67f18110 100644
--- a/charts/sn-platform-slim/templates/streamnative-console/streamnative-console-statefulset.yaml
+++ b/charts/sn-platform-slim/templates/streamnative-console/streamnative-console-statefulset.yaml
@@ -134,6 +134,12 @@ spec:
               if [ -f "/pulsar-manager/secrets/pulsar-jwt/TOKEN" ]; then
                 export TOKEN=$(cat /pulsar-manager/secrets/pulsar-jwt/TOKEN)
               fi
+              if [ -f "/pulsar-manager/secrets/db-password/DB_PASSWORD" ]; then
+                export DB_PASSWORD=$(cat /pulsar-manager/secrets/db-password/DB_PASSWORD)
+              fi
+              if [ -f "/pulsar-manager/secrets/db-password/NEW_PASSWORD" ]; then
+                export NEW_PASSWORD=$(cat /pulsar-manager/secrets/db-password/NEW_PASSWORD)
+              fi
               /pulsar-manager/entrypoint.sh
           env:
           - name: SPRING_CONFIGURATION_FILE
@@ -148,18 +154,10 @@ spec:
           - name: GLOBAL_RESOURCE_READ_ONLY
             value: "true"
           {{- end }}
-          {{- if .Values.streamnative_console.configData.DB_PASSWORD }}
-          - name: DB_PASSWORD
-            value: {{ .Values.streamnative_console.configData.DB_PASSWORD | b64dec | quote }}
-          {{- end }}
           {{- if hasSuffix "-all" .Values.images.streamnative_console.tag }}
           - name: DB_BASE
             value: sqlite
           {{- end }}
-          {{- if .Values.streamnative_console.configData.NEW_PASSWORD }}
-          - name: NEW_PASSWORD
-            value: {{ .Values.streamnative_console.configData.NEW_PASSWORD | b64dec | quote }}
-          {{- end }}
           - name: CONNECTOR_ENABLED
             value: "{{ .Values.streamnative_console.configData.CONNECTOR_ENABLED | default "true" }}"
           {{- with .Values.streamnative_console.extraEnv }}
@@ -299,6 +297,11 @@ spec:
             mountPath: /pulsar-manager/secrets/pulsar-jwt
             readOnly: true
           {{- end }}
+          {{- if .Values.streamnative_console.dbPasswordSecret }}
+          - name: db-password-secret
+            mountPath: /pulsar-manager/secrets/db-password
+            readOnly: true
+          {{- end }}
         - name: "{{ template "pulsar.fullname" . }}-{{ .Values.streamnative_console.component }}-gateway"
           image: "{{ .Values.images.streamnative_console.repository }}:{{ .Values.images.streamnative_console.tag }}"
           imagePullPolicy: {{ .Values.images.streamnative_console.pullPolicy }}
@@ -437,6 +440,12 @@ spec:
           secretName: {{ .Values.streamnative_console.login.sso.pulsarJwt.config.SERVICE_ACCOUNT_SUPER_TOKEN_SECRET }}
           defaultMode: 0440
       {{- end }}
+      {{- if .Values.streamnative_console.dbPasswordSecret }}
+      - name: db-password-secret
+        secret:
+          secretName: {{ .Values.streamnative_console.dbPasswordSecret }}
+          defaultMode: 0440
+      {{- end }}
       {{- if .Values.streamnative_console.securityContext }}
       securityContext: {{- toYaml .Values.streamnative_console.securityContext | nindent 8 }}
       {{- end }}
diff --git a/charts/sn-platform-slim/values.yaml b/charts/sn-platform-slim/values.yaml
index dd3b50405..6b135e66d 100644
--- a/charts/sn-platform-slim/values.yaml
+++ b/charts/sn-platform-slim/values.yaml
@@ -2396,10 +2396,12 @@ streamnative_console:
     GRAFANA_AUTH_PROXY_USER: ""
     CONNECTOR_ENABLED: true
     OPENAPI_ENABLED: false
-    # please use base64 encoded your password
-    DB_PASSWORD: ""
   # Extra environment variables for streamnative-console container
   extraEnv: []
+  # Secret name containing DB_PASSWORD and NEW_PASSWORD keys
+  # The secret should have two keys: DB_PASSWORD and NEW_PASSWORD
+  # Example: kubectl create secret generic my-db-password-secret --from-literal=DB_PASSWORD=xxx --from-literal=NEW_PASSWORD=yyy
+  dbPasswordSecret: ""
 
   login:
     sso:
diff --git a/charts/sn-platform/templates/streamnative-console/streamnative-console-statefulset.yaml b/charts/sn-platform/templates/streamnative-console/streamnative-console-statefulset.yaml
index 43c9237de..8f0153a25 100644
--- a/charts/sn-platform/templates/streamnative-console/streamnative-console-statefulset.yaml
+++ b/charts/sn-platform/templates/streamnative-console/streamnative-console-statefulset.yaml
@@ -176,6 +176,12 @@ spec:
               if [ -f "/pulsar-manager/secrets/pulsar-jwt/TOKEN" ]; then
                 export TOKEN=$(cat /pulsar-manager/secrets/pulsar-jwt/TOKEN)
               fi
+              if [ -f "/pulsar-manager/secrets/db-password/DB_PASSWORD" ]; then
+                export DB_PASSWORD=$(cat /pulsar-manager/secrets/db-password/DB_PASSWORD)
+              fi
+              if [ -f "/pulsar-manager/secrets/db-password/NEW_PASSWORD" ]; then
+                export NEW_PASSWORD=$(cat /pulsar-manager/secrets/db-password/NEW_PASSWORD)
+              fi
               /pulsar-manager/entrypoint.sh
           env:
           - name: SPRING_CONFIGURATION_FILE
@@ -192,18 +198,10 @@ spec:
           - name: GLOBAL_RESOURCE_READ_ONLY
             value: "true"
           {{- end }}
-          {{- if .Values.streamnative_console.configData.DB_PASSWORD }}
-          - name: DB_PASSWORD
-            value: {{ .Values.streamnative_console.configData.DB_PASSWORD | b64dec | quote }}
-          {{- end }}
           {{- if hasSuffix "-all" .Values.images.streamnative_console.tag }}
           - name: DB_BASE
             value: sqlite
           {{- end }}
-          {{- if .Values.streamnative_console.configData.NEW_PASSWORD }}
-          - name: NEW_PASSWORD
-            value: {{ .Values.streamnative_console.configData.NEW_PASSWORD | b64dec | quote }}
-          {{- end }}
           - name: CONNECTOR_ENABLED
             value: "{{ .Values.streamnative_console.configData.CONNECTOR_ENABLED | default "true" }}"
           {{- with .Values.streamnative_console.extraEnv }}
@@ -352,6 +350,11 @@ spec:
             mountPath: /pulsar-manager/secrets/pulsar-jwt
             readOnly: true
           {{- end }}
+          {{- if .Values.streamnative_console.dbPasswordSecret }}
+          - name: db-password-secret
+            mountPath: /pulsar-manager/secrets/db-password
+            readOnly: true
+          {{- end }}
         - name: "{{ template "pulsar.fullname" . }}-{{ .Values.streamnative_console.component }}-gateway"
           image: "{{ .Values.images.streamnative_console.repository }}:{{ .Values.images.streamnative_console.tag }}"
           {{- if .Values.streamnative_console.securityContext }}
@@ -496,6 +499,12 @@ spec:
           secretName: {{ .Values.streamnative_console.login.sso.pulsarJwt.config.SERVICE_ACCOUNT_SUPER_TOKEN_SECRET }}
           defaultMode: 0440
       {{- end }}
+      {{- if .Values.streamnative_console.dbPasswordSecret }}
+      - name: db-password-secret
+        secret:
+          secretName: {{ .Values.streamnative_console.dbPasswordSecret }}
+          defaultMode: 0440
+      {{- end }}
       {{- if .Values.streamnative_console.securityContext }}
       securityContext: {{- toYaml .Values.streamnative_console.securityContext | nindent 8 }}
       {{- end }}
diff --git a/charts/sn-platform/values.yaml b/charts/sn-platform/values.yaml
index 4bef142d4..0f414137d 100644
--- a/charts/sn-platform/values.yaml
+++ b/charts/sn-platform/values.yaml
@@ -2487,10 +2487,12 @@ streamnative_console:
     CONNECTOR_ENABLED: true
     CUSTOM_PAYLOAD_ENABLED: false
     OPENAPI_ENABLED: false
-    # please use base64 encoded your password
-    DB_PASSWORD: ""
   # Extra environment variables for streamnative-console container
   extraEnv: []
+  # Secret name containing DB_PASSWORD and NEW_PASSWORD keys
+  # The secret should have two keys: DB_PASSWORD and NEW_PASSWORD
+  # Example: kubectl create secret generic my-db-password-secret --from-literal=DB_PASSWORD=xxx --from-literal=NEW_PASSWORD=yyy
+  dbPasswordSecret: ""
 
   login:
     sso:

From e7f4957f0f2ae38354ff9e31f0d980ad75a99881 Mon Sep 17 00:00:00 2001
From: Guangning E <guangning@streamnative.io>
Date: Thu, 18 Dec 2025 10:37:43 +0800
Subject: [PATCH 2/2] Fixed comment

---
 charts/sn-platform-slim/values.yaml | 10 +++++++++-
 charts/sn-platform/values.yaml      | 10 +++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/charts/sn-platform-slim/values.yaml b/charts/sn-platform-slim/values.yaml
index 6b135e66d..3dda202ba 100644
--- a/charts/sn-platform-slim/values.yaml
+++ b/charts/sn-platform-slim/values.yaml
@@ -2400,7 +2400,15 @@ streamnative_console:
   extraEnv: []
   # Secret name containing DB_PASSWORD and NEW_PASSWORD keys
   # The secret should have two keys: DB_PASSWORD and NEW_PASSWORD
-  # Example: kubectl create secret generic my-db-password-secret --from-literal=DB_PASSWORD=xxx --from-literal=NEW_PASSWORD=yyy
+  # Example command to create the secret:
+  # kubectl create secret generic my-db-password-secret \
+  #   --from-literal=DB_PASSWORD=your-db-password \
+  #   --from-literal=NEW_PASSWORD=your-new-password
+  # Example command to update the secret:
+  # kubectl create secret generic my-db-password-secret \
+  #   --from-literal=DB_PASSWORD=your-new-db-password \
+  #   --from-literal=NEW_PASSWORD=your-new-password \
+  #   --dry-run=client -o yaml | kubectl apply -f -
   dbPasswordSecret: ""
 
   login:
diff --git a/charts/sn-platform/values.yaml b/charts/sn-platform/values.yaml
index 0f414137d..12118763c 100644
--- a/charts/sn-platform/values.yaml
+++ b/charts/sn-platform/values.yaml
@@ -2491,7 +2491,15 @@ streamnative_console:
   extraEnv: []
   # Secret name containing DB_PASSWORD and NEW_PASSWORD keys
   # The secret should have two keys: DB_PASSWORD and NEW_PASSWORD
-  # Example: kubectl create secret generic my-db-password-secret --from-literal=DB_PASSWORD=xxx --from-literal=NEW_PASSWORD=yyy
+  # Example command to create the secret:
+  # kubectl create secret generic my-db-password-secret \
+  #   --from-literal=DB_PASSWORD=your-db-password \
+  #   --from-literal=NEW_PASSWORD=your-new-password
+  # Example command to update the secret:
+  # kubectl create secret generic my-db-password-secret \
+  #   --from-literal=DB_PASSWORD=your-new-db-password \
+  #   --from-literal=NEW_PASSWORD=your-new-password \
+  #   --dry-run=client -o yaml | kubectl apply -f -
   dbPasswordSecret: ""
 
   login: