Objective
Modify the Leantime Helm chart under helm/leantime/ to support sourcing the session cookie encryption password from an existing Secret.
Requirements:
- Backwards compatible:
  - If app.session.existingSecret.name is set → the chart uses that Secret/key.
  - Otherwise the chart falls back to app.session.password (and, if it currently generates a Secret, keeps doing so).
- No secret values committed to Git.
- Works with the 1Password Operator creating the Secret in the target namespace before the Helm release.
Implementation steps
1) Update values.yaml schema
Edit helm/leantime/values.yaml to introduce new values under app.session:
- existingSecret object:
  - name (string, default "")
  - key (string, default "session-password")
Keep the existing password field for fallback/back-compat, but update comments to strongly discourage committing it.
Add this block:
app:
  session:
    existingSecret:
      name: ""
      key: "session-password"
    password: ""
Also update your existing documentation/comments nearby to state:
- Use existingSecret for production / GitOps.
- Use password only for quick local testing.
2) Identify where the session password is currently wired
In helm/leantime/templates/, locate where app.session.password is used. It will be in one of:
- deployment.yaml env var LEAN_SESSION_PASSWORD (or similar), or
- a generated Secret template + envFrom, or
- a ConfigMap/Secret volume mount
Copilot must:
- Search for session.password usage:
  rg -n "session\.password|LEAN_SESSION|password.*session" helm/leantime/templates
- Confirm the exact env var name the app expects (don't guess).
3) Add helper template functions
Create or update helm/leantime/templates/_helpers.tpl with helper functions to resolve:
- the secret name to use
- the secret key to use
Add:
{{- define "leantime.sessionSecretName" -}}
{{- if .Values.app.session.existingSecret.name -}}
{{- .Values.app.session.existingSecret.name -}}
{{- else -}}
{{- include "leantime.fullname" . -}}
{{- end -}}
{{- end -}}
{{- define "leantime.sessionSecretKey" -}}
{{- if .Values.app.session.existingSecret.key -}}
{{- .Values.app.session.existingSecret.key -}}
{{- else -}}
session-password
{{- end -}}
{{- end -}}
Notes:
include "leantime.fullname" must match whatever the chart uses today for its generated Secret naming. If it currently uses a different name (e.g., {{ include "leantime.fullname" . }}-app), use that instead. Copilot must align to existing naming.
4) Adjust Secret template generation logic (if chart generates a Secret today)
If the chart has a templates/secret.yaml (or similar) that currently includes the session password:
Change it so the chart only generates the session secret when NOT using existingSecret.
Pattern:
{{- if not .Values.app.session.existingSecret.name }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "leantime.sessionSecretName" . }}
type: Opaque
data:
  {{ include "leantime.sessionSecretKey" . }}: {{ required "app.session.password is required when app.session.existingSecret.name is empty" .Values.app.session.password | b64enc }}
{{- end }}
Key requirements:
- Use required so Helm fails fast if neither existingSecret.name nor password is provided.
- Use the key returned by leantime.sessionSecretKey (so you can standardize the key even in generated mode).
- If the chart already has a Secret with multiple keys, only gate the session password portion or gate the whole Secret depending on how it’s structured. Don’t break other keys.
5) Update Deployment to always reference the resolved secret name/key
In templates/deployment.yaml, set the session password env var using valueFrom.secretKeyRef, pointing to:
- name: {{ include "leantime.sessionSecretName" . }}
- key: {{ include "leantime.sessionSecretKey" . }}
Example (adjust env var name to match chart):
- name: LEAN_SESSION_PASSWORD
  valueFrom:
    secretKeyRef:
      name: {{ include "leantime.sessionSecretName" . }}
      key: {{ include "leantime.sessionSecretKey" . }}
Important:
- If the chart currently sets the env var directly from .Values.app.session.password, remove that direct wiring.
- Do not use envFrom unless the chart already standardizes on it; keep changes minimal.
6) Add validation in templates
Add a guard that ensures one of the two is set:
.Values.app.session.existingSecret.name OR .Values.app.session.password
You can do this in the Secret template (via required) and/or at the top of the deployment template:
{{- if and (not .Values.app.session.existingSecret.name) (not .Values.app.session.password) -}}
{{- fail "Either app.session.existingSecret.name must be set, or app.session.password must be provided." -}}
{{- end -}}
Prefer fail (clear error) rather than silently producing an invalid deployment.
7) Update your GitOps values to use 1Password secret
In your helm/leantime/values.yaml (your environment values), remove app.session.password entirely and set:
app:
  session:
    existingSecret:
      name: leantime-app
      key: session-password
Then your 1Password Operator item should render:
- Secret name: leantime-app
- Key: session-password
8) Acceptance tests (must pass)
Copilot must run these locally (or provide exact commands + expected outcomes):
- Existing secret mode renders correctly
  helm template leantime helm/leantime -f helm/leantime/values.yaml
  Expected:
  - Deployment includes the env var with secretKeyRef.name: leantime-app
  - The chart does not render a generated Secret for the session password (if you gated it)
- Fallback mode fails fast if missing
  Set existingSecret.name: "" and password: "" and re-run template.
  Expected:
  - Helm template fails with your error message.
- Fallback mode works
  Set existingSecret.name: "" and password: "test" and re-run.
  Expected:
  - A Secret is generated (if that's how the chart works today)
  - Deployment points at that generated secret/key
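An added acceptance check for step 8 (my example, not code from the Leantime chart or from this spec): it renders the chart with helm template and inspects the manifest text with plain regexes, so no YAML library is needed. It assumes the env var is named LEAN_SESSION_PASSWORD; change ENV_VAR to whatever the rg search in step 2 reveals.

```python
import re
import subprocess

ENV_VAR = "LEAN_SESSION_PASSWORD"  # assumption: adjust to the env var the chart really uses

def render(chart="helm/leantime", values="helm/leantime/values.yaml", *set_args):
    """Run `helm template` (helm must be on PATH) and return the manifest text."""
    cmd = ["helm", "template", "leantime", chart, "-f", values]
    for s in set_args:
        cmd += ["--set", s]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def session_env_ref(manifest):
    """Return (secret name, key) that ENV_VAR's secretKeyRef points at, or None."""
    # Grab the indented lines after the env entry, stopping at the next list item.
    m = re.search(r"-\s+name:\s*" + re.escape(ENV_VAR)
                  + r"\s*\n((?:(?![ \t]*-\s)[ \t]+\S.*\n?)*)", manifest)
    if not m or "secretKeyRef" not in m.group(1):
        return None  # env var missing, or still wired via a plain `value:`
    name = re.search(r"^\s+name:\s*(\S+)", m.group(1), re.M)
    key = re.search(r"^\s+key:\s*(\S+)", m.group(1), re.M)
    return (name.group(1), key.group(1)) if name and key else None

def secrets_with_key(manifest, key):
    """Names of rendered Secret objects whose data contains `key`."""
    found = []
    for doc in re.split(r"^---[ \t]*$", manifest, flags=re.M):
        if re.search(r"^kind:\s*Secret\s*$", doc, re.M) and re.search(
                r"^\s+" + re.escape(key) + r":", doc, re.M):
            name = re.search(r"^\s+name:\s*(\S+)", doc, re.M)
            found.append(name.group(1) if name else "<unnamed>")
    return found

def check_existing_secret_mode(manifest, secret_name, key):
    """Step 8 case 1: env var references the external Secret; none is generated."""
    problems = []
    if session_env_ref(manifest) != (secret_name, key):
        problems.append(f"{ENV_VAR} is not a secretKeyRef to {secret_name}/{key}")
    if secrets_with_key(manifest, key):
        problems.append(f"chart still renders a Secret containing {key}")
    return problems

def check_fallback_mode(manifest, key):
    """Step 8 case 3: a Secret with `key` is generated and the env var points at it."""
    ref, generated = session_env_ref(manifest), secrets_with_key(manifest, key)
    if not generated:
        return [f"no generated Secret with key {key}"]
    if ref is None or ref[0] not in generated or ref[1] != key:
        return [f"{ENV_VAR} does not reference the generated Secret"]
    return []
```

Run `check_existing_secret_mode(render(), "leantime-app", "session-password")` against your GitOps values and `check_fallback_mode(render("helm/leantime", "helm/leantime/values.yaml", "app.session.existingSecret.name=", "app.session.password=test"), "session-password")` for the fallback case; an empty list means the check passed.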
Notes for ArgoCD wiring (what you should change after patch)
- Your ArgoCD Application stays pointed at path: helm/leantime in your repo.
- Your 1Password secrets app must sync before the Helm app (your sync-wave 10/20 pattern is correct).
- You can now delete the committed app.session.password from Git permanently.