OctopusDeploy · Astabh · Sep 12, 2025 · Sep 12, 2025 · Sep 12, 2025 · Sep 12, 2025
@@ -165,3 +165,54 @@ The resulting endpoints will be:
 Your Octopus Kubernetes Agents and Virtual Machine Polling Tentacles must be configured to poll every Octopus server node.  Documentation for configuring this can be found below:
 - [Kubernetes Agent](https://octopus.com/docs/infrastructure/deployment-targets/kubernetes/kubernetes-agent/ha-cluster-support#octopus-deploy-ha-cluster)
 - [Virtual Machine Polling Tentacles](https://octopus.com/docs/administration/high-availability/maintain/polling-tentacles-with-ha)
+
+
+### External Secrets Management
+
+By default, this chart creates and manages Kubernetes secrets automatically. However, you can configure it to use external secrets management systems like HashiCorp Vault, Azure Key Vault, AWS Secrets Manager, or External Secrets Operator (ESO).
+
+#### Using External Secrets
+
+To use external secrets, set `createSecrets: false` in your values:
+
+```yaml
+octopus:
+  createSecrets: false
+  # When createSecrets is false, the following fields are ignored
+  # masterKey: ""
+  # databaseConnectionString: ""  
+  # username: ""
+  # password: ""
+  # licenseKeyBase64: ""
+
+mssql:
+  enabled: true
+  createSecrets: false  # Must match octopus.createSecrets when using built-in SQL Server
+```
+
+#### Required External Secret Names
+
+When `createSecrets: false`, you must provide the following secrets in your cluster before deploying:
+
+| Secret Name | Key | Description |
+|-------------|-----|-------------|
+| `{{ .Release.Name }}-adminusername` | `secret` | Octopus admin username |
+| `{{ .Release.Name }}-adminpassword` | `secret` | Octopus admin password |
+| `{{ .Release.Name }}-masterkey` | `secret` | Master key for encrypting sensitive data |
+| `{{ .Release.Name }}-licensekey` | `secret` | Base64-encoded Octopus license key |
+
+##### When Using Built-in SQL Server (`mssql.enabled: true`)
+
+Additionally provide:
+| Secret Name | Key | Description |
+|-------------|-----|-------------|
+| `{{ .Release.Name }}-sapassword` | `secret` | SQL Server SA user password |
+
+The database connection string will be automatically constructed using the SA password.
+
+##### When Using External SQL Server
+
+Additionally provide:
+| Secret Name | Key | Description |
+|-------------|-----|-------------|
+| `{{ .Release.Name }}-connectionstring` | `secret` | Complete SQL Server connection string |
@@ -1,3 +1,4 @@
+{{- if .Values.createSecrets }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -6,4 +7,5 @@ metadata:
     {{- include "labels" . | nindent 4 }}
 type: Opaque
 data:
-  sa_password : {{ include "mssql.password" . | b64enc | quote}} 
+  sa_password : {{ include "mssql.password" . | b64enc | quote}} 
+{{- end }}
@@ -32,26 +32,31 @@ spec:
           ports:
            - containerPort: {{ .Values.containers.ports.containerPort}}
           env:
-           - name: MSSQL_PID
-             value: "{{ .Values.MSSQL_PID}}"
-           - name: ACCEPT_EULA
-             value: "{{ .Values.ACCEPT_EULA | upper}}"
-           - name: MSSQL_AGENT_ENABLED
-             value: "{{ .Values.MSSQL_AGENT_ENABLED}}"
-           - name: SA_PASSWORD
-             valueFrom:
-              secretKeyRef:
-               name: {{ include "mssql.name" . }}
-               key: sa_password
+            - name: MSSQL_PID
+              value: "{{ .Values.MSSQL_PID}}"
+            - name: ACCEPT_EULA
+              value: "{{ .Values.ACCEPT_EULA | upper}}"
+            - name: MSSQL_AGENT_ENABLED
+              value: "{{ .Values.MSSQL_AGENT_ENABLED}}"
+            - name: SA_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  {{- if .Values.createSecrets }}
+                  name: {{ include "mssql.name" . }}
+                  key: sa_password
+                  {{- else }}
+                  name: {{ .Release.Name }}-sapassword
+                  key: secret
+                  {{- end }}
           volumeMounts:
-           - name: mssql
-             mountPath: "/var/opt/mssql"
-           - name: mssql-config-volume
-             mountPath: /var/opt/config
+            - name: mssql
+              mountPath: "/var/opt/mssql"
+            - name: mssql-config-volume
+              mountPath: /var/opt/config
       volumes:        
       - name: mssql-config-volume
         configMap:
-         name: {{ include "mssql.name" . }}
+          name: {{ include "mssql.name" . }}
   volumeClaimTemplates:
     - metadata:
         name: mssql

@@ -51,9 +51,52 @@ spec:
       tolerations:
       {{- toYaml . | nindent 8 }}
       {{- end }}
+      # Init container builds DB connection string if mssql enabled and createSecrets is false
+      {{- if and .Values.mssql.enabled (not .Values.octopus.createSecrets) }}
+      initContainers:
+      - name: init-connection-string
+        image: busybox:1.35
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 65534
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+        command: ["/bin/sh", "-c"]
+        args:
+          - |
+            echo "Starting init container to create DB connection string..."
+            echo "Server={{ include "octopus.mssql.server" . }};Initial Catalog=OctopusDeploy;Persist Security Info=False;User ID=SA;Password=${SA_PASSWORD};Encrypt=True;Connection Timeout=30;" > /shared/db_connection_string
+            chmod 600 /shared/db_connection_string
+            echo "DB connection string written to /shared/db_connection_string"
+        env:
+          - name: SA_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ printf "%s-sapassword" .Release.Name }}
+                key: secret
+        volumeMounts:
+          - name: connection-string-vol
+            mountPath: /shared
+        resources:
+          requests:
+            memory: "16Mi"
+            cpu: "10m"
+          limits:
+            memory: "32Mi"
+            cpu: "50m"
+      {{- end }}
       containers:
       - name: octopus
         image: "{{ .Values.octopus.image.repository }}:{{ default .Chart.AppVersion .Values.octopus.image.tag }}"
+        {{- if and .Values.mssql.enabled (not .Values.octopus.createSecrets) }}
+        command: ["/bin/bash", "-c"]
+        args:
+          - |
+            echo "Reading connection string from file..."
+            export DB_CONNECTION_STRING=$(cat /shared/db_connection_string)
+            echo "Connection string loaded successfully"
+            exec ./install.sh
+        {{- end }}
         securityContext:
           {{- with .Values.octopus.containerSecurityContext }}
           {{- toYaml . | nindent 10 }}
@@ -75,11 +118,13 @@ spec:
           - name: USER
             value: octopus
           {{- end}}
+          {{- if and .Values.mssql.enabled .Values.octopus.createSecrets }}
           - name: DB_CONNECTION_STRING
             valueFrom:
               secretKeyRef:
                 name: {{printf "%s-%s" $.Release.Name "connectionstring"}}
                 key: secret
+          {{- end }}
           - name: ADMIN_USERNAME
             valueFrom:
               secretKeyRef:
@@ -146,6 +191,11 @@ spec:
             mountPath: /home/octopus/.octopus/OctopusServer/Server/Logs
           - name: audit-log-volume
             mountPath: /eventExports
+          {{- if and .Values.mssql.enabled (not .Values.octopus.createSecrets) }}
+          - name: connection-string-vol
+            mountPath: /shared
+            readOnly: true
+          {{- end }}
         {{- if .Values.octopus.resources }}
         resources:
         {{- toYaml .Values.octopus.resources | nindent 10 }}
@@ -191,6 +241,11 @@ spec:
         - name: audit-log-volume
           persistentVolumeClaim:
             claimName: audit-log-claim
+        {{- if and .Values.mssql.enabled (not .Values.octopus.createSecrets) }}
+        - name: connection-string-vol
+          emptyDir:
+            sizeLimit: 1Mi
+        {{- end }}
       {{- if .Values.dockerHub.login }}
       imagePullSecrets:
         - name: dockerhubcreds

@@ -2,7 +2,11 @@ octopus:
   # Must be set to "Y" or true to accept the EULA at https://octopus.com/legal/customer-agreement
   acceptEula: "N"
 
-  ## Allows the secrets to be managed via an external secrets provider
+  # Allows secrets to be managed via an external secrets provider
+  # - true: Chart creates and manages secrets automatically,
+  #         You can override individual secret values by using the fields below (masterKey, databaseConnectionString, username, password, licenseKeyBase64)
+  # - false: Use external secrets (e.g., from Vault, ESO etc) secret names must be
+  # Required secret names are documented in README.md
   createSecrets: true
 
   # The below 5 options are not required if createSecrets is false
@@ -186,7 +190,8 @@ dockerHub:
 mssql: 
   enabled: false
   ACCEPT_EULA: "Y"
-  SA_PASSWORD: ""
+  createSecrets: true # determines if the db password is auto generated should match octopus.createSecrets
+  SA_PASSWORD: "" # Will be ignored when createSecrets is false and will look for {{ .Release.Name }}-sapassword, You can override the password value here when createSecrets is true
 
 global:
   # Set the default storageClass to be used for all persistent volume claims