Description
The secrets.yaml template uses randAlphaNum to generate MySQL passwords on every render. While the Secret has the helm.sh/resource-policy: keep annotation (which prevents deletion on helm uninstall), it does not prevent the Secret from being overwritten during helm upgrade.
This causes the following scenario:
1. helm install — Secret is created with random password, MySQL is initialized with that password
2. helm upgrade — Secret is re-rendered with a new random password, overwriting the existing one
3. phpIPAM and cron containers receive the new password via env var, but MySQL still has the old password stored in its PVC
4. Database connection fails with Access denied for user 'phpipam'
Expected behavior: The Secret should retain its original values across upgrades.
Suggested fix: Use Helm's lookup function to check if the Secret already exists and reuse its data, only generating new random passwords on first install.
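
A sketch of the lookup-based approach suggested above, added here as an illustration and not taken from the chart itself. The Secret name (`<release>-mysql`) and the key names `mysql-root-password` and `mysql-password` are assumptions; substitute the names the chart actually uses.

```yaml
{{- /* Added example. Secret name and key names below are assumptions, not the chart's own. */ -}}
{{- $name := printf "%s-mysql" .Release.Name -}}
{{- /* lookup returns an empty map when the Secret does not exist yet (first install). */ -}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $name -}}
{{- $data := dict -}}
{{- if $existing -}}
{{- $data = (get $existing "data") | default dict -}}
{{- end -}}
{{- /* Values read back from the cluster are already base64-encoded, so only new values are encoded. */ -}}
{{- $rootPw := (get $data "mysql-root-password") | default (randAlphaNum 32 | b64enc) -}}
{{- $userPw := (get $data "mysql-password") | default (randAlphaNum 32 | b64enc) -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $name }}
  namespace: {{ .Release.Namespace }}
  annotations:
    helm.sh/resource-policy: keep
type: Opaque
data:
  mysql-root-password: {{ $rootPw | quote }}
  mysql-password: {{ $userPw | quote }}
```

`lookup` returns an empty result under `helm template` and client-side dry runs, so those renders always show freshly generated passwords; deployment pipelines that apply `helm template` output instead of running `helm upgrade` against the cluster will not get the preservation behavior.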