From aa6bafc77e87109f356b7159b356811a8ff4827d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adam=20Bi=C4=8Di=C5=A1t=C4=9B?= <adam@freshost.cz>
Date: Tue, 24 Feb 2026 12:39:48 +0100
Subject: [PATCH] fix: preserve generated secrets across helm upgrades

Use lookup to check if the Secret already exists before generating
new random passwords. Without this, every helm upgrade regenerates
the mysql-pass and mysql-root-pass values, breaking database
connectivity since MySQL retains the original password in its
persistent volume.
---
 charts/phpipam/templates/secrets.yaml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/charts/phpipam/templates/secrets.yaml b/charts/phpipam/templates/secrets.yaml
index 719864a..e524b40 100644
--- a/charts/phpipam/templates/secrets.yaml
+++ b/charts/phpipam/templates/secrets.yaml
@@ -1,12 +1,19 @@
 ---
+{{- $secretName := printf "%s-%s-secrets" .Release.Name .Chart.Name }}
+{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Release.Name }}-{{ .Chart.Name }}-secrets
+  name: {{ $secretName }}
   namespace: {{ .Release.Namespace }}
   annotations:
     "helm.sh/resource-policy": "keep"
 type: Opaque
 data:
-  {{ .Chart.Name }}-mysql-root-pass: {{ randAlphaNum 10 | b64enc | quote }}
-  {{ .Chart.Name }}-mysql-pass: {{ randAlphaNum 10 | b64enc | quote }}
+{{- if $existing }}
+  {{ .Chart.Name }}-mysql-root-pass: {{ index $existing.data (printf "%s-mysql-root-pass" .Chart.Name) }}
+  {{ .Chart.Name }}-mysql-pass: {{ index $existing.data (printf "%s-mysql-pass" .Chart.Name) }}
+{{- else }}
+  {{ .Chart.Name }}-mysql-root-pass: {{ randAlphaNum 16 | b64enc | quote }}
+  {{ .Chart.Name }}-mysql-pass: {{ randAlphaNum 16 | b64enc | quote }}
+{{- end }}