From 31b34fc9c31b4833a4839d1d1f5c866e18659b41 Mon Sep 17 00:00:00 2001
From: Lev Kokotov
Date: Fri, 12 Jun 2026 10:10:07 -0700
Subject: [PATCH 1/2] feat: allow to reference Secret for users.toml and OTEL DD API KEY
---
 Chart.yaml | 4 +--
 README.md | 54 +++++++++++++++++++++++++++++++++++++++
 templates/deployment.yaml | 18 ++++++++++++-
 templates/secrets.yaml | 2 +-
 values.yaml | 26 +++++++++++++++++++
 5 files changed, 100 insertions(+), 4 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index f960f5a..70339e8 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 name: pgdog
-version: v0.64
-appVersion: "0.1.43"
+version: v0.65
+appVersion: "0.1.44"
diff --git a/README.md b/README.md
index a04d51c..9e532f1 100644
--- a/README.md
+++ b/README.md
@@ -178,6 +178,60 @@ externalSecrets:
 secretName: "my-secret" # Name of Secret you created
 ```
+### Referencing Existing Secrets
+
+If you manage Kubernetes Secrets yourself (via `kubectl`, sealed-secrets,
+SOPS, etc.), point the chart at them directly instead of putting secret
+values in `values.yaml`. This works without the ExternalSecrets operator.
+
+#### users.toml from an existing Secret
+
+Set `usersSecret.name` to reference a Secret you created that holds the
+`users.toml` file. The chart then skips rendering its own users Secret and
+mounts yours instead:
+
+```yaml
+usersSecret:
+ name: my-pgdog-users # existing Secret in the same namespace
+ key: users.toml # key holding the users.toml content (default: users.toml)
+```
+
+Create the Secret, for example:
+
+```bash
+kubectl create secret generic my-pgdog-users \
+ --from-file=users.toml=./users.toml
+```
+
+The value is mounted at `/etc/secrets/pgdog/users.toml` regardless of the
+key name. A custom `key` is remapped automatically.
+
+#### Datadog API key from an existing Secret
+
+PgDog reads the Datadog API key from the `DD_API_KEY` environment variable.
+Reference an existing Secret and the chart injects it as `DD_API_KEY`, so the
+key is never written into `pgdog.toml` (or the ConfigMap):
+
+```yaml
+otel:
+ endpoint: https://otlp.example.com/v1/metrics # your OTLP endpoint
+ datadogApiKeySecret:
+ name: my-datadog # existing Secret in the same namespace
+ key: dd-api-key # key holding the API key (default: dd-api-key)
+```
+
+Create the Secret, for example:
+
+```bash
+kubectl create secret generic my-datadog \
+ --from-literal=dd-api-key=
+```
+
+This is mutually exclusive with the inline `otel.datadogApiKey`, which writes
+the key into the ConfigMap as plaintext and should be avoided.
+
+If both are set, the inline value takes precedence.
+
 ### ServiceAccount & RBAC
 RBAC with minimal permissions is enabled by default:
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
index d19c982..552f639 100644
--- a/templates/deployment.yaml
+++ b/templates/deployment.yaml
@@ -85,6 +85,17 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
+ {{- with .Values.otel }}
+ {{- with .datadogApiKeySecret }}
+ {{- if .name }}
+ - name: DD_API_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ .name }}
+ key: {{ .key | default "dd-api-key" }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
 {{- range .Values.env }}
 {{- if ne .name "NODE_ID" }}
 - {{- toYaml . | nindent 14 }}
@@ -181,7 +192,12 @@ spec:
 name: {{ include "pgdog.fullname" . }}
 - name: users
 secret:
- {{- if and .Values.externalSecrets.enabled
+ {{- if .Values.usersSecret.name }}
+ secretName: {{ .Values.usersSecret.name }}
+ items:
+ - key: {{ .Values.usersSecret.key | default "users.toml" }}
+ path: users.toml
+ {{- else if and .Values.externalSecrets.enabled
 .Values.externalSecrets.secretName }}
 secretName: {{ .Values.externalSecrets.secretName }}
 {{- else }}
diff --git a/templates/secrets.yaml b/templates/secrets.yaml
index f7ccad3..80c48f0 100644
--- a/templates/secrets.yaml
+++ b/templates/secrets.yaml
@@ -44,7 +44,7 @@ server_auth = {{ .serverAuth | quote }}
 {{- end }}
 {{- end -}}
-{{- if not .Values.externalSecrets.enabled }}
+{{- if and (not .Values.externalSecrets.enabled) (not .Values.usersSecret.name) }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/values.yaml b/values.yaml
index 06b2549..43ad525 100644
--- a/values.yaml
+++ b/values.yaml
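Review bot: The Secret reference is rendered unquoted at `name: {{ .name }}` and `key: {{ .key | default "dd-api-key" }}`, so a value YAML would retype (an all-digit name, for instance) reaches the API server as something other than a string; the same applies to `secretName:` and `- key:` in the second hunk of this file. Render them as `name: {{ .name | quote }}` and `key: {{ .key | default "dd-api-key" | quote }}`. Separately, the README in this patch states that the inline `otel.datadogApiKey` takes precedence when both are configured, but this hunk injects `DD_API_KEY` whenever the Secret reference is set, so which value wins appears to depend on how pgdog resolves the env var against `pgdog.toml`; if the inline value is meant to win, guard the block with `{{- if not $.Values.otel.datadogApiKey }}` or document the actual order. The env list this block belongs to starts before the hunk.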
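Review bot: When both `usersSecret.name` and `externalSecrets.enabled` are set, the new `{{- if .Values.usersSecret.name }}` branch wins and the externalSecrets branch is never reached, with no signal to the operator that their ExternalSecrets configuration is being ignored. Consider refusing to render in that case, e.g. `{{- if and .Values.usersSecret.name .Values.externalSecrets.enabled }}{{ fail "set only one of usersSecret.name or externalSecrets.enabled" }}{{- end }}` placed before the volume, or at minimum a template comment stating the precedence. The `volumes` list this entry belongs to starts before the hunk.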
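Review bot: Whether the chart owns the users Secret is now decided in two places: here as `and (not .Values.externalSecrets.enabled) (not .Values.usersSecret.name)`, and in templates/deployment.yaml as an `if`/`else if` chain that checks the same two values in the opposite order. A named template that returns the effective users Secret name (empty when the chart should render its own) and is used by both files would keep the two from drifting when a further source is added. The enclosing template starts before this hunk.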
@@ -400,6 +400,32 @@ externalSecrets:
 # key: pgdog/users
 # property: users.toml
+# usersSecret references an existing Secret (that you created yourself in
+# this namespace) holding the users.toml file. When name is set, the chart
+# does not render its own users Secret and mounts this one instead.
+usersSecret:
+ # name of the existing Secret containing users.toml
+ name: ""
+ # key within that Secret whose value is the users.toml content;
+ # it is mounted at /etc/secrets/pgdog/users.toml regardless of the key name
+ key: users.toml
+
+# otel configures OpenTelemetry metrics export. Left unset by default so the
+# [otel] section is omitted from pgdog.toml. Uncomment and fill in to enable.
+# otel:
+# endpoint: https://otlp.example.com/v1/metrics
+# namespace: pgdog
+# # Datadog API key options (mutually exclusive):
+# # datadogApiKey: inline value, written into pgdog.toml (plaintext in the
+# # ConfigMap) — avoid for real secrets.
+# datadogApiKey: ""
+# # datadogApiKeySecret: inject the key from an existing Secret you created
+# # as the DD_API_KEY env var, which pgdog reads. Nothing is written into
+# # pgdog.toml. Preferred for real secrets.
+# datadogApiKeySecret:
+# name: "" # existing Secret name
+# key: dd-api-key # key within that Secret holding the API key
+
 # ServiceMonitor for Prometheus metrics
 serviceMonitor:
 enabled: false
From fc93ab3ddca319e2917364f8e30ac7682be395ed Mon Sep 17 00:00:00 2001
From: Lev Kokotov
Date: Fri, 12 Jun 2026 10:18:30 -0700
Subject: [PATCH 2/2] add test
---
 test/values-existing-secrets.yaml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 test/values-existing-secrets.yaml
diff --git a/test/values-existing-secrets.yaml b/test/values-existing-secrets.yaml
new file mode 100644
index 0000000..0ebd417
--- /dev/null
+++ b/test/values-existing-secrets.yaml
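Review bot: The `usersSecret` comment does not say how it interacts with the `externalSecrets` block directly above it, although the templates in this patch give it priority: templates/deployment.yaml checks `usersSecret.name` before `externalSecrets.enabled`, and templates/secrets.yaml skips the chart-rendered Secret when either is set. Add a line such as `# Takes precedence over externalSecrets when both are configured.` above `usersSecret:` so the ordering is visible where operators edit values. The commented `otel` example likewise calls the two Datadog options "mutually exclusive" while the README in this patch describes a precedence when both are set; pick one statement and use it in both places.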
@@ -0,0 +1,22 @@
+# Test referencing existing, user-created Secrets instead of chart-rendered
+# ones. Covers:
+# - usersSecret: mount users.toml from an existing Secret, with a custom key
+# remapped to users.toml
+# - otel.datadogApiKeySecret: inject the Datadog API key as the DD_API_KEY
+# env var, keeping it out of pgdog.toml
+
+usersSecret:
+ name: my-pgdog-users
+ key: my-users-key.toml
+
+otel:
+ endpoint: https://otlp.example.com/v1/metrics
+ namespace: pgdog
+ datadogApiKeySecret:
+ name: my-datadog
+ key: api-key
+
+databases:
+ - name: primary
+ host: db.example.com
+ port: 5432
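Review bot: This values file only exercises the custom-key path for both features; the defaults the templates fall back to (`users.toml` and `dd-api-key` via `| default`) and the case the README in this patch describes, where `otel.datadogApiKey` and `otel.datadogApiKeySecret` are both set and the inline value is said to win, are not covered. If the test harness renders and asserts on output (not visible here), a second values file setting both Datadog options, plus one relying on the defaults, would pin those claims. It would also help to extend the header comment with the expected rendered result, e.g. `# expected: users volume remaps my-users-key.toml -> users.toml; DD_API_KEY from secretKeyRef my-datadog/api-key`.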