fix: use correct secret name when credentials are overridden

chart/templates/_helpers.tpl

@@ -84,6 +84,27 @@ app.kubernetes.io/version: {{ default $root.Chart.Version $root.Chart.AppVersion
 helm.sh/chart: {{ include "kubecf.chart" $root }}
 {{- end }}
 
+{{- /*
+==========================================================================================
+| kubecf.varSecretName (list $ $var_name)
++-----------------------------------------------------------------------------------------
+| Returns the name of the kube secret for $var_name. This is normally the variable name
+| prefixed with "var-", unless the value is overridden via $.Values.credentials, in which
+| case it is prefixed with `cred-`.
+==========================================================================================
+*/ -}}
+{{- define "kubecf.varSecretName" }}
+  {{- $root := first . }}
+  {{- $var_name := index . 1 }}
+  {{- $prefix := "var" }}
+  {{- range $name, $value := $root.Values.credentials }}
+    {{- if eq $var_name (splitList "." $name | first) }}
+      {{- $prefix = "cred" }}
+    {{- end }}
+  {{- end }}
+  {{- printf "%s-%s" $prefix $var_name | replace "_" "-" }}
+{{- end }}
+
 {{- /*
 ==========================================================================================
 | Add imagePullSecrets to service accounts.

chart/templates/apps_dns.yaml

@@ -119,7 +119,7 @@ spec:
         emptyDir: {}
       - name: client-tls
         secret:
-          secretName: var-cf-app-sd-client-tls
+          secretName: {{ include "kubecf.varSecretName" (list $ "cf_app_sd_client_tls") }}
           items:
           - key: ca
             path: ca.pem

chart/templates/database/db-migrate-charset.yaml

@@ -61,7 +61,7 @@ spec:
           {{- range $secret := $.kubecf.databases }}
           - name: {{ printf  "%s-database-password" $secret | quote }}
             secret:
-              secretName: {{ printf "var-%s-database-password" $secret | quote }}
+              secretName: {{ include "kubecf.varSecretName" (list $ (printf "%s_database_password" $secret)) }}
           {{- end }}
           restartPolicy: Never
 

chart/templates/database/db-secrets.yaml

@@ -10,7 +10,7 @@ metadata:
     {{- list . "database" | include "component.labels" | nindent 4 }}
 spec:
   type: password
-  secretName: var-pxc-root-password
+  secretName: {{ include "kubecf.varSecretName" (list $ "pxc_root_password") }}
 ---
 apiVersion: quarks.cloudfoundry.org/v1alpha1
 kind: QuarksSecret
@@ -21,6 +21,6 @@ metadata:
     {{- list . "database" | include "component.labels" | nindent 4 }}
 spec:
   type: password
-  secretName: var-pxc-password
+  secretName: {{ include "kubecf.varSecretName" (list $ "pxc_password") }}
 
 {{- end }}{{/* .Values.features.embedded_database.enabled */}}

chart/templates/database/db-seeder.yaml

@@ -71,7 +71,7 @@ spec:
           {{- range $secret := $.kubecf.databases }}
           - name: {{ printf  "%s-database-password" $secret | quote }}
             secret:
-              secretName: {{ printf "var-%s-database-password" $secret | quote }}
+              secretName: {{ include "kubecf.varSecretName" (list $ (printf "%s_database_password" $secret)) }}
           {{- end }}
           restartPolicy: Never
 

chart/templates/database/db-statefulset.yaml

@@ -120,7 +120,7 @@ spec:
               name: database-startup-scripts
           - name: pxc-tls
             secret:
-              secretName: var-pxc-tls
+              secretName: {{ include "kubecf.varSecretName" (list $ "pxc_tls") }}
       volumeClaimTemplates:
       - metadata:
           name: pxc-data

mixins/eirini/config/eirini.yaml

@@ -32,18 +32,18 @@ eirini:
     # The TLS secrets are generated by quarks-operator and should be HIDDEN from the user.
     tls:
       opiCapiClient:
-        secretName: "var-eirini-tls-client-cert"
+        secretName: {{ include "kubecf.varSecretName" (list $ "eirini_tls_client_cert") }}
         keyPath: "private_key"
         certPath: "certificate"
       opiServer:
-        secretName: "var-eirini-tls-server-cert"
+        secretName: {{ include "kubecf.varSecretName" (list $ "eirini_tls_server_cert") }}
         certPath: "certificate"
         keyPath: "private_key"
       capi:
-        secretName: "var-eirini-tls-server-cert"
+        secretName: {{ include "kubecf.varSecretName" (list $ "eirini_tls_server_cert") }}
         caPath: "ca"
       eirini:
-        secretName: "var-eirini-tls-server-cert"
+        secretName: {{ include "kubecf.varSecretName" (list $ "eirini_tls_server_cert") }}
         caPath: "ca"
 
     # components
@@ -54,11 +54,11 @@ eirini:
       # here to adapt the Eirini helm chart for KubeCF use.
       tls:
         capiClient:
-          secretName: "var-cc-tls"
+          secretName: {{ include "kubecf.varSecretName" (list $ "cc_tls") }}
           keyPath: "private_key"
           certPath: "certificate"
         capi:
-          secretName: "var-cc-tls"
+          secretName: {{ include "kubecf.varSecretName" (list $ "cc_tls") }}
           caPath: "ca"
 
     logs:
@@ -71,19 +71,19 @@ eirini:
       enable: true
       tls:
         client:
-          secretName: "var-loggregator-tls-doppler"
+          secretName: {{ include "kubecf.varSecretName" (list $ "loggregator_tls_doppler") }}
           keyPath: "private_key"
           certPath: "certificate"
         server:
-          secretName: "var-loggregator-tls-doppler"
+          secretName: {{ include "kubecf.varSecretName" (list $ "loggregator_tls_doppler") }}
           caPath: "ca"
 
     # All configs in this section should be HIDDEN from the user; they are here
     # to adapt the Eirini helm chart for KubeCF use.
     routing:
       enable: true
       nats:
-        secretName: "var-nats-password"
+        secretName: {{ include "kubecf.varSecretName" (list $ "nats_password") }}
         passwordPath: "password"
         serviceName: "nats"
 
@@ -100,18 +100,18 @@ eirini:
       # The TLS secrets are generated by quarks-operator and should be HIDDEN from the user.
       tls:
         client:
-          secretName: "var-eirini-tls-client-cert"
+          secretName: {{ include "kubecf.varSecretName" (list $ "eirini_tls_client_cert") }}
           certPath: "certificate"
           keyPath: "private_key"
         cc_uploader:
-          secretName: "var-cc-bridge-cc-uploader"
+          secretName: {{ include "kubecf.varSecretName" (list $ "cc_bridge_cc_uploader") }}
           certPath: "certificate"
           keyPath: "private_key"
         ca:
-          secretName: "var-eirini-tls-client-cert"
+          secretName: {{ include "kubecf.varSecretName" (list $ "eirini_tls_client_cert") }}
           path: "ca"
         stagingReporter:
-          secretName: "var-eirini-tls-client-cert"
+          secretName: {{ include "kubecf.varSecretName" (list $ "eirini_tls_client_cert") }}
           certPath: "certificate"
           keyPath: "private_key"
           caPath: "ca"