From 96cac0519114be38ce93fc433bf6c637698a2998 Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 30 Apr 2026 12:23:18 +0900
Subject: [PATCH] fix: always inject PMA_BLOWFISH_SECRET and preserve it across upgrades

Two bugs caused the "temporary key" warning in phpMyAdmin:

1. deployment.yaml: PMA_BLOWFISH_SECRET env var was only injected when blowfishSecret or existingSecret was explicitly set. With default empty values, the env var was never passed to the container, so phpMyAdmin fell back to an empty string and auto-generated a temporary key. Fix: always inject PMA_BLOWFISH_SECRET since the Secret is always created.
2. secret.yaml: randAlphaNum generated a new random value on every helm upgrade, invalidating all cookies and logging out users on every deployment. Fix: use lookup to check if the Secret already exists and reuse its value; only generate a new random value on first install.

Also add checksum/secret annotation to trigger pod rollout when the secret changes (e.g. when blowfishSecret value is updated in values.yaml).

Co-Authored-By: Claude Sonnet 4.6
---
 templates/deployment.yaml | 4 ++--
 templates/secret.yaml | 31 +++++++++++++++++--------------
 2 files changed, 19 insertions(+), 16 deletions(-)

diff --git a/templates/deployment.yaml b/templates/deployment.yaml
index 1bfa2f7..c91b18b 100644
--- a/templates/deployment.yaml
+++ b/templates/deployment.yaml
@@ -16,6 +16,7 @@ spec:
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
 checksum/nginx-config: {{ include (print $.Template.BasePath "/nginx-configmap.yaml") . | sha256sum }}
+ checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
 {{- with .Values.podAnnotations }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
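Review bot: The new `checksum/secret` annotation hashes a render of templates/secret.yaml that depends on `lookup`, and `lookup` returns an empty result under `helm template`, `helm install/upgrade --dry-run` and any GitOps renderer without cluster access; in those modes secret.yaml falls through to `randAlphaNum 32` on every render, so this annotation changes on every deploy and rolls the pods while the stored secret is replaced — the same logout-on-deploy behaviour the commit sets out to fix. The same caveat applies to the `lookup` hunk in templates/secret.yaml. It is worth stating next to the annotation, e.g. `# secret.yaml uses lookup: rendering without cluster access (helm template, --dry-run) regenerates the secret and changes this hash`, and in the chart README. When `existingSecret` is set, secret.yaml renders to nothing, so this hash is constant and changes to the external Secret will not trigger a rollout; that is probably acceptable but should be documented as well. The pod template metadata this annotation belongs to starts before the hunk.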
@@ -117,13 +118,12 @@ spec:
 value: {{ .Values.phpmyadmin.env.MEMORY_LIMIT | quote }}
 - name: MAX_EXECUTION_TIME
 value: {{ .Values.phpmyadmin.env.MAX_EXECUTION_TIME | quote }}
- {{- if or .Values.phpmyadmin.blowfishSecret .Values.phpmyadmin.existingSecret }}
+ {{- /* Secretは常に存在する(自動生成 or existingSecret)ため、常に注入する */}}
 - name: PMA_BLOWFISH_SECRET
 valueFrom:
 secretKeyRef:
 name: {{ .Values.phpmyadmin.existingSecret | default (include "phpmyadmin-nginx.fullname" .) }}
 key: blowfish-secret
- {{- end }}
 ports:
 - name: php-fpm
 containerPort: 9000
diff --git a/templates/secret.yaml b/templates/secret.yaml
index 4fcd1e1..4f8bc70 100644
--- a/templates/secret.yaml
+++ b/templates/secret.yaml
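Review bot: Removing the guard makes the `blowfish-secret` key a hard requirement for any `existingSecret`: a user-supplied Secret without that key now leaves the container in CreateContainerConfigError instead of silently running with a temporary key, which is the safer failure mode but is not documented anywhere visible here. Consider saying so next to the env entry, e.g. `# Required: the chart-managed Secret or existingSecret must carry the key "blowfish-secret"`, and in values.yaml under `existingSecret`. The new inline comment is in Japanese while the surrounding template text and the commit message are English; if the chart's other comments are English, `{{- /* the Secret always exists (generated or existingSecret), so always inject it */}}` keeps the style uniform, and the same applies to the three comments added in templates/secret.yaml. The containers list this env entry belongs to starts and ends outside the hunk.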
@@ -1,21 +1,24 @@
-{{- if and (not .Values.phpmyadmin.existingSecret) .Values.phpmyadmin.blowfishSecret }}
+{{- if not .Values.phpmyadmin.existingSecret }}
+{{- $fullname := include "phpmyadmin-nginx.fullname" . }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $fullname }}
+{{- $blowfishSecret := "" }}
+{{- if $secret }}
+ {{- /* 既存のSecretが存在する場合はその値を再利用(helm upgradeで値が変わらないように) */}}
+ {{- $blowfishSecret = index $secret.data "blowfish-secret" | b64dec }}
+{{- else if .Values.phpmyadmin.blowfishSecret }}
+ {{- /* values.yamlに明示的に指定された値を使用 */}}
+ {{- $blowfishSecret = .Values.phpmyadmin.blowfishSecret }}
+{{- else }}
+ {{- /* 初回インストール時のみランダム生成 */}}
+ {{- $blowfishSecret = randAlphaNum 32 }}
+{{- end }}
 apiVersion: v1
 kind: Secret
 metadata:
- name: {{ include "phpmyadmin-nginx.fullname" . }}
+ name: {{ $fullname }}
 labels:
 {{- include "phpmyadmin-nginx.labels" . | nindent 4 }}
 type: Opaque
 data:
- blowfish-secret: {{ .Values.phpmyadmin.blowfishSecret | b64enc | quote }}
-{{- else if not .Values.phpmyadmin.existingSecret }}
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ include "phpmyadmin-nginx.fullname" . }}
- labels:
- {{- include "phpmyadmin-nginx.labels" . | nindent 4 }}
-type: Opaque
-data:
- blowfish-secret: {{ randAlphaNum 32 | b64enc | quote }}
-{{- end }}
\ No newline at end of file
+ blowfish-secret: {{ $blowfishSecret | b64enc | quote }}
+{{- end }}
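Review bot: The branch order at the top of the new template makes `.Values.phpmyadmin.blowfishSecret` unreachable once the Secret exists, because `{{- if $secret }}` is tested first and reuses the stored value; the commit message promises a rollout "when blowfishSecret value is updated in values.yaml", but with this order an updated value is silently ignored on every upgrade and the operator has no way to rotate the key short of deleting the Secret. Testing the explicit value first, then the stored one, then falling back to `randAlphaNum 32` keeps the operator-supplied value authoritative while still preserving a generated value across upgrades. The reuse branch also assumes the found Secret carries a `blowfish-secret` key and a `data` field; `index $secret.data "blowfish-secret"` yields nil for a Secret created by hand or by an older chart, and piping nil into `b64dec` is expected to abort rendering with an unhelpful type error, so the stored value should be read defensively. The rewrite below replaces the `$blowfishSecret` selection chain; the `$fullname`/`$secret` definitions and the Secret manifest are unchanged, and note that `lookup` requires the installing identity to be able to `get` Secrets in the release namespace.

```yaml
{{- $blowfishSecret := "" }}
{{- $existing := "" }}
{{- if $secret }}
  {{- /* stored value, still base64; empty when the key or data field is missing */}}
  {{- $existing = index ($secret.data | default dict) "blowfish-secret" | default "" }}
{{- end }}
{{- if .Values.phpmyadmin.blowfishSecret }}
  {{- /* an explicit value from values.yaml wins, so updating it rotates the key and rolls pods */}}
  {{- $blowfishSecret = .Values.phpmyadmin.blowfishSecret }}
{{- else if $existing }}
  {{- /* reuse the stored value so helm upgrade does not invalidate sessions */}}
  {{- $blowfishSecret = $existing | b64dec }}
{{- else }}
  {{- /* first install only (or a render without cluster access): generate a value */}}
  {{- $blowfishSecret = randAlphaNum 32 }}
{{- end }}
# … unchanged: Secret manifest …
```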