fix: always inject PMA_BLOWFISH_SECRET and preserve it across upgrades

Two bugs caused the "temporary key" warning in phpMyAdmin:

1. deployment.yaml: PMA_BLOWFISH_SECRET env var was only injected when
   blowfishSecret or existingSecret was explicitly set. With default empty
   values, the env var was never passed to the container, so phpMyAdmin
   fell back to an empty string and auto-generated a temporary key.
   Fix: always inject PMA_BLOWFISH_SECRET since the Secret is always created.

2. secret.yaml: randAlphaNum generated a new random value on every
   helm upgrade, invalidating all cookies and logging out users on every
   deployment.
   Fix: use lookup to check if the Secret already exists and reuse its
   value; only generate a new random value on first install.

Also add checksum/secret annotation to trigger pod rollout when the
secret changes (e.g. when blowfishSecret value is updated in values.yaml).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-30 12:23:18 +09:00
parent be7671b55b
commit 96cac05191
2 changed files with 19 additions and 16 deletions
+2 -2
@@ -16,6 +16,7 @@ spec:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
checksum/nginx-config: {{ include (print $.Template.BasePath "/nginx-configmap.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
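Review bot: The new `checksum/secret` annotation hashes only the chart's rendered `secret.yaml`, so it does not cover the `existingSecret` case. When `existingSecret` is set, rotating that external Secret leaves the checksum unchanged and running pods keep the old `PMA_BLOWFISH_SECRET` until they are restarted by hand, which should be stated in the values documentation. Separately, the commit message says `secret.yaml` now depends on `lookup`. `lookup` returns an empty result under `helm template` and `--dry-run`, so any client-side render looks like a first install and would take the random-generation path. The checksum, and with it the pod template, would then differ on every such render. Please confirm how this behaves with the diff or GitOps tooling used for this chart, or document a fixed `blowfishSecret` or `existingSecret` as the recommended setup there.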
@@ -117,13 +118,12 @@ spec:
value: {{ .Values.phpmyadmin.env.MEMORY_LIMIT | quote }}
- name: MAX_EXECUTION_TIME
value: {{ .Values.phpmyadmin.env.MAX_EXECUTION_TIME | quote }}
{{- if or .Values.phpmyadmin.blowfishSecret .Values.phpmyadmin.existingSecret }}
{{- /* Secretは常に存在する(自動生成 or existingSecret)ため、常に注入する */}}
- name: PMA_BLOWFISH_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.phpmyadmin.existingSecret | default (include "phpmyadmin-nginx.fullname" .) }}
key: blowfish-secret
{{- end }}
ports:
- name: php-fpm
containerPort: 9000
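Review bot: With the `if or ...` guard removed, the `secretKeyRef` for `PMA_BLOWFISH_SECRET` is unconditional, but the template comment's claim that the Secret always exists only holds for the chart-generated one. When `existingSecret` is set, the chart cannot guarantee that the named Secret exists or that it carries the hard-coded key `blowfish-secret`. Because the reference is not marked optional, a missing Secret or key keeps the container from starting. Please document next to `existingSecret` in values.yaml that the Secret must be created beforehand with a `blowfish-secret` key, so the failure mode is not a surprise at deploy time. Style point: the added template comment is in Japanese while the surrounding template and commit message are in English, so pick one language for chart comments.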