helmchart/phpmyadmin
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

fix: always inject PMA_BLOWFISH_SECRET and preserve it across upgrades
Helm Chart Release / release-chart (push) Successful in 4s
Details
Update Docker Image Tags and Release Helm Chart / update-and-release (push) Successful in 10s
Details

Browse Source 
Two bugs caused the "temporary key" warning in phpMyAdmin:

1. deployment.yaml: PMA_BLOWFISH_SECRET env var was only injected when
   blowfishSecret or existingSecret was explicitly set. With default empty
   values, the env var was never passed to the container, so phpMyAdmin
   fell back to an empty string and auto-generated a temporary key.
   Fix: always inject PMA_BLOWFISH_SECRET since the Secret is always created.

2. secret.yaml: randAlphaNum generated a new random value on every
   helm upgrade, invalidating all cookies and logging out users on every
   deployment.
   Fix: use lookup to check if the Secret already exists and reuse its
   value; only generate a new random value on first install.

Also add checksum/secret annotation to trigger pod rollout when the
secret changes (e.g. when blowfishSecret value is updated in values.yaml).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Claude
2026-04-30 12:23:18 +09:00
parent be7671b55b
commit 96cac05191
2 changed files with 19 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
templates/secret.yaml
+17 -14
View File
@@ -1,21 +1,24 @@
{{- if and (not .Values.phpmyadmin.existingSecret) .Values.phpmyadmin.blowfishSecret }}
{{- if not .Values.phpmyadmin.existingSecret }}
{{- $fullname := include "phpmyadmin-nginx.fullname" . }}
{{- $secret := lookup "v1" "Secret" .Release.Namespace $fullname }}
{{- $blowfishSecret := "" }}
{{- if $secret }}
{{- /* 既存のSecretが存在する場合はその値を再利用(helm upgradeで値が変わらないように) */}}
{{- $blowfishSecret = index $secret.data "blowfish-secret" | b64dec }}
{{- else if .Values.phpmyadmin.blowfishSecret }}
{{- /* values.yamlに明示的に指定された値を使用 */}}
{{- $blowfishSecret = .Values.phpmyadmin.blowfishSecret }}
{{- else }}
{{- /* 初回インストール時のみランダム生成 */}}
{{- $blowfishSecret = randAlphaNum 32 }}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "phpmyadmin-nginx.fullname" . }}
name: {{ $fullname }}
labels:
{{- include "phpmyadmin-nginx.labels" . | nindent 4 }}
type: Opaque
data:
blowfish-secret: {{ .Values.phpmyadmin.blowfishSecret | b64enc | quote }}
{{- else if not .Values.phpmyadmin.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "phpmyadmin-nginx.fullname" . }}
labels:
{{- include "phpmyadmin-nginx.labels" . | nindent 4 }}
type: Opaque
data:
blowfish-secret: {{ randAlphaNum 32 | b64enc | quote }}
{{- end }}
blowfish-secret: {{ $blowfishSecret | b64enc | quote }}
{{- end }}