Two bugs caused the "temporary key" warning in phpMyAdmin:

1. deployment.yaml: PMA_BLOWFISH_SECRET env var was only injected when
   blowfishSecret or existingSecret was explicitly set. With default empty
   values, the env var was never passed to the container, so phpMyAdmin
   fell back to an empty string and auto-generated a temporary key.
   Fix: always inject PMA_BLOWFISH_SECRET since the Secret is always created.

2. secret.yaml: randAlphaNum generated a new random value on every
   helm upgrade, invalidating all cookies and logging out users on every
   deployment.
   Fix: use lookup to check if the Secret already exists and reuse its
   value; only generate a new random value on first install.

Also add checksum/secret annotation to trigger pod rollout when the
secret changes (e.g. when blowfishSecret value is updated in values.yaml).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
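
The lookup-and-reuse pattern described in the commit message above, as an added example that is not the chart's own secret.yaml. The Secret name, the data key `blowfish-secret` and the 32-character length are assumptions; `.Values.blowfishSecret` is the value named in the message.

```yaml
{{- /* Added example, not the chart's secret.yaml.
       Assumed: Secret name, data key and a 32-character random value. */ -}}
{{- $name := printf "%s-phpmyadmin" .Release.Name -}}
{{- $key := "blowfish-secret" -}}
{{- /* lookup returns an empty map when the Secret does not exist yet */ -}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $name | default dict -}}
{{- $stored := get (get $existing "data" | default dict) $key -}}
{{- $value := "" -}}
{{- if .Values.blowfishSecret -}}
{{-   /* an explicit value from values.yaml always wins */ -}}
{{-   $value = .Values.blowfishSecret | b64enc -}}
{{- else if $stored -}}
{{-   /* upgrade: keep the stored value (already base64) so cookies stay valid */ -}}
{{-   $value = $stored -}}
{{- else -}}
{{-   /* first install: generate the key once */ -}}
{{-   $value = randAlphaNum 32 | b64enc -}}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $name }}
  namespace: {{ .Release.Namespace }}
type: Opaque
data:
  {{ $key }}: {{ $value | quote }}
```

`helm template` does not contact the cluster, so `lookup` returns an empty result there and the rendered value is random on each run; the reuse only takes effect on a real install or upgrade.
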
- Fix MYSQL_HOST/PORT: were referencing non-existent .Values.backup.mysql.host/port;
  now correctly read from .Values.phpmyadmin.hosts[0] as documented in README
- Remove broken BACKUP_TIMESTAMP env var (shell command substitution does not
  execute in k8s env vars; timestamp is already defined inside the script)
- Fix NFS readOnly: was always outputting "readOnly: false" even when
  .Values.backup.nfs.readOnly was true; now renders the actual value
- Add MYSQL_HISTFILE=/dev/null to prevent mysql client from writing history
  file when readOnlyRootFilesystem: true
- Fix variable name collision: renamed shell var DATABASES -> DB_LIST in the
  all-databases branch to avoid conflict with the DATABASES env var
- Use /bin/bash (available in mysql:8.0 Debian image) for set -euo pipefail
  and local keyword support
- Split retention find into separate *.sql and *.sql.gz patterns
- Add -mindepth 1 to empty dir cleanup to avoid removing the root backup dir

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>