From 307c5c84f8e4234d19200ac4b6ce5a210d85cf7b Mon Sep 17 00:00:00 2001 From: dahoud <41957584+DahoudG@users.noreply.github.com> Date: Wed, 22 Apr 2026 14:51:48 +0000 Subject: [PATCH] feat: transition Secrets K8s existants (extraEnvFrom) en attendant Vault root token --- Chart.yaml | 2 +- values.yaml | 33 +++++++++++++++++---------------- 2 files changed, 18 insertions(+), 17 deletions(-) diff --git a/Chart.yaml b/Chart.yaml index 85df8cc..49eb1a7 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -16,7 +16,7 @@ sources: - https://git.lions.dev/lionsdev/unionflow-server-impl-quarkus-k1 # ce repo (deploy) dependencies: - name: lions-app - version: "1.0.0" + version: "1.0.1" repository: "https://git.lions.dev/api/packages/lionsdev/helm" # Alternative pour dev local sans registry : # repository: "file://../helm-chart-lions-app" diff --git a/values.yaml b/values.yaml index 9a86fd3..795b735 100644 --- a/values.yaml +++ b/values.yaml @@ -60,10 +60,21 @@ lions-app: JAVA_OPTS: -Xms256m -Xmx512m # -------------------------------------------------------- - # Secrets depuis Vault (via External Secrets Operator) + # Secrets — phase de transition : référencer les Secrets K8s existants + # + # TODO: quand Vault root token sera disponible, migrer vers externalSecret. + # Les Secrets existants (db-secret, oidc-secret) seront alors + # régénérés par ESO depuis Vault automatiquement. # -------------------------------------------------------- + extraEnvFrom: + - secretRef: + name: unionflow-server-impl-quarkus-db-secret + - secretRef: + name: unionflow-server-oidc-secret + externalSecret: - enabled: true + enabled: false + # Configuration prête pour activation future : secretStoreRef: kind: ClusterSecretStore name: vault-backend 
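Review bot: `extraEnvFrom` with `secretRef` exports every key of `unionflow-server-impl-quarkus-db-secret` and `unionflow-server-oidc-secret` into the container environment, whereas the `externalSecret.data` list it stands in for maps exactly four named variables. Nothing in the hunk records which keys those Secrets hold or that their names match what the application reads. I would add a comment above `extraEnvFrom:` such as `# envFrom imports ALL keys of these Secrets; expected: QUARKUS_DATASOURCE_USERNAME, QUARKUS_DATASOURCE_PASSWORD, KEYCLOAK_CLIENT_SECRET, KEYCLOAK_ADMIN_SERVICE_SECRET`, and confirm the two Secrets contain nothing else. The two names use different prefixes (`unionflow-server-impl-quarkus-` and `unionflow-server-`); if that is not intentional, the pod will fail to start because a `secretRef` without `optional` requires the Secret to exist. The TODO ties the migration to a "Vault root token", which is presumably needed only to bootstrap Vault, so it should say that the `vault-backend` store will authenticate with a scoped, read-only policy on `lions/applications/unionflow-server/*` rather than the root token itself.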
@@ -72,24 +83,14 @@ lions-app: creationPolicy: Owner deletionPolicy: Retain data: - # Base de données - secretKey: QUARKUS_DATASOURCE_USERNAME - remoteRef: - key: lions/applications/unionflow-server/db - property: username + remoteRef: { key: lions/applications/unionflow-server/db, property: username } - secretKey: QUARKUS_DATASOURCE_PASSWORD - remoteRef: - key: lions/applications/unionflow-server/db - property: password - # Keycloak OIDC + remoteRef: { key: lions/applications/unionflow-server/db, property: password } - secretKey: KEYCLOAK_CLIENT_SECRET - remoteRef: - key: lions/applications/unionflow-server/oidc - property: client-secret + remoteRef: { key: lions/applications/unionflow-server/oidc, property: client-secret } - secretKey: KEYCLOAK_ADMIN_SERVICE_SECRET - remoteRef: - key: lions/applications/unionflow-server/oidc - property: admin-service-secret + remoteRef: { key: lions/applications/unionflow-server/oidc, property: admin-service-secret } # -------------------------------------------------------- # Ingress
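Review bot: Flow-style mappings for the four `remoteRef` entries make this dormant block harder to read and diff than the block form they replace, and the longest line exceeds 90 characters before indentation. The `# Base de données` and `# Keycloak OIDC` grouping comments are lost as well. With `externalSecret.enabled` now `false`, this list is the only in-file record of which Vault path and property feeds which variable, so I would keep the block form (`remoteRef:` followed by `key: lions/applications/unionflow-server/db` and `property: username` on their own lines) and restore the two comments. The `externalSecret` mapping opens in the previous hunk, and the lines between the two hunks are not shown.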