Support brokerK8sSecret in Helm values for GitOps deployments #695

@jdaln

The Submariner CRD has a spec.brokerK8sSecret field that allows referencing a secret instead of inline credentials, but the Helm chart doesn't expose this in values.yaml.

Currently, the chart only supports inline broker credentials:

```yaml
broker:
  token: "eyJhbGci..."
  ca: "-----BEGIN CERTIFICATE-----..."
```

This doesn't work well for GitOps workflows where secrets shouldn't be in Git.

Request: Please add submariner.brokerK8sSecret to values.yaml so users can do:

```yaml
submariner:
  brokerK8sSecret: "my-broker-secret"
```

Implementation suggestion:
In templates/submariner.yaml, change:

```yaml
spec:
  brokerK8sApiServerToken: {{ .Values.broker.token }}
  brokerK8sCA: {{ .Values.broker.ca }}
```

to:

```yaml
spec:
  {{- if .Values.submariner.brokerK8sSecret }}
  brokerK8sSecret: {{ .Values.submariner.brokerK8sSecret }}
  {{- else if .Values.broker.token }}
  brokerK8sApiServerToken: {{ .Values.broker.token }}
  brokerK8sCA: {{ .Values.broker.ca }}
  {{- end }}
```

or something similar

Workaround:
Currently using my Kustomize patches to inject the field after helm template rendering, which requires --enable-helm and is more complex than needed.

This would align with how other operators (cert-manager, external-dns) handle secret references.

PS: @skitt, sorry to ping you here, but I messaged you on the CNCF Slack but you seem to have notifications off. Just wanted to make sure you see my message.

Best,
J
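
A CI-side check for the problem this issue describes, as an added example (not part of the original issue or of the Submariner chart): it flags a Helm values file that carries inline `broker.token` / `broker.ca` and passes one that only references a secret by name. The function name, the small indentation-based reader (simple `key: value` YAML only) and the sample values files are assumptions constructed for illustration.

```python
import re

# Inline credential fields named in this issue; anything set here ends up in Git.
SENSITIVE_PATHS = {"broker.token", "broker.ca"}
JWT_RE = re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]*$")      # three dot-separated JWT parts
KEY_RE = re.compile(r"^(\s*)([\w.-]+):\s*(.*)$")

def find_inline_broker_credentials(values_text):
    """Return (line, dotted.path, reason) for credentials written inline."""
    findings, stack = [], []
    for lineno, raw in enumerate(values_text.splitlines(), 1):
        line = raw.split(" #", 1)[0].rstrip()            # drop trailing comments
        m = KEY_RE.match(line)
        if not m:
            continue                                     # block-scalar body, comment, blank
        indent, key = len(m.group(1)), m.group(2)
        value = m.group(3).strip().strip("\"'")
        while stack and stack[-1][0] >= indent:          # leave deeper/sibling mappings
            stack.pop()
        stack.append((indent, key))
        path = ".".join(k for _, k in stack)
        if not value:
            continue                                     # mapping header or empty default
        if path in SENSITIVE_PATHS:                      # includes `ca: |` block scalars
            findings.append((lineno, path, "inline broker credential"))
        elif JWT_RE.match(value) or "-----BEGIN" in value:
            findings.append((lineno, path, "token or PEM material in values"))
    return findings

# Constructed sample inputs (the elided values are the ones shown in the issue).
INLINE_VALUES = '''broker:
  token: "eyJhbGci..."
  ca: "-----BEGIN CERTIFICATE-----..."
'''
GITOPS_VALUES = '''submariner:
  brokerK8sSecret: "my-broker-secret"
broker:
  token: ""
  ca: ""
'''
STRAY_TOKEN = "extra:\n  apiToken: eyJhbGciOiJub25lIn0.eyJzdWIiOiJ4In0.c2ln\n"

if __name__ == "__main__":
    for name, text in [("inline", INLINE_VALUES), ("gitops", GITOPS_VALUES)]:
        print(name, find_inline_broker_credentials(text) or "clean")
```
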

Status: Backlog