From 7234e304834f6d199e813611a24cfd22e4be4bbc Mon Sep 17 00:00:00 2001
From: Daniil Drazdouski
Date: Wed, 22 Apr 2026 10:07:03 +0300
Subject: [PATCH] Add support for using existing secret keys for OPENAI_APIKEY/AZURE_APIKEY
---
.cicd/test.sh | 12 +++
weaviate/templates/apiKeyOpenAISecret.yaml | 94 +++++++++++++++++----
weaviate/templates/weaviateStatefulset.yaml | 26 +++++-
weaviate/values.yaml | 33 ++++++++
4 files changed, 148 insertions(+), 17 deletions(-)
diff --git a/.cicd/test.sh b/.cicd/test.sh
index afcbaead..fc9215b7 100755
--- a/.cicd/test.sh
+++ b/.cicd/test.sh
@@ -217,6 +217,18 @@ function check_creates_template() { check_modules "--set modules.reranker-contextualai.enabled=true --set modules.generative-contextualai.enabled=true" "value: generative-contextualai,reranker-contextualai" check_string_existence "--set modules.generative-xai.enabled=true --set modules.generative-xai.apiKey=apiKey" "name: XAI_APIKEY" check_string_existence "--set modules.text2vec-morph.enabled=true --set modules.text2vec-morph.apiKey=apiKey" "name: MORPH_APIKEY" + check_string_existence "--set modules.text2vec-openai.enabled=true --set modules.text2vec-openai.apiKeySecretName=text2vec-openai-secret" "name: OPENAI_APIKEY" + check_string_existence "--set modules.text2vec-openai.enabled=true --set modules.text2vec-openai.apiKeySecretName=text2vec-openai-secret" "name: text2vec-openai-secret" + check_string_existence "--set modules.text2vec-openai.enabled=true --set modules.text2vec-openai.azureApiKeySecretName=text2vec-openai-azure-secret" "name: AZURE_APIKEY" + check_string_existence "--set modules.text2vec-openai.enabled=true --set modules.text2vec-openai.azureApiKeySecretName=text2vec-openai-azure-secret" "name: text2vec-openai-azure-secret" + check_string_existence "--set modules.qna-openai.enabled=true --set modules.qna-openai.apiKeySecretName=qna-openai-secret" "name: OPENAI_APIKEY" + check_string_existence "--set modules.qna-openai.enabled=true --set modules.qna-openai.apiKeySecretName=qna-openai-secret" "name: qna-openai-secret" + check_string_existence "--set modules.qna-openai.enabled=true --set modules.qna-openai.azureApiKeySecretName=qna-openai-azure-secret" "name: AZURE_APIKEY" + check_string_existence "--set modules.qna-openai.enabled=true --set modules.qna-openai.azureApiKeySecretName=qna-openai-azure-secret" "name: qna-openai-azure-secret" + check_string_existence "--set modules.generative-openai.enabled=true --set modules.generative-openai.apiKeySecretName=generative-openai-secret" "name: OPENAI_APIKEY" + check_string_existence 
"--set modules.generative-openai.enabled=true --set modules.generative-openai.apiKeySecretName=generative-openai-secret" "name: generative-openai-secret" + check_string_existence "--set modules.generative-openai.enabled=true --set modules.generative-openai.azureApiKeySecretName=generative-openai-azure-secret" "name: AZURE_APIKEY" + check_string_existence "--set modules.generative-openai.enabled=true --set modules.generative-openai.azureApiKeySecretName=generative-openai-azure-secret" "name: generative-openai-azure-secret" check_string_existence "--set modules.text2vec-openai.enabled=true --set modules.text2vec-openai.azureApiKey=azureApiKey" "name: AZURE_APIKEY" check_string_existence "--set modules.qna-openai.enabled=true --set modules.qna-openai.azureApiKey=azureApiKey" "name: AZURE_APIKEY" check_string_existence "--set modules.generative-openai.enabled=true --set modules.generative-openai.azureApiKey=azureApiKey" "name: AZURE_APIKEY" diff --git a/weaviate/templates/apiKeyOpenAISecret.yaml b/weaviate/templates/apiKeyOpenAISecret.yaml index 30725029..d32b4aa1 100644 --- a/weaviate/templates/apiKeyOpenAISecret.yaml +++ b/weaviate/templates/apiKeyOpenAISecret.yaml 
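Review bot: The twelve added `check_string_existence` cases cover only the success path: each asserts that the env var name and the referenced secret name appear somewhere in the rendered output. Nothing exercises the new `fail` guards in apiKeyOpenAISecret.yaml, for example a render with `--set modules.text2vec-openai.apiKey=apiKey --set modules.text2vec-openai.apiKeySecretName=text2vec-openai-secret`, or two modules pointing at different secret names. Nothing sets a non-default `apiKeySecretKey` either, and nothing asserts that the chart-managed `weaviate-openai` Secret is absent when an existing secret is referenced. Those are the cases where a regression would point the pod at the wrong secret without any test noticing, so I would add one render-must-fail case per guard plus one absence check. The enclosing function check_creates_template starts and ends outside the hunk.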
@@ -1,35 +1,99 @@ -{{- $t2vOpenAI := and (index .Values "modules" "text2vec-openai" "enabled") (index .Values "modules" "text2vec-openai" "apiKey") -}} -{{- $qnaOpenAI := and (index .Values "modules" "qna-openai" "enabled") (index .Values "modules" "qna-openai" "apiKey") }} -{{- $generativeOpenAI := and (index .Values "modules" "generative-openai" "enabled") (index .Values "modules" "generative-openai" "apiKey") }} -{{- $t2vAzureOpenAI := and (index .Values "modules" "text2vec-openai" "enabled") (index .Values "modules" "text2vec-openai" "azureApiKey") -}} -{{- $qnaAzureOpenAI := and (index .Values "modules" "qna-openai" "enabled") (index .Values "modules" "qna-openai" "azureApiKey") }} -{{- $generativeAzureOpenAI := and (index .Values "modules" "generative-openai" "enabled") (index .Values "modules" "generative-openai" "azureApiKey") }} -{{- $openAI := or ($t2vOpenAI) ($qnaOpenAI) ($generativeOpenAI) }} -{{- $azureOpenAI := or ($t2vAzureOpenAI) ($qnaAzureOpenAI) ($generativeAzureOpenAI) }} +{{- $t2vOpenAIDirect := and (index .Values "modules" "text2vec-openai" "enabled") (index .Values "modules" "text2vec-openai" "apiKey") -}} +{{- $qnaOpenAIDirect := and (index .Values "modules" "qna-openai" "enabled") (index .Values "modules" "qna-openai" "apiKey") }} +{{- $generativeOpenAIDirect := and (index .Values "modules" "generative-openai" "enabled") (index .Values "modules" "generative-openai" "apiKey") }} +{{- $t2vAzureOpenAIDirect := and (index .Values "modules" "text2vec-openai" "enabled") (index .Values "modules" "text2vec-openai" "azureApiKey") -}} +{{- $qnaAzureOpenAIDirect := and (index .Values "modules" "qna-openai" "enabled") (index .Values "modules" "qna-openai" "azureApiKey") }} +{{- $generativeAzureOpenAIDirect := and (index .Values "modules" "generative-openai" "enabled") (index .Values "modules" "generative-openai" "azureApiKey") }} + +{{- $t2vOpenAISecret := and (index .Values "modules" "text2vec-openai" "enabled") (index .Values "modules" 
"text2vec-openai" "apiKeySecretName") -}} +{{- $qnaOpenAISecret := and (index .Values "modules" "qna-openai" "enabled") (index .Values "modules" "qna-openai" "apiKeySecretName") }} +{{- $generativeOpenAISecret := and (index .Values "modules" "generative-openai" "enabled") (index .Values "modules" "generative-openai" "apiKeySecretName") }} +{{- $t2vAzureOpenAISecret := and (index .Values "modules" "text2vec-openai" "enabled") (index .Values "modules" "text2vec-openai" "azureApiKeySecretName") -}} +{{- $qnaAzureOpenAISecret := and (index .Values "modules" "qna-openai" "enabled") (index .Values "modules" "qna-openai" "azureApiKeySecretName") }} +{{- $generativeAzureOpenAISecret := and (index .Values "modules" "generative-openai" "enabled") (index .Values "modules" "generative-openai" "azureApiKeySecretName") }} + +{{- $openAIDirect := or ($t2vOpenAIDirect) ($qnaOpenAIDirect) ($generativeOpenAIDirect) }} +{{- $azureOpenAIDirect := or ($t2vAzureOpenAIDirect) ($qnaAzureOpenAIDirect) ($generativeAzureOpenAIDirect) }} +{{- $openAI := or ($openAIDirect) ($t2vOpenAISecret) ($qnaOpenAISecret) ($generativeOpenAISecret) }} +{{- $azureOpenAI := or ($azureOpenAIDirect) ($t2vAzureOpenAISecret) ($qnaAzureOpenAISecret) ($generativeAzureOpenAISecret) }} + +{{- if and ($t2vOpenAIDirect) ($t2vOpenAISecret) -}} + {{- fail "text2vec-openai uses both apiKey and apiKeySecretName. Please choose one source for OPENAI_APIKEY." }} +{{- end }} +{{- if and ($qnaOpenAIDirect) ($qnaOpenAISecret) -}} + {{- fail "qna-openai uses both apiKey and apiKeySecretName. Please choose one source for OPENAI_APIKEY." }} +{{- end }} +{{- if and ($generativeOpenAIDirect) ($generativeOpenAISecret) -}} + {{- fail "generative-openai uses both apiKey and apiKeySecretName. Please choose one source for OPENAI_APIKEY." }} +{{- end }} +{{- if and ($t2vAzureOpenAIDirect) ($t2vAzureOpenAISecret) -}} + {{- fail "text2vec-openai uses both azureApiKey and azureApiKeySecretName. Please choose one source for AZURE_APIKEY." 
}} +{{- end }} +{{- if and ($qnaAzureOpenAIDirect) ($qnaAzureOpenAISecret) -}} + {{- fail "qna-openai uses both azureApiKey and azureApiKeySecretName. Please choose one source for AZURE_APIKEY." }} +{{- end }} +{{- if and ($generativeAzureOpenAIDirect) ($generativeAzureOpenAISecret) -}} + {{- fail "generative-openai uses both azureApiKey and azureApiKeySecretName. Please choose one source for AZURE_APIKEY." }} +{{- end }} + +{{- $openAISecretRefs := list }} +{{- if $t2vOpenAISecret -}} + {{- $openAISecretRefs = append $openAISecretRefs (printf "%s/%s" (index .Values "modules" "text2vec-openai" "apiKeySecretName") (default "apiKey" (index .Values "modules" "text2vec-openai" "apiKeySecretKey"))) -}} +{{- end -}} +{{- if $qnaOpenAISecret -}} + {{- $openAISecretRefs = append $openAISecretRefs (printf "%s/%s" (index .Values "modules" "qna-openai" "apiKeySecretName") (default "apiKey" (index .Values "modules" "qna-openai" "apiKeySecretKey"))) -}} +{{- end -}} +{{- if $generativeOpenAISecret -}} + {{- $openAISecretRefs = append $openAISecretRefs (printf "%s/%s" (index .Values "modules" "generative-openai" "apiKeySecretName") (default "apiKey" (index .Values "modules" "generative-openai" "apiKeySecretKey"))) -}} +{{- end -}} + +{{- $azureOpenAISecretRefs := list }} +{{- if $t2vAzureOpenAISecret -}} + {{- $azureOpenAISecretRefs = append $azureOpenAISecretRefs (printf "%s/%s" (index .Values "modules" "text2vec-openai" "azureApiKeySecretName") (default "apiKey" (index .Values "modules" "text2vec-openai" "azureApiKeySecretKey"))) -}} +{{- end -}} +{{- if $qnaAzureOpenAISecret -}} + {{- $azureOpenAISecretRefs = append $azureOpenAISecretRefs (printf "%s/%s" (index .Values "modules" "qna-openai" "azureApiKeySecretName") (default "apiKey" (index .Values "modules" "qna-openai" "azureApiKeySecretKey"))) -}} +{{- end -}} +{{- if $generativeAzureOpenAISecret -}} + {{- $azureOpenAISecretRefs = append $azureOpenAISecretRefs (printf "%s/%s" (index .Values "modules" "generative-openai" 
"azureApiKeySecretName") (default "apiKey" (index .Values "modules" "generative-openai" "azureApiKeySecretKey"))) -}} +{{- end -}} + +{{- if gt (len ($openAISecretRefs | uniq)) 1 -}} + {{- fail "OpenAI modules activated, but their existing secret references for OPENAI_APIKEY differ. Use the same secret name/key on all activated OpenAI modules." }} +{{- end }} +{{- if gt (len ($azureOpenAISecretRefs | uniq)) 1 -}} + {{- fail "OpenAI modules activated, but their existing secret references for AZURE_APIKEY differ. Use the same secret name/key on all activated OpenAI modules." }} +{{- end }} +{{- if and ($openAIDirect) (gt (len $openAISecretRefs) 0) -}} + {{- fail "OpenAI modules activated, but with both inline apiKey and apiKeySecretName. Choose one source for OPENAI_APIKEY across all activated OpenAI modules." }} +{{- end }} +{{- if and ($azureOpenAIDirect) (gt (len $azureOpenAISecretRefs) 0) -}} + {{- fail "OpenAI modules activated, but with both inline azureApiKey and azureApiKeySecretName. Choose one source for AZURE_APIKEY across all activated OpenAI modules." }} +{{- end }} {{- if and ($openAI) ($azureOpenAI) -}} {{- fail "OpenAI modules activated, but with both OpenAI and Azure OpenAI keys. Please choose one configuration to pass either OpenAI or Azure OpenAI api key." 
}} {{- end }} -{{- if or ($openAI) ($azureOpenAI) }} +{{- if or ($openAIDirect) ($azureOpenAIDirect) }} {{- $apiKeys := list }} -{{- if $t2vOpenAI }} +{{- if $t2vOpenAIDirect -}} {{- $apiKeys = append $apiKeys (index .Values "modules" "text2vec-openai" "apiKey") -}} {{- end }} -{{- if $qnaOpenAI }} +{{- if $qnaOpenAIDirect -}} {{- $apiKeys = append $apiKeys (index .Values "modules" "qna-openai" "apiKey") -}} {{- end }} -{{- if $generativeOpenAI }} +{{- if $generativeOpenAIDirect -}} {{- $apiKeys = append $apiKeys (index .Values "modules" "generative-openai" "apiKey") -}} {{- end }} -{{- if $t2vAzureOpenAI }} +{{- if $t2vAzureOpenAIDirect -}} {{- $apiKeys = append $apiKeys (index .Values "modules" "text2vec-openai" "azureApiKey") -}} {{- end }} -{{- if $qnaAzureOpenAI }} +{{- if $qnaAzureOpenAIDirect -}} {{- $apiKeys = append $apiKeys (index .Values "modules" "qna-openai" "azureApiKey") -}} {{- end }} -{{- if $generativeAzureOpenAI }} +{{- if $generativeAzureOpenAIDirect -}} {{- $apiKeys = append $apiKeys (index .Values "modules" "generative-openai" "azureApiKey") -}} {{- end }} diff --git a/weaviate/templates/weaviateStatefulset.yaml b/weaviate/templates/weaviateStatefulset.yaml index 117ef5ae..12281615 100644 --- a/weaviate/templates/weaviateStatefulset.yaml +++ b/weaviate/templates/weaviateStatefulset.yaml 
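Review bot: The per-module logic in this hunk is written out six times over (six `…Secret` flags, six per-module `fail` blocks, six `append` blocks), and weaviateStatefulset.yaml re-spells the same predicates in its `secretKeyRef` chain, which takes the first module that has a secret name and is only correct because the guards here have already rejected differing references. I would fold the per-module `fail` and `append` blocks into one `range` over the three module names and add a template comment saying that the StatefulSet depends on these guards, so that a later edit to one file cannot let the pod read a different secret than the one validated. The flags and the aggregate checks can stay as they are. The template continues past the end of the hunk.

```yaml
{{- /* … unchanged: $…Direct / $…Secret flags and the $openAI / $azureOpenAI aggregates … */ -}}
{{- /* weaviateStatefulset.yaml picks the first module with a secret name; it relies on the checks below. */ -}}
{{- $openAISecretRefs := list }}
{{- $azureOpenAISecretRefs := list }}
{{- range $name := list "text2vec-openai" "qna-openai" "generative-openai" }}
  {{- $m := index $.Values "modules" $name }}
  {{- if $m.enabled }}
    {{- if and $m.apiKey $m.apiKeySecretName }}
      {{- fail (printf "%s uses both apiKey and apiKeySecretName. Please choose one source for OPENAI_APIKEY." $name) }}
    {{- end }}
    {{- if and $m.azureApiKey $m.azureApiKeySecretName }}
      {{- fail (printf "%s uses both azureApiKey and azureApiKeySecretName. Please choose one source for AZURE_APIKEY." $name) }}
    {{- end }}
    {{- if $m.apiKeySecretName }}
      {{- $openAISecretRefs = append $openAISecretRefs (printf "%s/%s" $m.apiKeySecretName (default "apiKey" $m.apiKeySecretKey)) }}
    {{- end }}
    {{- if $m.azureApiKeySecretName }}
      {{- $azureOpenAISecretRefs = append $azureOpenAISecretRefs (printf "%s/%s" $m.azureApiKeySecretName (default "apiKey" $m.azureApiKeySecretKey)) }}
    {{- end }}
  {{- end }}
{{- end }}
{{- /* … unchanged: uniq / mixed-source / OpenAI-vs-Azure fail checks and the $apiKeys list … */ -}}
```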
@@ -210,19 +210,41 @@ spec: - name: RERANKER_INFERENCE_API value: {{ index .Values "modules" "reranker-transformers" "inferenceUrl" }} {{- end }} - {{ if or (and (index .Values "modules" "text2vec-openai" "enabled") (index .Values "modules" "text2vec-openai" "apiKey")) (and (index .Values "modules" "qna-openai" "enabled") (index .Values "modules" "qna-openai" "apiKey")) (and (index .Values "modules" "generative-openai" "enabled") (index .Values "modules" "generative-openai" "apiKey")) }} + {{ if or (and (index .Values "modules" "text2vec-openai" "enabled") (index .Values "modules" "text2vec-openai" "apiKey")) (and (index .Values "modules" "text2vec-openai" "enabled") (index .Values "modules" "text2vec-openai" "apiKeySecretName")) (and (index .Values "modules" "qna-openai" "enabled") (index .Values "modules" "qna-openai" "apiKey")) (and (index .Values "modules" "qna-openai" "enabled") (index .Values "modules" "qna-openai" "apiKeySecretName")) (and (index .Values "modules" "generative-openai" "enabled") (index .Values "modules" "generative-openai" "apiKey")) (and (index .Values "modules" "generative-openai" "enabled") (index .Values "modules" "generative-openai" "apiKeySecretName")) }} - name: OPENAI_APIKEY valueFrom: secretKeyRef: + {{- if and (index .Values "modules" "text2vec-openai" "enabled") (index .Values "modules" "text2vec-openai" "apiKeySecretName") }} + name: {{ index .Values "modules" "text2vec-openai" "apiKeySecretName" }} + key: {{ default "apiKey" (index .Values "modules" "text2vec-openai" "apiKeySecretKey") }} + {{- else if and (index .Values "modules" "qna-openai" "enabled") (index .Values "modules" "qna-openai" "apiKeySecretName") }} + name: {{ index .Values "modules" "qna-openai" "apiKeySecretName" }} + key: {{ default "apiKey" (index .Values "modules" "qna-openai" "apiKeySecretKey") }} + {{- else if and (index .Values "modules" "generative-openai" "enabled") (index .Values "modules" "generative-openai" "apiKeySecretName") }} + name: {{ index 
.Values "modules" "generative-openai" "apiKeySecretName" }} + key: {{ default "apiKey" (index .Values "modules" "generative-openai" "apiKeySecretKey") }} + {{- else }} name: weaviate-openai key: apiKey + {{- end }} {{- end }} - {{ if or (and (index .Values "modules" "text2vec-openai" "enabled") (index .Values "modules" "text2vec-openai" "azureApiKey")) (and (index .Values "modules" "qna-openai" "enabled") (index .Values "modules" "qna-openai" "azureApiKey")) (and (index .Values "modules" "generative-openai" "enabled") (index .Values "modules" "generative-openai" "azureApiKey")) }} + {{ if or (and (index .Values "modules" "text2vec-openai" "enabled") (index .Values "modules" "text2vec-openai" "azureApiKey")) (and (index .Values "modules" "text2vec-openai" "enabled") (index .Values "modules" "text2vec-openai" "azureApiKeySecretName")) (and (index .Values "modules" "qna-openai" "enabled") (index .Values "modules" "qna-openai" "azureApiKey")) (and (index .Values "modules" "qna-openai" "enabled") (index .Values "modules" "qna-openai" "azureApiKeySecretName")) (and (index .Values "modules" "generative-openai" "enabled") (index .Values "modules" "generative-openai" "azureApiKey")) (and (index .Values "modules" "generative-openai" "enabled") (index .Values "modules" "generative-openai" "azureApiKeySecretName")) }} - name: AZURE_APIKEY valueFrom: secretKeyRef: + {{- if and (index .Values "modules" "text2vec-openai" "enabled") (index .Values "modules" "text2vec-openai" "azureApiKeySecretName") }} + name: {{ index .Values "modules" "text2vec-openai" "azureApiKeySecretName" }} + key: {{ default "apiKey" (index .Values "modules" "text2vec-openai" "azureApiKeySecretKey") }} + {{- else if and (index .Values "modules" "qna-openai" "enabled") (index .Values "modules" "qna-openai" "azureApiKeySecretName") }} + name: {{ index .Values "modules" "qna-openai" "azureApiKeySecretName" }} + key: {{ default "apiKey" (index .Values "modules" "qna-openai" "azureApiKeySecretKey") }} + {{- else 
if and (index .Values "modules" "generative-openai" "enabled") (index .Values "modules" "generative-openai" "azureApiKeySecretName") }} + name: {{ index .Values "modules" "generative-openai" "azureApiKeySecretName" }} + key: {{ default "apiKey" (index .Values "modules" "generative-openai" "azureApiKeySecretKey") }} + {{- else }} name: weaviate-openai key: apiKey + {{- end }} {{- end }} {{- if and (index .Values "modules" "text2vec-huggingface" "enabled") (index .Values "modules" "text2vec-huggingface" "apiKey") }} - name: HUGGINGFACE_APIKEY diff --git a/weaviate/values.yaml b/weaviate/values.yaml index 01b70ebf..68ec2724 100644 --- a/weaviate/values.yaml +++ b/weaviate/values.yaml @@ -1056,7 +1056,18 @@ modules: # an environment variable. You can set either the OpenAI's Service API key # OR the Azure OpenAI's Service Key. Note that you cannot set both of the at the same time. apiKey: '' + # Use an existing Kubernetes secret for OpenAI API key instead of `apiKey`. + # If set, the chart will not create `weaviate-openai` for this key. + apiKeySecretName: '' + # Secret key inside `apiKeySecretName`. + apiKeySecretKey: 'apiKey' + azureApiKey: '' + # Use an existing Kubernetes secret for Azure OpenAI API key instead of `azureApiKey`. + # If set, the chart will not create `weaviate-openai` for this key. + azureApiKeySecretName: '' + # Secret key inside `azureApiKeySecretName`. + azureApiKeySecretKey: 'apiKey' # The text2vec-huggingface module uses HuggingFace API # to dynamically compute vector embeddings based on the 
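Review bot: The new `name:` and `key:` lines under both `secretKeyRef` blocks render the user-supplied values unquoted, so a value that YAML reads as a number or boolean (for instance one passed as `--set …apiKeySecretName=123`) would be emitted as a non-string scalar. That would most likely surface as an API validation error at apply time rather than a clear message at render time. Piping each through `quote` avoids it, e.g. `name: {{ index .Values "modules" "text2vec-openai" "apiKeySecretName" | quote }}` and `key: {{ default "apiKey" (index .Values "modules" "text2vec-openai" "apiKeySecretKey") | quote }}`, and likewise for the qna-openai, generative-openai and Azure branches. The container env list this hunk sits in starts and ends outside the hunk.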
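Review bot: The comments added for `apiKeySecretName` and `azureApiKeySecretName` do not mention the constraints that the templates enforce or the one that Kubernetes imposes, and the same applies to the hunks at `@@ -1619` and `@@ -1634`. I would extend each comment with something like `# The Secret must already exist in the release namespace. All enabled OpenAI modules must reference the same secret name and key, and it cannot be combined with an inline apiKey on any of them.` It may also be worth stating why a reader should prefer this option: an inline `apiKey` is kept with the release's stored values, while a secret reference keeps the key out of them. The `modules:` map these keys belong to starts outside the hunk.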
@@ -1619,7 +1630,18 @@ modules: # an environment variable. You can set either the OpenAI's Service API key # OR the Azure OpenAI's Service Key. Note that you cannot set both of the at the same time. apiKey: '' + # Use an existing Kubernetes secret for OpenAI API key instead of `apiKey`. + # If set, the chart will not create `weaviate-openai` for this key. + apiKeySecretName: '' + # Secret key inside `apiKeySecretName`. + apiKeySecretKey: 'apiKey' + azureApiKey: '' + # Use an existing Kubernetes secret for Azure OpenAI API key instead of `azureApiKey`. + # If set, the chart will not create `weaviate-openai` for this key. + azureApiKeySecretName: '' + # Secret key inside `azureApiKeySecretName`. + azureApiKeySecretKey: 'apiKey' # The generative-openai module uses OpenAI Completions API # along with text-davinci-003 model to behave as ChatGPT. @@ -1634,7 +1656,18 @@ modules: # an environment variable. You can set either the OpenAI's Service API key # OR the Azure OpenAI's Service Key. Note that you cannot set both of the at the same time. apiKey: '' + # Use an existing Kubernetes secret for OpenAI API key instead of `apiKey`. + # If set, the chart will not create `weaviate-openai` for this key. + apiKeySecretName: '' + # Secret key inside `apiKeySecretName`. + apiKeySecretKey: 'apiKey' + azureApiKey: '' + # Use an existing Kubernetes secret for Azure OpenAI API key instead of `azureApiKey`. + # If set, the chart will not create `weaviate-openai` for this key. + azureApiKeySecretName: '' + # Secret key inside `azureApiKeySecretName`. + azureApiKeySecretKey: 'apiKey' # The generative-cohere module uses Cohere Generate API # More information about Cohere's Generate API can be found here: