From 8fa2b2f97eccf762a635277eba4a4ef93e19bb9f Mon Sep 17 00:00:00 2001
From: Daniil Drazdouski <rabbidby@gmail.com>
Date: Wed, 22 Apr 2026 11:32:49 +0300
Subject: [PATCH 1/2] Added support for specifying an existing secret for
 weaviate-cluster-api-basic-auth

---
 .cicd/test.sh                                    | 3 +++
 weaviate/templates/_helpers.tpl                  | 3 ++-
 weaviate/templates/weaviateSecretClusterAPI.yaml | 4 +++-
 weaviate/templates/weaviateStatefulset.yaml      | 4 ++--
 weaviate/values.yaml                             | 8 ++++++++
 5 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/.cicd/test.sh b/.cicd/test.sh
index afcbaead..4cbdef6a 100755
--- a/.cicd/test.sh
+++ b/.cicd/test.sh
@@ -76,6 +76,9 @@ function check_creates_template() {
   check_no_setting "" "name: ENABLE_MODULES"
   check_setting_has_value "" "name: DEFAULT_VECTORIZER_MODULE" "value: none"
   check_no_setting "" "serviceAccountName"
+  check_string_existence "" "type: kubernetes.io/basic-auth"
+  check_no_setting "--set clusterApi.basicAuth.secret.create=false" "type: kubernetes.io/basic-auth"
+  check_string_existence "--set clusterApi.basicAuth.secret.name=external-cluster-api-basic-auth" "name: external-cluster-api-basic-auth"
   check_setting_has_value "--set serviceAccountName=my-service-account-test" "serviceAccountName" "my-service-account-test"
   check_setting_has_value "--set modules.default_vectorizer_module=text2vec-openai" "name: DEFAULT_VECTORIZER_MODULE" "value: text2vec-openai"
   check_modules "--set modules.text2vec-contextionary.enabled=true" "value: text2vec-contextionary"
diff --git a/weaviate/templates/_helpers.tpl b/weaviate/templates/_helpers.tpl
index 031048af..f49a9503 100644
--- a/weaviate/templates/_helpers.tpl
+++ b/weaviate/templates/_helpers.tpl
@@ -234,7 +234,8 @@ imagePullSecrets:
 Cluster API Secrets
 */}}
 {{- define "cluster_api.secret" -}}
-{{- $secret := lookup "v1" "Secret" .Release.Namespace "weaviate-cluster-api-basic-auth" -}}
+{{- $secretName := .Values.clusterApi.basicAuth.secret.name -}}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName -}}
 {{- if $secret -}}
 {{/*
    Reusing value of secret if exist
diff --git a/weaviate/templates/weaviateSecretClusterAPI.yaml b/weaviate/templates/weaviateSecretClusterAPI.yaml
index 8256dc88..4b04ff7a 100644
--- a/weaviate/templates/weaviateSecretClusterAPI.yaml
+++ b/weaviate/templates/weaviateSecretClusterAPI.yaml
@@ -1,7 +1,9 @@
+{{- if (index .Values.clusterApi.basicAuth.secret.create) }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: weaviate-cluster-api-basic-auth
+  name: {{ .Values.clusterApi.basicAuth.secret.name }}
 type: kubernetes.io/basic-auth
 data:
 {{- ( include "cluster_api.secret" . ) | indent 2 -}}
+{{- end }}
diff --git a/weaviate/templates/weaviateStatefulset.yaml b/weaviate/templates/weaviateStatefulset.yaml
index 117ef5ae..294ee433 100644
--- a/weaviate/templates/weaviateStatefulset.yaml
+++ b/weaviate/templates/weaviateStatefulset.yaml
@@ -105,12 +105,12 @@ spec:
           - name: CLUSTER_BASIC_AUTH_USERNAME
             valueFrom:
               secretKeyRef:
-                name: weaviate-cluster-api-basic-auth
+                name: {{ .Values.clusterApi.basicAuth.secret.name }}
                 key: username
           - name: CLUSTER_BASIC_AUTH_PASSWORD
             valueFrom:
               secretKeyRef:
-                name: weaviate-cluster-api-basic-auth
+                name: {{ .Values.clusterApi.basicAuth.secret.name }}
                 key: password
           - name: PERSISTENCE_DATA_PATH
             value: '/var/lib/weaviate'
diff --git a/weaviate/values.yaml b/weaviate/values.yaml
index 01b70ebf..af6aaec6 100644
--- a/weaviate/values.yaml
+++ b/weaviate/values.yaml
@@ -296,6 +296,14 @@ query_defaults:
   limit: 100
 debug: false
 
+clusterApi:
+  basicAuth:
+    secret:
+      # Set to false when the Secret is created/managed externally (for example via a secrets operator).
+      create: true
+      # Existing Secret name to read CLUSTER_BASIC_AUTH_USERNAME/CLUSTER_BASIC_AUTH_PASSWORD from.
+      name: weaviate-cluster-api-basic-auth
+
 
 # Insert any custom environment variables or envSecrets by putting the exact name
 # and desired value into the settings below. Any env name passed will be automatically

From e34a13036304558f84e4657a37b61cadf5690282 Mon Sep 17 00:00:00 2001
From: Daniil Drazdouski <rabbidby@gmail.com>
Date: Wed, 22 Apr 2026 11:46:54 +0300
Subject: [PATCH 2/2] Added support for specifying usernameKey/passwordKey
 within clusterApi.basicAuth.secret

---
 weaviate/templates/_helpers.tpl             | 8 ++++----
 weaviate/templates/weaviateStatefulset.yaml | 4 ++--
 weaviate/values.yaml                        | 3 ++-
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/weaviate/templates/_helpers.tpl b/weaviate/templates/_helpers.tpl
index f49a9503..220ec203 100644
--- a/weaviate/templates/_helpers.tpl
+++ b/weaviate/templates/_helpers.tpl
@@ -240,14 +240,14 @@ Cluster API Secrets
 {{/*
    Reusing value of secret if exist
 */}}
-username: {{ $secret.data.username }}
-password: {{ $secret.data.password }}
+{{ .Values.clusterApi.basicAuth.secret.usernameKey }}: {{ $secret.data.username }}
+{{ .Values.clusterApi.basicAuth.secret.passwordKey }}: {{ $secret.data.password }}
 {{- else -}}
 {{/*
     add new data
 */}}
-username: {{ randAlphaNum 32 | b64enc | quote }}
-password: {{ randAlphaNum 32 | b64enc | quote }}
+{{ .Values.clusterApi.basicAuth.secret.usernameKey }}: {{ randAlphaNum 32 | b64enc | quote }}
+{{ .Values.clusterApi.basicAuth.secret.passwordKey }}: {{ randAlphaNum 32 | b64enc | quote }}
 {{- end -}}
 {{- end -}}
 
diff --git a/weaviate/templates/weaviateStatefulset.yaml b/weaviate/templates/weaviateStatefulset.yaml
index 294ee433..350f5248 100644
--- a/weaviate/templates/weaviateStatefulset.yaml
+++ b/weaviate/templates/weaviateStatefulset.yaml
@@ -106,12 +106,12 @@ spec:
             valueFrom:
               secretKeyRef:
                 name: {{ .Values.clusterApi.basicAuth.secret.name }}
-                key: username
+                key: {{ .Values.clusterApi.basicAuth.secret.usernameKey }}
           - name: CLUSTER_BASIC_AUTH_PASSWORD
             valueFrom:
               secretKeyRef:
                 name: {{ .Values.clusterApi.basicAuth.secret.name }}
-                key: password
+                key: {{ .Values.clusterApi.basicAuth.secret.passwordKey }}
           - name: PERSISTENCE_DATA_PATH
             value: '/var/lib/weaviate'
           - name: DEFAULT_VECTORIZER_MODULE
diff --git a/weaviate/values.yaml b/weaviate/values.yaml
index af6aaec6..2d7bc791 100644
--- a/weaviate/values.yaml
+++ b/weaviate/values.yaml
@@ -303,7 +303,8 @@ clusterApi:
       create: true
       # Existing Secret name to read CLUSTER_BASIC_AUTH_USERNAME/CLUSTER_BASIC_AUTH_PASSWORD from.
       name: weaviate-cluster-api-basic-auth
-
+      usernameKey: username
+      passwordKey: password
 
 # Insert any custom environment variables or envSecrets by putting the exact name
 # and desired value into the settings below. Any env name passed will be automatically