[#11696] improvement(helm): Make init-postgresql secret name configurable via postgresql.existingSecretName

[dennismdejong]

What changes were proposed in this pull request?

Make the Kubernetes secret name used by the init-postgresql init container configurable via a new postgresql.auth.existingSecretName values field, falling back to the Bitnami default {{ .Release.Name }}-postgresql when not set.

Why are the changes needed?

The Helm chart's init-postgresql init container hardcodes the secret name as {{ .Release.Name }}-postgresql, which assumes the Bitnami PostgreSQL subchart is always used. This breaks compatibility with external PostgreSQL providers (CloudNativePG, CrunchyData, AWS RDS) where the secret name is user-defined.

Fix: #11696

Does this PR introduce any user-facing change?

Yes, adds postgresql.auth.existingSecretName (default: "") to values.yaml.

How was this patch tested?

• Existing helm unit tests pass (31 tests, 5 suites)
• New test case: default behavior produces gravitino-postgresql
• New test case: existingSecretName=gravitino-cnpg-secret produces that name

[danhuawang]

Thanks for the PR! I see the motivation — making the init container work with external PostgreSQL providers (CloudNativePG, CrunchyData, AWS RDS) is a legitimate need. However, there's a structural issue that makes this change ineffective in that scenario.

The init-postgresql init container is gated on {{ if .Values.postgresql.enabled }} (deployment.yaml L128). This means:

• postgresql.enabled=true → The Bitnami subchart is deployed, it creates the secret {{ .Release.Name }}-postgresql automatically, and the hardcoded name already works. The override has no use here.
• postgresql.enabled=false → The init container is not rendered at all, so the new existingSecretName field is never evaluated — this is precisely the scenario where an external PostgreSQL provider would be in play.

In other words, the override can never fire in the use case it's designed for.

To properly support external PostgreSQL providers, the init container's condition would need to be decoupled from postgresql.enabled — for example, rendering it whenever the Gravitino entity store targets PostgreSQL, regardless of whether the Bitnami subchart is active. That's a broader change (likely involving an externalPostgresql config section, similar to how many Bitnami-based charts handle this pattern).

I'd suggest either:

1. Expanding the scope to decouple the init container guard (e.g. {{- if or .Values.postgresql.enabled .Values.externalPostgresql.enabled }}), with a corresponding external-postgres values section that holds the secret name/key; or
2. Closing this in favor of a design discussion on the linked issue about how external PostgreSQL should be supported end-to-end in the chart.

[github-actions]

Code Coverage Report

Overall Project	67.1% +0.01%	🟢
Files changed	68.25%	🟢

Module	Coverage
aliyun	1.72%	🔴
api	46.82%	🟢
authorization-common	85.96%	🟢
aws	3.66%	🔴
azure	2.47%	🔴
catalog-common	10.4%	🔴
catalog-fileset	80.23%	🟢
catalog-glue	66.91%	🟢
catalog-hive	79.44% +2.43%	🟢
catalog-jdbc-clickhouse	80.02%	🟢
catalog-jdbc-common	44.22%	🟢
catalog-jdbc-doris	80.28%	🟢
catalog-jdbc-hologres	54.03%	🟢
catalog-jdbc-mysql	79.23%	🟢
catalog-jdbc-oceanbase	78.38%	🟢
catalog-jdbc-postgresql	82.29%	🟢
catalog-jdbc-starrocks	78.51%	🟢
catalog-kafka	77.01%	🟢
catalog-lakehouse-generic	58.53%	🟢
catalog-lakehouse-hudi	79.1%	🟢
catalog-lakehouse-iceberg	85.86%	🟢
catalog-lakehouse-paimon	82.14%	🟢
catalog-model	77.72%	🟢
cli	44.51%	🟢
client-java	78.01%	🟢
common	50.17% -0.04%	🟢
core	82.45% -0.37%	🟢
filesystem-hadoop3	77.27%	🟢
flink	0.0%	🔴
flink-common	46.84% -0.33%	🟢
flink-runtime	0.0%	🔴
gcp	14.12%	🔴
hadoop-common	10.88%	🔴
hive-metastore-common	53.77%	🟢
iceberg-common	58.15%	🟢
iceberg-rest-server	73.98%	🟢
idp-basic	86.18% -2.36%	🟢
integration-test-common	0.0%	🔴
jobs	66.17%	🟢
lance-common	20.83%	🔴
lance-rest-server	60.13%	🟢
lineage	53.02%	🟢
optimizer	82.95%	🟢
optimizer-api	21.95%	🔴
server	85.96%	🟢
server-common	74.21% -0.64%	🟢
spark	28.57%	🔴
spark-common	41.66%	🟢
trino-connector	40.13%	🟢

Files

Module	File	Coverage
catalog-hive	HiveCatalogOperations.java	81.74%	🟢
common	AuthenticatorType.java	0.0%	🔴
core	CaffeineEntityCache.java	81.87%	🟢
	RelationalEntityStore.java	55.17%	🔴
	IsolatedClassLoader.java	47.96%	🔴
	NoOpsCache.java	26.32%	🔴
	SupportsRelationEntityCache.java	0.0%	🔴
flink-common	GravitinoIcebergCatalogFactory.java	32.43%	🔴
idp-basic	BasicAuthenticator.java	89.8%	🟢
	IdpRESTFeature.java	22.22%	🔴
server-common	AuthenticatorFactory.java	0.0%	🔴