From f54f1aca01d51aa9f2e8e53fec7c10ad27c87ba8 Mon Sep 17 00:00:00 2001
From: Markus Pesch
Date: Sun, 30 Nov 2025 13:58:34 +0100
Subject: [PATCH] feat(pod): support roll deployment for external TLS certificates
---
 templates/_pod.tpl | 5 +++-
 unittests/deployment/certificate.yaml | 35 +++++++++++++++++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/templates/_pod.tpl b/templates/_pod.tpl
index ccbf23c..c2d48c7 100644
--- a/templates/_pod.tpl
+++ b/templates/_pod.tpl
@@ -4,8 +4,11 @@
 
 {{- define "athens-proxy.pod.annotations" }}
 {{- include "athens-proxy.annotations" . }}
-{{- if and .Values.certificate.enabled (not .Values.certificate.existingSecret.enabled) }}
+{{- if and .Values.certificate.enabled }}
 {{- $secretName := include "athens-proxy.certificates.server.name" $ }}
+{{- if and .Values.certificate.existingSecret.enabled (gt (len .Values.certificate.existingSecret.secretName) 0) }}
+{{- $secretName = .Values.certificate.existingSecret.secretName }}
+{{- end }}
 {{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName }}
 {{ printf "checksum/secret-%s: %s" $secretName ($secret | toYaml | sha256sum) }}
 {{- end }}
diff --git a/unittests/deployment/certificate.yaml b/unittests/deployment/certificate.yaml
index f3fb7e5..de36cf0 100644
--- a/unittests/deployment/certificate.yaml
+++ b/unittests/deployment/certificate.yaml
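Review bot: In `templates/_pod.tpl`, nothing handles the case where `lookup` returns an empty map (as it does under `helm template`, a client-side dry run, or when the named Secret does not exist), so a mistyped or not-yet-created `existingSecret.secretName` yields a constant hash rather than an error and the rollout trigger silently stops working. The hash also covers the whole object via `$secret | toYaml`, which includes metadata such as `resourceVersion` and `managedFields`, so pods can be rolled by a metadata-only edit; wrapping the `printf` line in `{{- if $secret }}` and hashing `($secret.data | toYaml | sha256sum)` would track only the certificate and key. Because the annotation is evaluated at render time only, a certificate rotated inside the external Secret still does not restart pods until the next `helm upgrade`, which deserves a comment above the `lookup` line such as `{{/* checksum is computed at install/upgrade time only; in-cluster rotation of the Secret does not roll pods */}}`. The `define` block is closed outside this hunk.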
@@ -67,6 +67,41 @@ tests:
 name: tls
 mountPath: /etc/athens-proxy/tls
 template: templates/deployment.yaml
+ - contains:
+ path: spec.template.spec.volumes
+ content:
+ name: tls
+ secret:
+ secretName: athens-proxy-unittest-tls
+ template: templates/deployment.yaml
+
+- it: Rendering with external TLS config
+ set:
+ certificate.enabled: true
+ certificate.existingSecret.enabled: true
+ certificate.existingSecret.secretName: my-own-secret
+ asserts:
+ - exists:
+ path: spec.template.metadata.annotations["checksum/secret-my-own-secret"]
+ template: templates/deployment.yaml
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ATHENS_TLSCERT_FILE
+ value: /etc/athens-proxy/tls/tls.crt
+ template: templates/deployment.yaml
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: ATHENS_TLSKEY_FILE
+ value: /etc/athens-proxy/tls/tls.key
+ template: templates/deployment.yaml
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ name: tls
+ mountPath: /etc/athens-proxy/tls
+ template: templates/deployment.yaml
 - contains:
 path: spec.template.spec.volumes
 content:
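Review bot: The new case "Rendering with external TLS config" leaves the fallback branch of `_pod.tpl` untested: with `certificate.existingSecret.enabled: true` and an empty `secretName`, the template silently reverts to the chart-generated name. A second case that sets `certificate.existingSecret.secretName: ""` and asserts which annotation key is rendered (presumably `checksum/secret-athens-proxy-unittest-tls`, judging by the volume assertion added above) would pin that behaviour. The `exists` assertion checks only the annotation key, and since no cluster is available to `lookup` in a unit test the hashed value is presumably that of an empty object, so a regression in what gets hashed would pass unnoticed. The final `contains` on `spec.template.spec.volumes` continues past the end of the hunk, so whether it checks `secretName: my-own-secret` cannot be confirmed from here.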