[bitnami/milvus] Do not expose externalKafka.tls.keyPassword (#27145)

* fix: 🔀 Undo rebase

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* Update CHANGELOG.md

Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com>
Co-authored-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>

bitnami/milvus/templates/_helpers.tpl

@@ -1007,7 +1007,7 @@ Init container definition for waiting for the database to be ready
       yq e -i '.kafka.ssl.tlsCaCert = "/opt/bitnami/milvus/configs/cert/kafka/client/{{ .context.Values.externalKafka.tls.caCert }}"' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml
       {{- end }}
       {{- if .context.Values.externalKafka.tls.keyPassword }}
-      yq e -i '.kafka.ssl.tlsKeyPassword = "{{ .context.Values.externalKafka.tls.keyPassword }}"' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml
+      yq e -i '.kafka.ssl.tlsKeyPassword = {{ print "{{ MILVUS_KAFKA_TLS_KEY_PASSWORD }}" | quote }}' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml
       {{- end }}
       {{- end }}
       {{- else }}
@@ -1030,13 +1030,22 @@ Init container definition for waiting for the database to be ready
   env:
     - name: BITNAMI_DEBUG
       value: {{ ternary "true" "false" (or .context.Values.milvus.image.debug .context.Values.diagnosticMode.enabled) | quote }}
-    {{- if and (include "milvus.kafka.deployed" .context) (include "milvus.kafka.authEnabled" .context) }}
+    {{- if (include "milvus.kafka.deployed" .context) }}
+    {{- if (include "milvus.kafka.authEnabled" .context) }}
     - name: MILVUS_KAFKA_PASSWORD
       valueFrom:
         secretKeyRef:
           name: {{ include "milvus.kafka.secretName" .context }}
           key: {{ include "milvus.kafka.secretPasswordKey" .context }}
     {{- end }}
+    {{- if and .context.Values.externalKafka.tls.enabled .context.Values.externalKafka.tls.keyPassword .context.Values.externalKafka.tls.existingSecret }}
+    - name: MILVUS_KAFKA_TLS_KEY_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: {{ printf "%s-external-kafka-tls-passwords" (include "common.names.fullname" .context) }}
+          key: key-password
+    {{- end }}
+    {{- end }}
     {{- if and (include "milvus.s3.deployed" .context) }}
     - name: MILVUS_S3_ACCESS_ID
       valueFrom:

bitnami/milvus/templates/externalkafka-tls-password-secret.yaml

@@ -0,0 +1,20 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.externalKafka.tls.enabled .Values.externalKafka.tls.keyPassword .Values.externalKafka.tls.existingSecret }}
+{{- $secretName := printf "%s-external-kafka-tls-passwords" (include "common.names.fullname" .) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+type: Opaque
+data:
+  key-password: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "key-password" "providedValues" (list "externalKafka.tls.keyPassword") "context" $) }}
+{{- end }}