From bf3c581da8ae1f0c725ae89a944ea1dfdd81f217 Mon Sep 17 00:00:00 2001
From: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>
Date: Tue, 24 Feb 2026 00:03:23 +0100
Subject: [PATCH] fix(helm): prevent JWT secret regeneration on upgrade

---
 helm/cv-app/templates/secret.yaml | 6 +++---
 helm/cv-app/values.yaml           | 1 +
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/helm/cv-app/templates/secret.yaml b/helm/cv-app/templates/secret.yaml
index 69b36d7..705ed1b 100644
--- a/helm/cv-app/templates/secret.yaml
+++ b/helm/cv-app/templates/secret.yaml
@@ -1,3 +1,4 @@
+{{- if eq .Values.backend.auth.mode "simple" }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -6,6 +7,5 @@ metadata:
     {{- include "cv-app.labels" . | nindent 4 }}
 type: Opaque
 data:
-  {{- if eq .Values.backend.auth.mode "simple" }}
-  JWT_SECRET: {{ randAlphaNum 32 | b64enc | quote }}
-  {{- end }}
+  JWT_SECRET: {{ .Values.backend.auth.jwtSecret | default (randAlphaNum 32) | b64enc | quote }}
+{{- end }}
diff --git a/helm/cv-app/values.yaml b/helm/cv-app/values.yaml
index eb6627a..ba1166e 100644
--- a/helm/cv-app/values.yaml
+++ b/helm/cv-app/values.yaml
@@ -14,6 +14,7 @@ backend:
     pullPolicy: IfNotPresent
   auth:
     mode: simple
+    jwtSecret: ""
   keycloak:
     url: ""
     realm: ""