From f4325f153ef3a313a0cbd61f2a58307d8ed99f36 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mathieu=20Gagn=C3=A9?= <mgagne@calavera.ca>
Date: Thu, 26 Feb 2026 15:25:24 -0500
Subject: [PATCH] feat(barbican): allow users to provide configs in
 barbican.conf.d
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Allow users to provide additional projected volumes to be mounted into
the various deployments, statefulsets, and jobs that the barbican chart has
in the /etc/barbican/barbican.conf.d/ path. This allows for users to provide
service account or database secrets via different operators as well as
provide ways to use the chart to define common deployments while being
able to have site specific overrides.

Change-Id: Icef323e873c0182bebffbcc17bbfb5f171763edc
Signed-off-by: Mathieu Gagné <mgagne@calavera.ca>
---
 barbican/templates/deployment-api.yaml            | 12 ++++++++++++
 barbican/values.yaml                              |  6 ++++++
 releasenotes/notes/barbican-669168de73ab5847.yaml |  7 +++++++
 3 files changed, 25 insertions(+)
 create mode 100644 releasenotes/notes/barbican-669168de73ab5847.yaml

diff --git a/barbican/templates/deployment-api.yaml b/barbican/templates/deployment-api.yaml
index 90b63668a9..44c8dcb6be 100644
--- a/barbican/templates/deployment-api.yaml
+++ b/barbican/templates/deployment-api.yaml
@@ -25,6 +25,7 @@ httpGet:
 
 {{- $mounts_barbican_api := .Values.pod.mounts.barbican_api.barbican_api }}
 {{- $mounts_barbican_api_init := .Values.pod.mounts.barbican_api.init_container }}
+{{- $etcSources := .Values.pod.etcSources.barbican_api }}
 
 {{- $serviceAccountName := "barbican-api" }}
 {{ tuple $envAll "api" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
@@ -106,6 +107,9 @@ spec:
               mountPath: /etc/barbican/barbican.conf
               subPath: barbican.conf
               readOnly: true
+            - name: barbican-etc-snippets
+              mountPath: /etc/barbican/barbican.conf.d/
+              readOnly: true
             {{- if .Values.conf.barbican.DEFAULT.log_config_append }}
             - name: barbican-etc
               mountPath: {{ .Values.conf.barbican.DEFAULT.log_config_append }}
@@ -144,6 +148,14 @@ spec:
           secret:
             secretName: barbican-etc
             defaultMode: 0444
+        - name: barbican-etc-snippets
+{{- if $etcSources }}
+          projected:
+            sources:
+{{ toYaml $etcSources | indent 14 }}
+{{- else }}
+          emptyDir: {}
+{{ end }}
         - name: barbican-bin
           configMap:
             name: barbican-bin
diff --git a/barbican/values.yaml b/barbican/values.yaml
index a8fc3b8668..518f93c504 100644
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@@ -108,6 +108,12 @@ pod:
       barbican_db_sync:
         volumeMounts:
         volumes:
+  # -- This allows users to add Kubernetes Projected Volumes to be mounted at /etc/barbican/barbican.conf.d/
+  ## This is a list of projected volume source objects for each deployment/statefulset/daemonset/cronjob
+  ## https://kubernetes.io/docs/concepts/storage/projected-volumes/
+  etcSources:
+    barbican_api: []
+    barbican_db_sync: []
   replicas:
     api: 1
   lifecycle:
diff --git a/releasenotes/notes/barbican-669168de73ab5847.yaml b/releasenotes/notes/barbican-669168de73ab5847.yaml
new file mode 100644
index 0000000000..c92768abdc
--- /dev/null
+++ b/releasenotes/notes/barbican-669168de73ab5847.yaml
@@ -0,0 +1,7 @@
+---
+barbican:
+  - |
+    Allow users to add additional sources to the Projected Volume that is mounted
+    at /etc/barbican/barbican.conf.d/ so they may more easily override configs or provide
+    additional configs for the various services in the chart.
+...