Use CI variable for stage admin password

- Remove Secrets Manager config from values-stage.yaml - Pass STAGE_ADMIN_PASSWORD via --set in deploy_stage - Consistent with feature branch approach Single source of truth: STAGE_ADMIN_PASSWORD CI variable is used by deploy, reset, and integration test jobs.
2026-01-27 20:36:21 +00:00
parent fe07638485
commit aa853b5b32
2 changed files with 3 additions and 5 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -430,6 +430,7 @@ deploy_stage:
        --namespace $NAMESPACE \
        -f $VALUES_FILE \
        --set image.tag=git.linux-amd64-$CI_COMMIT_SHA \
+        --set orchard.auth.adminPassword=$STAGE_ADMIN_PASSWORD \
        --wait \
        --atomic \
        --timeout 10m
--- a/helm/orchard/values-stage.yaml
+++ b/helm/orchard/values-stage.yaml
@@ -96,11 +96,8 @@ orchard:
    port: 8080

  # Authentication settings
-  auth:
-    # Admin password from AWS Secrets Manager
-    secretsManager:
-      enabled: true
-      secretArn: "arn:aws-us-gov:secretsmanager:us-gov-west-1:052673043337:secret:orchard-stage-creds-SMqvQx"
+  # Admin password is set via CI variable (STAGE_ADMIN_PASSWORD) passed as --set flag
+  # This keeps the password out of version control

  # Database configuration - uses AWS Secrets Manager via CSI driver
  database: