From aa853b5b329af9c598bd701af4dd831da4acc638 Mon Sep 17 00:00:00 2001
From: Mondo Diaz
Date: Tue, 27 Jan 2026 20:36:21 +0000
Subject: [PATCH] Use CI variable for stage admin password

- Remove Secrets Manager config from values-stage.yaml
- Pass STAGE_ADMIN_PASSWORD via --set in deploy_stage
- Consistent with feature branch approach

Single source of truth: STAGE_ADMIN_PASSWORD CI variable is used by deploy, reset, and integration test jobs.
---
 .gitlab-ci.yml | 1 +
 helm/orchard/values-stage.yaml | 7 ++-----
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 20c0cac..b28100e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -430,6 +430,7 @@ deploy_stage:
 --namespace $NAMESPACE \
 -f $VALUES_FILE \
 --set image.tag=git.linux-amd64-$CI_COMMIT_SHA \
+ --set orchard.auth.adminPassword=$STAGE_ADMIN_PASSWORD \
 --wait \
 --atomic \
 --timeout 10m
diff --git a/helm/orchard/values-stage.yaml b/helm/orchard/values-stage.yaml
index 7e8cbcf..422cd49 100644
--- a/helm/orchard/values-stage.yaml
+++ b/helm/orchard/values-stage.yaml
@@ -96,11 +96,8 @@ orchard:
 port: 8080
 # Authentication settings
- auth:
- # Admin password from AWS Secrets Manager
- secretsManager:
- enabled: true
- secretArn: "arn:aws-us-gov:secretsmanager:us-gov-west-1:052673043337:secret:orchard-stage-creds-SMqvQx"
+ # Admin password is set via CI variable (STAGE_ADMIN_PASSWORD) passed as --set flag
+ # This keeps the password out of version control
 # Database configuration - uses AWS Secrets Manager via CSI driver
 database:
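Review bot: The added `--set orchard.auth.adminPassword=$STAGE_ADMIN_PASSWORD` line in the deploy_stage hunk of .gitlab-ci.yml expands the secret unquoted, so a password containing whitespace or shell metacharacters is word-split, and Helm's `--set` parser additionally treats commas and backslashes as syntax and coerces values such as all-digit strings to non-string types. I would write it as `--set-string orchard.auth.adminPassword="$STAGE_ADMIN_PASSWORD" \`; a comma in the password still needs escaping, or the value can go through a temporary values file instead. If the variable is unset for the pipeline, for example because it is protected and the ref is not, the flag sets an empty string; a guard such as `: "${STAGE_ADMIN_PASSWORD:?not set}"` before the helm call would fail the job instead, though the start of the command is outside this hunk. Whether the variable is masked in the project settings is not visible here and is worth confirming.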
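Review bot: The new comment in helm/orchard/values-stage.yaml says the change keeps the password out of version control, but it does not say that the value now has to be supplied on every install or upgrade and that this file no longer sets anything under `orchard.auth`. Values given with `--set` are also recorded in the Helm release data stored in the namespace, so anyone who can read the release Secrets or run `helm get values` can recover the password, which the removed Secrets Manager reference presumably did not expose; the database block below still uses the CSI driver. I would extend the comment to something like `# orchard.auth.adminPassword must be passed at deploy time (no default here); it is stored in the Helm release values` and confirm how the chart behaves when the value is empty, which this hunk does not show.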