[scalar-manager] Support mounting user created secret

[kota2and3kan]

Description

This PR adds a new feature, which mounts a user created secret on a pod. You can specify the secret name in scalarManager.api.secretName.

Now, users can set credentials via secret (environment variables) in application.properties.

Basically, this new feature is the same implementation as ScalarDB Cluster's feature.

• https://github.com/scalar-labs/helm-charts/blob/scalardb-cluster-1.10.1/charts/scalardb-cluster/values.yaml#L178-L179
• https://github.com/scalar-labs/helm-charts/blob/scalardb-cluster-1.10.1/charts/scalardb-cluster/templates/scalardb-cluster/deployment.yaml#L68-L72

Please take a look!

Related issues and/or PRs

N/A

Changes made

• Add a new value scalarManager.api.secretName.
• Mount the specified secret by using envFrom on the Scalar Manager API container.

Checklist

• I have commented my code, particularly in hard-to-understand areas.
• I have updated the documentation to reflect the changes.
• Any remaining open issues linked to this PR are documented and up-to-date (Jira, GitHub, etc.).
• Tests (unit, integration, etc.) have been added for the changes.
• My changes generate no new warnings.
• Any dependent changes in other PRs have been merged and published.

Additional notes (optional)

You can use this new feature as follows:

• Set scalarManager.api.secretName and set environment variable name in application.properties.

  scalarManager:
    api:
      secretName: "psim-scalar-manager-credentials-secret"
      applicationProperties: |
        app.initial-admin-user.enabled=true
        app.initial-admin-user.email=${APP_INITIAL_ADMIN_USER_EMAIL}
        app.initial-admin-user.name=${APP_INITIAL_ADMIN_USER_NAME}
        app.initial-admin-user.password=${APP_INITIAL_ADMIN_USER_PASSWORD}

• Create a secret resource.

  kubectl create secret generic psim-scalar-manager-credentials-secret \
    [email protected] \
    --from-literal=APP_INITIAL_ADMIN_USER_NAME=admin \
    --from-literal=APP_INITIAL_ADMIN_USER_PASSWORD=admin

• Deploy Scalar Manager.

  $ helm install scalar-manager ~/github.com/scalar-labs/helm-charts/charts/scalar-manager/ -f ./scalar-manager.yaml
  NAME: scalar-manager
  LAST DEPLOYED: Tue Jan 20 17:38:02 2026
  NAMESPACE: scalar-manager
  STATUS: deployed
  REVISION: 1
  DESCRIPTION: Install complete
  TEST SUITE: None

• Check if the environment variables are set in the container.

  $ kubectl exec -it scalar-manager-85d98d958d-nxpdz -c scalar-manager-api -- env | grep APP_INITIAL_ADMIN_USER
  APP_INITIAL_ADMIN_USER_PASSWORD=admin
  [email protected]
  APP_INITIAL_ADMIN_USER_NAME=admin

  $ kubectl exec -it scalar-manager-85d98d958d-nxpdz -c scalar-manager-api -- cat application.properties | grep APP_INITIAL_ADMIN_USER
  app.initial-admin-user.email=${APP_INITIAL_ADMIN_USER_EMAIL}
  app.initial-admin-user.name=${APP_INITIAL_ADMIN_USER_NAME}
  app.initial-admin-user.password=${APP_INITIAL_ADMIN_USER_PASSWORD}

• Check if the values are applied via environment variables (the admin user is registered in the backend database).

  postgres=# select * from users;
  -[ RECORD 1 ]-+-------------------------------------------------------------
  id            | 8ab70aa7-4fb3-40b4-b1c5-007e707374d7
  created_at    | 2026-01-20 08:23:27.876+00
  created_by    |
  email         | admin@example.com
  name          | admin
  password_hash | $2a$10$UVYW.kDXSiKuJpGT.8hlGuOnGfXsKpLHxxAflaIfmyxk9zJ2E6req
  role          | ADMINISTRATOR
  updated_at    | 2026-01-20 08:23:27.876+00
  updated_by    |

Release notes

N/A

[gemini-code-assist]

Summary of Changes

Hello @kota2and3kan, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the Scalar Manager's deployment capabilities by allowing users to securely inject sensitive configuration data, such as credentials, into the Scalar Manager API pods. By integrating Kubernetes Secrets via a new secretName parameter, the system can now dynamically load environment variables from user-defined secrets, improving security and operational flexibility for credential management within application.properties.

Highlights

• New Configuration Parameter: Introduced a new configuration option, scalarManager.api.secretName, allowing users to specify a Kubernetes Secret to be mounted.
• Secure Credential Management: Enabled the Scalar Manager API pod to securely load sensitive data, such as credentials, from the specified Secret's keys as environment variables using envFrom.
• Application Properties Integration: Facilitates the use of environment variables derived from Kubernetes Secrets within application.properties for dynamic and secure configuration.
• Consistency with ScalarDB Cluster: The implementation aligns with a similar secret mounting feature already present in ScalarDB Cluster's Helm chart.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a new feature to mount a user-created secret into the Scalar Manager API pod, which is a valuable addition for managing sensitive data like credentials. The implementation is clean and consistent with existing patterns in the Helm charts. My review includes one suggestion to improve the robustness of the Helm template by using the quote function, which is a recommended best practice.

[feeblefakie]

LGTM! Thank you!

[thongdk8]

LGTM! Thank you!