From 37012c17de1a00387ddf3f0bb3cd45e4291beae1 Mon Sep 17 00:00:00 2001
From: Beraldo Leal
Date: Wed, 25 Feb 2026 14:12:35 -0500
Subject: [PATCH 1/3] feat: add kbs.extraSecrets for non-ESO secrets

Allow adding pre-existing K8s Secrets to kbsSecretResources without creating ExternalSecrets. Useful for secrets created by imperative jobs or other controllers outside the Vault flow.

Signed-off-by: Beraldo Leal
---
templates/kbs.yaml | 3 +++
values.yaml | 7 +++++++
2 files changed, 10 insertions(+)

diff --git a/templates/kbs.yaml b/templates/kbs.yaml
index 95fb974..c0e3644 100644
--- a/templates/kbs.yaml
+++ b/templates/kbs.yaml
@@ -14,6 +14,9 @@ spec:
 {{- range .Values.kbs.secretResources }}
 - "{{ .name }}"
 {{- end }}
+ {{- range .Values.kbs.extraSecrets }}
+ - "{{ . }}"
+ {{- end }}
 {{- if eq .Values.global.coco.securityPolicyFlavour "signed" }}
 - "cosign-keys"
 {{- end }}
diff --git a/values.yaml b/values.yaml
index 8f70490..fa1a3af 100644
--- a/values.yaml
+++ b/values.yaml
@@ -36,6 +36,13 @@ kbs:
 key: "secret/data/hub/kbsres1"
 - name: "passphrase"
 key: "secret/data/hub/passphrase"
+ # Pre-existing secrets to add to kbsSecretResources without creating
+ # ExternalSecrets. Use this for secrets that are created outside the
+ # Vault/ESO flow (e.g. by imperative jobs, cert-manager, or other
+ # controllers). Only the secret name is needed; the secret must already
+ # exist in the trustee-operator-system namespace.
+ extraSecrets: []
+
 # Intel TDX (Trust Domain Extensions) configuration
 tdx:
 # Enable TDX attestation support

From 28e89a1cdf148ca321ec9a2c1ba39ea2a4108b45 Mon Sep 17 00:00:00 2001
From: Beraldo Leal
Date: Fri, 6 Mar 2026 09:30:20 -0500
Subject: [PATCH 2/3] chore: bump to 0.2.1

IIUC, the semantic ver is not triggered yet. And we need a 0.2.1

Signed-off-by: Beraldo Leal
---
Chart.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Chart.yaml b/Chart.yaml
index 5f71b50..a031cc1 100644
--- a/Chart.yaml
+++ b/Chart.yaml
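Review bot: The added `- "{{ . }}"` line inside the `extraSecrets` range renders whatever the value holds, so an entry written in the `secretResources` shape (`- name: foo`) or an empty item is emitted as `map[name:foo]` or `""` instead of being rejected, and the rendered spec then names a Secret that does not exist. Since each listed name presumably becomes a resource the KBS hands to attested workloads, a mistyped or mis-shaped entry is an authorization mistake that only surfaces at fetch time; failing at render is cheaper: `- {{ required "kbs.extraSecrets entries must be non-empty secret names" . | quote }}`. The range also does not deduplicate against the `secretResources` names, and whether the operator tolerates a repeated entry in kbsSecretResources is not visible here. The enclosing `spec:` block starts before the hunk.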
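Review bot: The five comment lines above `extraSecrets: []` are plain `#` comments, so helm-docs does not pick them up and the regenerated README row in the third patch shows an empty description for `kbs.extraSecrets`; start the block with `# -- Pre-existing secrets to add to kbsSecretResources without creating ExternalSecrets.` so the table carries it. The comment also hard-codes the namespace as `trustee-operator-system`; if the chart or operator derives that namespace from a value, say so instead of naming a literal so the comment cannot drift from the template. A one-line example such as `# extraSecrets: ["my-precreated-secret"]` (constructed name) would make the expected scalar form obvious, since the sibling `secretResources` entries are mappings with `name`/`key`.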
@@ -7,4 +7,4 @@ keywords:
 - confidential-containers
 name: trustee
 # DO NOT EDIT VERSION HERE, IT IS AUTO-GENERATED BY SEMANTIC-RELEASE
-version: 0.2.0
+version: 0.2.1

From 6dd88ffa45db11407ec2ee3568cd31003771277a Mon Sep 17 00:00:00 2001
From: Beraldo Leal
Date: Fri, 6 Mar 2026 09:31:26 -0500
Subject: [PATCH 3/3] chore: update docs

just a make helm-docs

Signed-off-by: Beraldo Leal
---
README.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 2d8334a..9d7fba2 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # trustee
-![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square)
+![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square)
 A Helm chart to provide an opinionated deployment of Trustee in a validated pattern
@@ -32,6 +32,7 @@ In order to use this chart, you will need to:
 | global.coco.securityPolicyFlavour | string | `"insecure"` | |
 | global.secretStore.backend | string | `""` | |
 | kbs.cosignKeys | string | `"secret/data/hub/coSignKeys"` | |
+| kbs.extraSecrets | list | `[]` | |
 | kbs.publicKey | string | `"secret/data/hub/kbsPublicKey"` | |
 | kbs.secretResources[0].key | string | `"secret/data/hub/kbsres1"` | |
 | kbs.secretResources[0].name | string | `"kbsres1"` | |