Create namespace and secret, do patch only if not existing

In my CI I'm running a helm upgrade command to release an app. But if it is a non-existing app, I have to create the namespace, a secret and patch the serviceaccount. So I came up with this:

kubectl create namespace ${namespace} --dry-run=client -o yaml | kubectl apply -f -
kubectl create secret docker-registry gitlab-registry --namespace ${namespace} --docker-server="\${CI_REGISTRY}" --docker-username="\${CI_DEPLOY_USER}" --docker-password="\${CI_DEPLOY_PASSWORD}" --docker-email="\${GITLAB_USER_EMAIL}" -o yaml --dry-run=client | kubectl apply -f -
kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"gitlab-registry"}]}' --namespace ${namespace}

This is working, but I think it is not the perfect way, as these three steps should only be done once: only if the app/namespace/secret does not exist.


Solution 1:

Helm provides the --create-namespace switch that will create the namespace of the release if it does not already exist.

The secret can be added in your helm chart and you can pass the variables (CI_REGISTRY, CI_DEPLOY_USER, etc.) in as helm chart values, either as --set values or via the values.yaml file and using --values.

The service account patching you can do as a post-install and/or a post-upgrade job (https://helm.sh/docs/topics/charts_hooks/).
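A sketch of the --values route from the answer above, as an added example that is not part of the original post: it builds the registry credential document from the CI variables and hands it to Helm in a private temporary values file, which keeps the password out of the helm command line that --set would put it on. The function names, the release and chart arguments, and the chart value `imagePullSecret.dockerconfigjson` (read by a Secret template of type kubernetes.io/dockerconfigjson) are assumptions.

```shell
#!/bin/sh
# Added example. Assumes the chart contains a Secret template such as
#   type: kubernetes.io/dockerconfigjson
#   data:
#     .dockerconfigjson: {{ .Values.imagePullSecret.dockerconfigjson }}
# (the value name is hypothetical).

# Escape backslashes and double quotes so a value is safe inside a JSON string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the registry credential document: server, user, password, email.
docker_config_json() (
  auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")" \
    "$(json_escape "$4")" "$auth"
)

# Write the base64-encoded document to a values file only the CI user can read,
# and print the file's path.
write_values_file() (
  umask 077
  file=$(mktemp)
  printf 'imagePullSecret:\n  dockerconfigjson: %s\n' \
    "$(printf '%s' "$1" | base64 | tr -d '\n')" > "$file"
  printf '%s\n' "$file"
)

# deploy RELEASE CHART NAMESPACE
# One idempotent command: installs or upgrades, creating the namespace if needed.
deploy() (
  json=$(docker_config_json "$CI_REGISTRY" "$CI_DEPLOY_USER" \
    "$CI_DEPLOY_PASSWORD" "$GITLAB_USER_EMAIL")
  values=$(write_values_file "$json")
  trap 'rm -f "$values"' EXIT   # do not leave the credential on the runner
  helm upgrade --install "$1" "$2" \
    --namespace "$3" --create-namespace --values "$values"
)

# In the CI job (release and chart names are placeholders):
#   deploy my-release ./chart "$namespace"
```

Helm keeps the supplied values in the release record it stores in the namespace, so access to that namespace's Secrets needs the same restriction as the pull secret itself.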