
feat(chart): add ability for extra objects, reading database user from secret, gcp service account for workload identity#107

Open
Mberga14 wants to merge 2 commits into n8n-io:main from Mberga14:feat/hosting-improvements
Conversation

@Mberga14 Mberga14 commented Apr 7, 2026

Pull Request

Description

Added extraManifests to enable provisioning of additional Kubernetes objects, added the ability to read database.user from a Kubernetes secret, and added serviceAccount.gcpServiceAccount to enable Workload Identity for GCP.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Example/configuration update
  • CI/CD improvements

Related Issues

Fixes # (issue)
Relates to # (issue)

Changes Made

Testing Performed

Chart Validation

  • helm lint charts/n8n passes: no, with an unrelated issue
  • ./scripts/validate-examples.sh passes
  • Template rendering works with all examples

Deployment Testing (if applicable)

  • Tested with minimal configuration
  • Tested with production configuration
  • Tested upgrade path from previous version
  • All pods start successfully
  • Application is accessible
  • Tested in GKE cluster

Specific Testing for Changes

Describe any specific testing you performed for your changes:

  • Clean deploy of n8n with postgres in single replica mode

Documentation Updates

  • Updated Chart.yaml version (if needed)
  • Updated CHANGELOG.md
  • Updated README.md (if needed)
  • Updated examples (if needed)
  • Updated CONTRIBUTING.md (if needed)

Checklist

  • My code follows the project's style guidelines
  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings or errors
  • I have added examples that demonstrate the changes (if applicable)
  • All new and existing tests pass

Screenshots (if applicable)

Add screenshots to help explain your changes.

Additional Notes

Any additional information that reviewers should know.


Summary by cubic

Adds extraManifests, Secret-based DB user, GKE Workload Identity, and support for custom podLabels to the n8n Helm chart. This lets you ship extra K8s objects, secure DB credentials, use GCP auth without node-scoped keys, and label pods for integrations and policies.

  • New Features
    • extraManifests: render additional Kubernetes objects from values.
    • database.userSecret: read the DB username from a Secret; falls back to database.user.
    • serviceAccount.gcpServiceAccount: adds iam.gke.io/gcp-service-account for GKE Workload Identity.

Written for commit 70fc029. Summary will update on new commits.

Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 9 files

Architecture diagram
sequenceDiagram
    participant Helm as Helm / K8s API
    participant SA as ServiceAccount
    participant Secret as DB Secret
    participant Pod as n8n Pod
    participant GCP as GCP IAM / Metadata
    participant DB as PostgreSQL

    Note over Helm, DB: Deployment & Runtime Flow

    Helm->>Helm: Render templates
    opt NEW: extraManifests defined
        Helm->>K8s API: Provision custom Kubernetes objects
    end

    Helm->>SA: Create ServiceAccount
    opt NEW: gcpServiceAccount provided
        SA->>SA: CHANGED: Add iam.gke.io/gcp-service-account annotation
    end

    Helm->>Pod: Deploy n8n (main component)
    Note right of Pod: NEW: podLabels applied to metadata

    Pod->>Secret: CHANGED: Inject DB_POSTGRESDB_USER
    Note over Pod,Secret: via secretKeyRef (if database.userSecret.name set)

    alt NEW: GCP Workload Identity active
        Pod->>GCP: Request identity token
        GCP-->>Pod: Return GCP IAM credentials
        Pod->>DB: Connect using IAM / Cloud SQL Proxy
    else Standard Auth
        Pod->>DB: Connect using Secret-based credentials
    end

    alt Connection Success
        DB-->>Pod: Session established
    else Connection Failure
        Pod->>Pod: Retry / CrashLoopBackOff
    end
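
A check for the two security-relevant behaviours in the summary and diagram above, added here as an example (not code from the PR or the n8n chart): it scans rendered manifests, supplied as JSON, and reports any DB_POSTGRESDB_USER that is set inline instead of via secretKeyRef and any malformed iam.gke.io/gcp-service-account annotation. The object names, Secret name and key, and GCP project are constructed placeholders, and the e-mail pattern is a simplified assumption.

```python
import json
import re

ANNOTATION = "iam.gke.io/gcp-service-account"
# Simplified assumption: NAME@PROJECT_ID.iam.gserviceaccount.com
GSA_EMAIL = re.compile(r"^[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com$")

# Constructed sample of rendered objects (names, Secret and project are placeholders).
RENDERED = json.loads("""
[
 {"kind": "ServiceAccount", "metadata": {"name": "n8n", "annotations":
   {"iam.gke.io/gcp-service-account": "n8n-sa@example-project.iam.gserviceaccount.com"}}},
 {"kind": "Deployment", "metadata": {"name": "n8n-main"},
  "spec": {"template": {"spec": {"containers": [{"name": "n8n", "env": [
    {"name": "DB_POSTGRESDB_USER",
     "valueFrom": {"secretKeyRef": {"name": "n8n-db", "key": "username"}}}]}]}}}},
 {"kind": "Deployment", "metadata": {"name": "n8n-worker"},
  "spec": {"template": {"spec": {"containers": [{"name": "n8n", "env": [
    {"name": "DB_POSTGRESDB_USER", "value": "n8n"}]}]}}}}
]
""")


def audit(objects, secret_env=("DB_POSTGRESDB_USER",)):
    """Return findings for inline DB user values and malformed GSA annotations."""
    findings = []
    for obj in objects:
        kind = obj.get("kind", "?")
        meta = obj.get("metadata") or {}
        name = meta.get("name", "?")
        if kind == "ServiceAccount":
            gsa = (meta.get("annotations") or {}).get(ANNOTATION)
            if gsa is not None and not GSA_EMAIL.match(gsa):
                findings.append(f"{kind}/{name}: malformed {ANNOTATION}: {gsa!r}")
        # Workload kinds keep the pod spec under spec.template.spec.
        pod = ((obj.get("spec") or {}).get("template") or {}).get("spec") or {}
        for container in pod.get("containers", []):
            for env in container.get("env") or []:
                source = env.get("valueFrom") or {}
                if env.get("name") in secret_env and "secretKeyRef" not in source:
                    findings.append(f"{kind}/{name}: {env['name']} is set inline, not via secretKeyRef")
    return findings


if __name__ == "__main__":
    for finding in audit(RENDERED):
        print(finding)
```

Helm renders YAML, so convert the rendered output to a JSON list before passing it to `audit`.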

@Mberga14 Mberga14 force-pushed the feat/hosting-improvements branch from 0a0f025 to 9f19b61 Compare April 9, 2026 13:25
…m secret, gcp service account for workload identity
@Mberga14 Mberga14 force-pushed the feat/hosting-improvements branch from 9f19b61 to e115a03 Compare April 9, 2026 13:27