Portkey-AI · avaya09 · May 20, 2026 · May 20, 2026 · May 21, 2026 · May 21, 2026
diff --git a/charts/portkey-app/docs/secret-manager-integration.md b/charts/portkey-app/docs/secret-manager-integration.md
@@ -157,6 +157,33 @@ spec:
             objectAlias: smtpPassword
           - path: smtpFrom
             objectAlias: smtpFrom
+      # Example for S3-compatible log storage. Adjust keys for your backend
+      # (mongo / s3_assume / azure). See the table at the bottom of this section.
+      - objectName: "arn:aws:secretsmanager:<REGION>:<ACCOUNT_ID>:secret:myapp/portkey-log-storage"
+        objectType: "secretsmanager"
+        jmesPath:
+          - path: logStore
+            objectAlias: logStore
+          - path: logStoreAccessKey
+            objectAlias: logStoreAccessKey
+          - path: logStoreSecretKey
+            objectAlias: logStoreSecretKey
+          - path: logStoreRegion
+            objectAlias: logStoreRegion
+          - path: logStoreGenerationsBucket
+            objectAlias: logStoreGenerationsBucket
+          - path: logStoreBasePath
+            objectAlias: logStoreBasePath
+      # Optional — only if bedrockAssumed.enabled = true.
+      - objectName: "arn:aws:secretsmanager:<REGION>:<ACCOUNT_ID>:secret:myapp/portkey-bedrock"
+        objectType: "secretsmanager"
+        jmesPath:
+          - path: bedrockAssumedAccessKey
+            objectAlias: bedrockAssumedAccessKey
+          - path: bedrockAssumedSecretKey
+            objectAlias: bedrockAssumedSecretKey
+          - path: bedrockAssumedRegion
+            objectAlias: bedrockAssumedRegion
   secretObjects:
     - secretName: portkey-mysql
       type: Opaque
@@ -230,6 +257,31 @@ spec:
           key: smtpPassword
         - objectName: smtpFrom
           key: smtpFrom
+    - secretName: portkey-log-storage
+      type: Opaque
+      data:
+        - objectName: logStore
+          key: logStore
+        - objectName: logStoreAccessKey
+          key: logStoreAccessKey
+        - objectName: logStoreSecretKey
+          key: logStoreSecretKey
+        - objectName: logStoreRegion
+          key: logStoreRegion
+        - objectName: logStoreGenerationsBucket
+          key: logStoreGenerationsBucket
+        - objectName: logStoreBasePath
+          key: logStoreBasePath
+    # Optional — only if bedrockAssumed.enabled = true.
+    - secretName: portkey-bedrock
+      type: Opaque
+      data:
+        - objectName: bedrockAssumedAccessKey
+          key: bedrockAssumedAccessKey
+        - objectName: bedrockAssumedSecretKey
+          key: bedrockAssumedSecretKey
+        - objectName: bedrockAssumedRegion
+          key: bedrockAssumedRegion
 ```
 
 Apply:
@@ -305,8 +357,34 @@ config:
     enabled: true
   smtp:
     enabled: true
+
+logStorage:
+  # Re-use an existing Kubernetes Secret for log storage credentials.
+  existingSecretName: "portkey-log-storage"
+  s3Compat:
+    enabled: true
+
+bedrockAssumed:
+  enabled: true
+  # Optional — re-use an existing Kubernetes Secret for bedrockAssumed.
+  existingSecretName: "portkey-bedrock"
 ```
 
+### Expected keys per existing Secret
+
+| Override                              | Secret must contain                                                                                                                            |
+| ------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
+| `logStorage.existingSecretName`       | The keys for whichever backend is enabled:                                                                                                     |
+| · `s3Compat.enabled: true`            | `logStore`, `logStoreAccessKey`, `logStoreSecretKey`, `logStoreRegion`, `logStoreGenerationsBucket`, `logStoreBasePath`                         |
+| · `s3Assume.enabled: true`            | `logStore`, `logStoreAccessKey`, `logStoreSecretKey`, `logStoreRegion`, `logStoreGenerationsBucket`, `logStoreAwsRoleArn`, `logStoreExternalId` |
+| · `mongo.enabled: true`               | `logStore`, `mongoConnectionUrl`, `mongoDatabase`, `mongoGenerationsCollection`, `mongoHooksCollection`                                         |
+| · `azure.enabled: true`               | `logStore`, `azureAuthMode`, `azureManagedClientId`, `azureStorageAccount`, `azureStorageKey`, `azureStorageContainer`                          |
+| `bedrockAssumed.existingSecretName`   | `bedrockAssumedAccessKey`, `bedrockAssumedSecretKey`, `bedrockAssumedRegion`                                                                   |
+
+The `logStore` key value encodes the backend type — one of `s3`, `s3_custom`,
+`s3_assume`, `mongo`, or `azure`. The two overrides are independent: you can
+use an existing Secret for one and let the chart manage the other.
+
 ## Option B: Mount-only (read from files; no Kubernetes Secrets sync)
 Create a `SecretProviderClass` without `secretObjects` (files only):
 ```yaml

diff --git a/charts/portkey-app/templates/_helpers.tpl b/charts/portkey-app/templates/_helpers.tpl
@@ -156,6 +156,31 @@ the user or some other secret provisioning mechanism
 {{- include "portkey.fullname" . }}-{{ .Values.gateway.name }}
 {{- end }}
 
+{{/*
+Name of the Secret holding log storage credentials.
+Overridable via logStorage.existingSecretName.
+*/}}
+{{- define "portkey.logStoreSecretsName" -}}
+{{- if .Values.logStorage.existingSecretName }}
+{{- .Values.logStorage.existingSecretName }}
+{{- else }}
+{{- include "portkey.gatewaySecretsName" . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Name of the Secret holding bedrockAssumed credentials.
+Overridable via bedrockAssumed.existingSecretName; otherwise the keys
+live in the chart-managed gateway Secret.
+*/}}
+{{- define "portkey.bedrockSecretsName" -}}
+{{- if .Values.bedrockAssumed.existingSecretName }}
+{{- .Values.bedrockAssumed.existingSecretName }}
+{{- else }}
+{{- include "portkey.gatewaySecretsName" . }}
+{{- end }}
+{{- end }}
+
 {{- define "portkey.gatewayClientAuth" -}}
 {{- .Values.config.defaultGatewayClientAuth | default "client_auth-PRIVATE_SEVICE" | quote }}
 {{- end }}
@@ -352,96 +377,96 @@ Template containing common environment variables that are used by several servic
 - name: LOG_STORE
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: logStore
 {{- if .Values.logStorage.mongo.enabled}}
 - name: MONGO_DB_CONNECTION_URL
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: mongoConnectionUrl
 - name: MONGO_DATABASE
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: mongoDatabase
 - name: MONGO_COLLECTION_NAME
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: mongoGenerationsCollection
 - name: MONGO_GENERATION_HOOKS_COLLECTION_NAME
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: mongoHooksCollection
 {{- end }}
 {{- if or .Values.logStorage.s3Compat.enabled }}
 - name: LOG_STORE_BASEPATH
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: logStoreBasePath
 {{- end }}      
 {{- if or .Values.logStorage.s3Compat.enabled .Values.logStorage.s3Assume.enabled }}
 - name: LOG_STORE_ACCESS_KEY
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: logStoreAccessKey
 - name: LOG_STORE_SECRET_KEY
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: logStoreSecretKey
 - name: LOG_STORE_REGION
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: logStoreRegion
 - name: LOG_STORE_GENERATIONS_BUCKET
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: logStoreGenerationsBucket
 {{- end }}
 {{- if .Values.logStorage.s3Assume.enabled }}
 - name: LOG_STORE_AWS_ROLE_ARN
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: logStoreAwsRoleArn
 - name: LOG_STORE_AWS_EXTERNAL_ID
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: logStoreExternalId
 {{- end }}
 {{- if .Values.logStorage.azure.enabled}}
 - name: AZURE_AUTH_MODE
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: azureAuthMode
 - name: AZURE_MANAGED_CLIENT_ID
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: azureManagedClientId
 - name: AZURE_STORAGE_ACCOUNT
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: azureStorageAccount
 - name: AZURE_STORAGE_KEY
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: azureStorageKey
 - name: AZURE_STORAGE_CONTAINER
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.logStoreSecretsName" . }}
       key: azureStorageContainer
 {{- end }}
 {{- end }}
@@ -454,17 +479,17 @@ Template containing common environment variables that are used by several servic
 - name: AWS_ASSUME_ROLE_ACCESS_KEY_ID
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.bedrockSecretsName" . }}
       key: bedrockAssumedAccessKey
 - name: AWS_ASSUME_ROLE_SECRET_ACCESS_KEY
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.bedrockSecretsName" . }}
       key: bedrockAssumedSecretKey
 - name: AWS_ASSUME_ROLE_REGION
   valueFrom:
     secretKeyRef:
-      name: {{ include "portkey.gatewaySecretsName" . }}
+      name: {{ include "portkey.bedrockSecretsName" . }}
       key: bedrockAssumedRegion
 {{- end }}
 - name: ALBUS_BASEPATH

diff --git a/charts/portkey-app/templates/gateway/secrets.yaml b/charts/portkey-app/templates/gateway/secrets.yaml
@@ -1,3 +1,4 @@
+{{- if or (not .Values.logStorage.existingSecretName) (and .Values.bedrockAssumed.enabled (not .Values.bedrockAssumed.existingSecretName)) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -8,6 +9,7 @@ metadata:
     {{- include "portkey.annotations" . | nindent 4 }}
 type: Opaque
 data:
+  {{- if not .Values.logStorage.existingSecretName }}
   {{- if .Values.logStorage.s3Compat.enabled}}
   logStore: {{ .Values.logStorage.logStore | b64enc | quote }}
   logStoreAccessKey: {{ .Values.logStorage.s3Compat.LOG_STORE_ACCESS_KEY | b64enc | quote }}
@@ -40,8 +42,10 @@ data:
   azureStorageKey: {{ .Values.logStorage.azure.AZURE_STORAGE_KEY | b64enc | quote }}
   azureStorageContainer: {{ .Values.logStorage.azure.AZURE_STORAGE_CONTAINER | b64enc | quote }}
   {{- end }}
-  {{- if .Values.bedrockAssumed.enabled}}
+  {{- end }}
+  {{- if and .Values.bedrockAssumed.enabled (not .Values.bedrockAssumed.existingSecretName) }}
   bedrockAssumedAccessKey: {{ .Values.bedrockAssumed.AWS_ASSUME_ROLE_ACCESS_KEY_ID | b64enc | quote }}
   bedrockAssumedSecretKey: {{ .Values.bedrockAssumed.AWS_ASSUME_ROLE_SECRET_ACCESS_KEY | b64enc | quote }}
   bedrockAssumedRegion: {{ .Values.bedrockAssumed.AWS_ASSUME_ROLE_REGION | b64enc | quote }}
-  {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/charts/portkey-app/values.yaml b/charts/portkey-app/values.yaml
@@ -118,6 +118,9 @@ config:
 # logStorage:
   # -- S3 specific configuration
 logStorage:
+  # -- Existing Kubernetes Secret holding log storage credentials.
+  # See docs/secret-manager-integration.md for the required keys per backend.
+  existingSecretName: ""
   logStore: ""
   s3Compat:
     enabled: false
@@ -160,6 +163,9 @@ logStorage:
 
 bedrockAssumed:
   enabled: false
+  # -- Existing Kubernetes Secret holding bedrockAssumed credentials.
+  # See docs/secret-manager-integration.md for required keys.
+  existingSecretName: ""
   AWS_ASSUME_ROLE_ACCESS_KEY_ID: ""
   AWS_ASSUME_ROLE_SECRET_ACCESS_KEY: ""
   AWS_ASSUME_ROLE_REGION: ""