Add support for existing Secrets and External Secrets Operator

Enhanced secret management for API7 Gateway credentials with support
for existing Secrets and External Secrets Operator integration.

Changes:

1. Secret Configuration:
   - Added api7.gateway.existingSecret parameter for using existing secrets
   - Added api7.gateway.existingSecretKeys for custom key names
   - Modified secret-api7.yaml to only create secret if existingSecret is empty
   - Updated job-adc-sync.yaml to reference configurable secret name

2. Values.yaml Documentation:
   - Added comprehensive documentation for secret configuration options
   - Documented two approaches: inline config (dev) vs existing secret (prod)
   - Added example kubectl command for creating secrets manually
   - Included instructions for obtaining admin key from API7 EE

3. External Secrets Support:
   - Created externalsecret-api7.yaml.example with complete examples
   - Included examples for AWS Secrets Manager and HashiCorp Vault
   - Documented SecretStore configuration patterns

4. Documentation:
   - Created SECRET-MANAGEMENT.md comprehensive guide
   - Covered all secret management options (inline, manual, external)
   - Added security best practices and troubleshooting guide
   - Included examples for External Secrets Operator setup

Benefits:
- Improved security: Secrets not stored in values.yaml
- Flexibility: Support for any secret management tool
- Production-ready: Works with External Secrets Operator
- Better practices: Clear separation of config vs secrets

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

helm/api7ee-demo-k8s/templates/externalsecret-api7.yaml.example

@@ -0,0 +1,93 @@
+# Example ExternalSecret for API7 Gateway credentials
+# This file is not deployed by default - it serves as an example.
+#
+# To use External Secrets Operator:
+# 1. Install External Secrets Operator in your cluster
+# 2. Configure a SecretStore (e.g., AWS Secrets Manager, Vault, etc.)
+# 3. Rename this file to remove .example extension
+# 4. Set api7.gateway.existingSecret to the secret name below
+# 5. Adjust the backend configuration to match your SecretStore
+#
+# Documentation: https://external-secrets.io/
+
+{{- if false }}  # Change to 'if .Values.api7.gateway.useExternalSecret' to enable
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: {{ include "api7ee.fullname" . }}-api7-admin-external
+  labels:
+    {{- include "api7ee.labels" . | nindent 4 }}
+    app.kubernetes.io/component: api7
+spec:
+  # Refresh interval for fetching secrets from external provider
+  refreshInterval: 1h
+
+  # Reference to SecretStore
+  secretStoreRef:
+    name: vault-backend  # Name of your SecretStore
+    kind: SecretStore    # or ClusterSecretStore
+
+  # Target Secret configuration
+  target:
+    name: {{ include "api7ee.fullname" . }}-api7-admin
+    creationPolicy: Owner
+    template:
+      type: Opaque
+      data:
+        # Map external secret keys to Kubernetes secret keys
+        admin-url: "{{ `{{ .adminUrl }}` }}"
+        admin-key: "{{ `{{ .adminKey }}` }}"
+        gateway-group: "{{ `{{ .group }}` }}"
+
+  # Data to fetch from external provider
+  data:
+    - secretKey: adminUrl
+      remoteRef:
+        key: api7/gateway    # Path in external secret store
+        property: admin_url  # Property name
+
+    - secretKey: adminKey
+      remoteRef:
+        key: api7/gateway
+        property: admin_key
+
+    - secretKey: group
+      remoteRef:
+        key: api7/gateway
+        property: gateway_group
+
+---
+# Example for AWS Secrets Manager
+# apiVersion: external-secrets.io/v1beta1
+# kind: SecretStore
+# metadata:
+#   name: aws-secretsmanager
+# spec:
+#   provider:
+#     aws:
+#       service: SecretsManager
+#       region: us-east-1
+#       auth:
+#         jwt:
+#           serviceAccountRef:
+#             name: external-secrets-sa
+
+---
+# Example for HashiCorp Vault
+# apiVersion: external-secrets.io/v1beta1
+# kind: SecretStore
+# metadata:
+#   name: vault-backend
+# spec:
+#   provider:
+#     vault:
+#       server: "https://vault.example.com"
+#       path: "secret"
+#       version: "v2"
+#       auth:
+#         kubernetes:
+#           mountPath: "kubernetes"
+#           role: "api7-role"
+#           serviceAccountRef:
+#             name: {{ include "api7ee.serviceAccountName" . }}
+{{- end }}

helm/api7ee-demo-k8s/templates/job-adc-sync.yaml

@@ -47,18 +47,18 @@ spec:
             - name: API7_ADMIN_URL
               valueFrom:
                 secretKeyRef:
-                  name: {{ include "api7ee.fullname" . }}-api7-admin
-                  key: admin-url
+                  name: {{ .Values.api7.gateway.existingSecret | default (printf "%s-api7-admin" (include "api7ee.fullname" .)) }}
+                  key: {{ .Values.api7.gateway.existingSecretKeys.adminUrl | default "admin-url" }}
             - name: API7_ADMIN_KEY
               valueFrom:
                 secretKeyRef:
-                  name: {{ include "api7ee.fullname" . }}-api7-admin
-                  key: admin-key
+                  name: {{ .Values.api7.gateway.existingSecret | default (printf "%s-api7-admin" (include "api7ee.fullname" .)) }}
+                  key: {{ .Values.api7.gateway.existingSecretKeys.adminKey | default "admin-key" }}
             - name: API7_GATEWAY_GROUP
               valueFrom:
                 secretKeyRef:
-                  name: {{ include "api7ee.fullname" . }}-api7-admin
-                  key: gateway-group
+                  name: {{ .Values.api7.gateway.existingSecret | default (printf "%s-api7-admin" (include "api7ee.fullname" .)) }}
+                  key: {{ .Values.api7.gateway.existingSecretKeys.group | default "gateway-group" }}
           volumeMounts:
             - name: adc-config
               mountPath: /config

helm/api7ee-demo-k8s/templates/secret-api7.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.api7.enabled }}
+{{- if and .Values.api7.enabled (not .Values.api7.gateway.existingSecret) }}
 apiVersion: v1
 kind: Secret
 metadata: