livekit · siddimore · Mar 23, 2026 · Mar 23, 2026 · Mar 23, 2026
diff --git a/egress-sample.yaml b/egress-sample.yaml
@@ -4,9 +4,6 @@ replicaCount: 1
 terminationGracePeriodSeconds: 3600
 
 egress:
-  api_key: "server-api-key"
-  api_secret: "server-api-secret"
-  ws_url: "ws://livekit-host:<port>"
   log_level: info
   health_port: 8080
   prometheus_port: 9090
@@ -16,26 +13,32 @@ egress:
     address: <redis_host:port>
     # db: 0
     # username:
-    # password:
     # use_tls: false
+  # Non-sensitive S3 config (bucket, region) can stay here
   s3:
-    access_key: "access_key"
-    secret: "secret"
     region: "us-west-2"
     # endpoint:
     bucket: "my-egress"
-  # azure:
-    # account_name:
-    # account_key:
-    # container_name:
-  # gcp:
-    # credentials_json:
-    # bucket:
   # cpu_cost:
     # room_composite_cpu_cost: 3
     # track_composite_cpu_cost: 2
     # track_cpu_cost: 1
 
+  # Sensitive values — stored in a Kubernetes Secret, not in ConfigMap
+  secrets:
+    api_key: "server-api-key"
+    api_secret: "server-api-secret"
+    ws_url: "ws://livekit-host:<port>"
+    redis:
+      password: ""
+    s3:
+      access_key: "access_key"
+      secret: "secret"
+    # azure:
+    #   account_key: ""
+    # gcp:
+    #   credentials_json: ""
+
 # autoscaling requires resources to be defined
 autoscaling:
   # set to true to enable autoscaling. when set, ignores replicaCount
@@ -90,3 +93,7 @@ securityContext: {}
 tolerations: []
 
 affinity: {}
+
+# Use a pre-existing secret for the full egress config (e.g. from External Secrets Operator or Vault)
+# existingSecret: "my-egress-secret"
+
diff --git a/egress/templates/configmap.yaml b/egress/templates/configmap.yaml
@@ -1,7 +1,13 @@
+{{- if not .Values.existingSecret }}
+{{- $config := deepCopy .Values.egress }}
+{{- $_ := unset $config "secrets" }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ include "egress.fullname" . }}
+  labels:
+    {{- include "egress.labels" . | nindent 4 }}
 data:
   config.yaml: |
-{{ toYaml .Values.egress | indent 4 }}
+{{ toYaml $config | indent 4 }}
+{{- end }}
diff --git a/egress/templates/deployment.yaml b/egress/templates/deployment.yaml
@@ -17,7 +17,10 @@ spec:
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+        {{- if not .Values.existingSecret }}
+        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
         checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        {{- end }}
       labels:
         {{- include "egress.selectorLabels" . | nindent 8 }}
     spec:
@@ -34,8 +37,8 @@ spec:
           env:
             - name: EGRESS_CONFIG_BODY
               valueFrom:
-                configMapKeyRef:
-                  name: {{ include "egress.fullname" . }}
+                secretKeyRef:
+                  name: {{ .Values.existingSecret | default (include "egress.fullname" .) }}
                   key: config.yaml
           ports:
             {{- if .Values.egress.health_port }}

diff --git a/egress/templates/secret.yaml b/egress/templates/secret.yaml
@@ -0,0 +1,15 @@
+{{- if not .Values.existingSecret }}
+{{- $config := deepCopy .Values.egress }}
+{{- $secrets := $config.secrets | default dict }}
+{{- $_ := unset $config "secrets" }}
+{{- $merged := mustMergeOverwrite $config $secrets }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "egress.fullname" . }}
+  labels:
+    {{- include "egress.labels" . | nindent 4 }}
+type: Opaque
+data:
+  config.yaml: {{ toYaml $merged | b64enc }}
+{{- end }}
diff --git a/egress/values.yaml b/egress/values.yaml
@@ -12,6 +12,21 @@ egress:
   log_level: info
   health_port: 8080
   prometheus_port: 9090
+  # Sensitive values go under 'secrets' — these are stored in a Kubernetes Secret,
+  # never in the ConfigMap. The Secret merges these into the full config at deploy time.
+  secrets: {}
+    # api_key: ""
+    # api_secret: ""
+    # ws_url: ""
+    # redis:
+    #   password: ""
+    # s3:
+    #   access_key: ""
+    #   secret: ""
+    # gcp:
+    #   credentials_json: ""
+    # azure:
+    #   account_key: ""
 
 terminationGracePeriodSeconds: 3600
 
@@ -40,4 +55,9 @@ securityContext: {}
 
 tolerations: []
 
+# Use a pre-existing secret for the full egress config (e.g. from External Secrets Operator or Vault).
+# When set, neither the chart's Secret nor ConfigMap will contain config — the deployment reads
+# from this secret directly.
+existingSecret: ""
+
 affinity: {}
diff --git a/examples/egress.yaml b/examples/egress.yaml
@@ -1,16 +1,20 @@
 replicaCount: 2
 
 egress:
-  ws_url: <ws_url>
-  api_key: <api_key>
-  api_secret: <secret>
   log_level: info
   health_port: 8080
   prometheus_port: 9090
   redis:
     address: <redis_host:port>
   s3:
-    access_key: <access_key>
-    secret: <secret>
     region: "us-west-2"
     bucket: "my-egress"
+
+  # Sensitive values — stored in a Kubernetes Secret, never in ConfigMap
+  secrets:
+    api_key: <api_key>
+    api_secret: <secret>
+    ws_url: <ws_url>
+    s3:
+      access_key: <access_key>
+      secret: <secret>
diff --git a/ingress-sample.yaml b/ingress-sample.yaml
@@ -4,9 +4,6 @@ replicaCount: 1
 terminationGracePeriodSeconds: 10800
 
 ingress:
-  api_key: "server-api-key"
-  api_secret: "server-api-secret"
-  ws_url: "ws://livekit-host:<port>"
   logging:
     level: info
   health_port: 7888
@@ -22,7 +19,6 @@ ingress:
     address: <redis_host:port>
     # db: 0
     # username:
-    # password:
     # use_tls: false
 
   cpu_cost:
@@ -33,6 +29,14 @@ ingress:
   # See kubernetes serviceTypes on official documentation: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
   serviceType: "LoadBalancer"
 
+  # Sensitive values — stored in a Kubernetes Secret, not in ConfigMap
+  secrets:
+    api_key: "server-api-key"
+    api_secret: "server-api-secret"
+    ws_url: "ws://livekit-host:<port>"
+    redis:
+      password: ""
+
 # autoscaling requires resources to be defined
 autoscaling:
   # set to true to enable autoscaling. when set, ignores replicaCount
@@ -88,3 +92,7 @@ securityContext:
 tolerations: []
 
 affinity: {}
+
+# Use a pre-existing secret for the full ingress config (e.g. from External Secrets Operator or Vault)
+# existingSecret: "my-ingress-secret"
+
diff --git a/ingress/templates/configmap.yaml b/ingress/templates/configmap.yaml
@@ -1,7 +1,13 @@
+{{- if not .Values.existingSecret }}
+{{- $config := deepCopy .Values.ingress }}
+{{- $_ := unset $config "secrets" }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ include "ingress.fullname" . }}
+  labels:
+    {{- include "ingress.labels" . | nindent 4 }}
 data:
   config.yaml: |
-{{ toYaml .Values.ingress | indent 4 }}
+{{ toYaml $config | indent 4 }}
+{{- end }}
diff --git a/ingress/templates/deployment.yaml b/ingress/templates/deployment.yaml
@@ -17,7 +17,10 @@ spec:
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+        {{- if not .Values.existingSecret }}
+        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
         checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        {{- end }}
       labels:
         {{- include "ingress.selectorLabels" . | nindent 8 }}
     spec:
@@ -38,8 +41,8 @@ spec:
           env:
             - name: INGRESS_CONFIG_BODY
               valueFrom:
-                configMapKeyRef:
-                  name: {{ include "ingress.fullname" . }}
+                secretKeyRef:
+                  name: {{ .Values.existingSecret | default (include "ingress.fullname" .) }}
                   key: config.yaml
           ports:
             {{- if .Values.ingress.health_port }}

diff --git a/ingress/templates/secret.yaml b/ingress/templates/secret.yaml
@@ -0,0 +1,15 @@
+{{- if not .Values.existingSecret }}
+{{- $config := deepCopy .Values.ingress }}
+{{- $secrets := $config.secrets | default dict }}
+{{- $_ := unset $config "secrets" }}
+{{- $merged := mustMergeOverwrite $config $secrets }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "ingress.fullname" . }}
+  labels:
+    {{- include "ingress.labels" . | nindent 4 }}
+type: Opaque
+data:
+  config.yaml: {{ toYaml $merged | b64enc }}
+{{- end }}
diff --git a/ingress/values.yaml b/ingress/values.yaml
@@ -26,6 +26,15 @@ ingress:
     whip_cpu_cost: 2
     whip_bypass_transcoding_cpu_cost: 0.1
 
+  # Sensitive values go under 'secrets' — these are stored in a Kubernetes Secret,
+  # never in the ConfigMap. The Secret merges these into the full config at deploy time.
+  secrets: {}
+    # api_key: ""
+    # api_secret: ""
+    # ws_url: ""
+    # redis:
+    #   password: ""
+
 loadBalancer:
   servicePort: 7888
   annotations: {}
@@ -60,3 +69,8 @@ securityContext: {}
 tolerations: []
 
 affinity: {}
+
+# Use a pre-existing secret for the full ingress config (e.g. from External Secrets Operator or Vault).
+# When set, neither the chart's Secret nor ConfigMap will contain config — the deployment reads
+# from this secret directly.
+existingSecret: ""
diff --git a/livekit-server/values.yaml b/livekit-server/values.yaml
@@ -49,7 +49,7 @@ livekit:
 
 # Set this option to true if you want to store your API keys in a secret instead of the config file
 storeKeysInSecret:
-  enabled: false
+  enabled: true
   # Use a pre existing secret, useful to combine with external secret managers
   # as GCP External Secrets or Hashicorp Vault
   existingSecret: ""