From 89e98071ddaa536b788f14b3061c0b012c557361 Mon Sep 17 00:00:00 2001 From: jatin Date: Fri, 5 Jun 2026 14:22:26 -0400 Subject: [PATCH 1/2] rrGitServer: also accept blob-storage env vars from .Values.env validateBlobStorage only scanned environmentVariables and environmentSecrets for RR_BLOB_STORAGE_PROVIDER / RR_DEFAULT_*, so deployments that configure those via the .Values.env map had to duplicate them into environmentVariables to satisfy the check. Range over .Values.env (keyed by var name) as well, and mention env in the doc comment and failure message. Co-Authored-By: Claude Opus 4.8 (1M context)
---
 charts/retool/templates/_helpers.tpl | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/charts/retool/templates/_helpers.tpl b/charts/retool/templates/_helpers.tpl
index 660fe32..f8f978b 100644
--- a/charts/retool/templates/_helpers.tpl
+++ b/charts/retool/templates/_helpers.tpl
@@ -684,13 +684,18 @@ Set MCP server service name
 {{/*
 Validate that exactly one blob-storage provider is configured when
 rrGitServer is enabled. Skipped when the user has plumbed the RR_BLOB_STORAGE_PROVIDER /
-RR_DEFAULT_*_* env vars in directly via environmentVariables/environmentSecrets,
+RR_DEFAULT_*_* env vars in directly via env/environmentVariables/environmentSecrets,
 which is treated as an opt-out from the first-class blobStorage config.
 No-op when rrGitServer is disabled.
 */}}
 {{- define "retool.rrGitServer.validateBlobStorage" -}}
 {{- if .Values.rrGitServer.enabled -}}
 {{- $hasDirectEnv := false -}}
+{{- range $name, $value := .Values.env -}}
+{{- if or (hasPrefix "RR_DEFAULT_" $name) (eq $name "RR_BLOB_STORAGE_PROVIDER") -}}
+{{- $hasDirectEnv = true -}}
+{{- end -}}
+{{- end -}}
 {{- range .Values.environmentVariables -}}
 {{- if or (hasPrefix "RR_DEFAULT_" .name) (eq .name "RR_BLOB_STORAGE_PROVIDER") -}}
 {{- $hasDirectEnv = true -}}
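Review bot: The added `range $name, $value := .Values.env` loop sets `$hasDirectEnv` from the key name alone and never reads `$value`, so an `env` entry such as `RR_BLOB_STORAGE_PROVIDER: ""`, or any single `RR_DEFAULT_*` key, turns the provider check off even when nothing usable is configured. If an empty value is not meant to count as an opt-out, test the value as well: `{{- if and $value (or (hasPrefix "RR_DEFAULT_" $name) (eq $name "RR_BLOB_STORAGE_PROVIDER")) -}}`. The existing `environmentVariables` loop uses the same name-only match, and its body runs past the end of this hunk, so whether it needs the same guard cannot be judged from here.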
@@ -708,7 +713,7 @@ No-op when rrGitServer is disabled.
 {{- if $bs.gcs }}{{ $providers = append $providers "gcs" }}{{ end -}}
 {{- if $bs.azure }}{{ $providers = append $providers "azure" }}{{ end -}}
 {{- if ne (len $providers) 1 -}}
-{{- fail "rrGitServer.enabled requires exactly one of blobStorage.s3, blobStorage.gcs, blobStorage.azure to be configured, or set RR_BLOB_STORAGE_PROVIDER / RR_DEFAULT_* directly via environmentVariables / environmentSecrets" -}}
+{{- fail "rrGitServer.enabled requires exactly one of blobStorage.s3, blobStorage.gcs, blobStorage.azure to be configured, or set RR_BLOB_STORAGE_PROVIDER / RR_DEFAULT_* directly via env / environmentVariables / environmentSecrets" -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
From b0dd64bb0c9c21cf20745dfd06bb611f4be59bc0 Mon Sep 17 00:00:00 2001 From: jatin Date: Fri, 5 Jun 2026 15:30:32 -0400 Subject: [PATCH 2/2] rrGitServer: add skipBlobStorageValidation escape hatch The blob-storage guard can only inspect blobStorage / env / environmentVariables / environmentSecrets at template time. Env vars injected via envFrom (a Secret/ConfigMap splat) are invisible to it, so a valid configuration that supplies RR_BLOB_STORAGE_PROVIDER / RR_DEFAULT_* that way would fail the check with no way out. Add rrGitServer.skipBlobStorageValidation (default false) to bypass the check entirely, and point at it from the failure message. Co-Authored-By: Claude Opus 4.8 (1M context)
---
 charts/retool/templates/_helpers.tpl | 7 +++++--
 charts/retool/values.yaml | 7 +++++++
 values.yaml | 7 +++++++
 3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/charts/retool/templates/_helpers.tpl b/charts/retool/templates/_helpers.tpl
index f8f978b..6f71906 100644
--- a/charts/retool/templates/_helpers.tpl
+++ b/charts/retool/templates/_helpers.tpl
@@ -686,10 +686,13 @@ Validate that exactly one blob-storage provider is configured when
 rrGitServer is enabled. Skipped when the user has plumbed the RR_BLOB_STORAGE_PROVIDER /
 RR_DEFAULT_*_* env vars in directly via env/environmentVariables/environmentSecrets,
 which is treated as an opt-out from the first-class blobStorage config.
+Also skipped entirely when rrGitServer.skipBlobStorageValidation is true, which
+is the escape hatch for sources we cannot inspect at template time (e.g. env
+vars injected via envFrom from a Secret/ConfigMap).
 No-op when rrGitServer is disabled.
 */}}
 {{- define "retool.rrGitServer.validateBlobStorage" -}}
-{{- if .Values.rrGitServer.enabled -}}
+{{- if and .Values.rrGitServer.enabled (not .Values.rrGitServer.skipBlobStorageValidation) -}}
 {{- $hasDirectEnv := false -}}
 {{- range $name, $value := .Values.env -}}
 {{- if or (hasPrefix "RR_DEFAULT_" $name) (eq $name "RR_BLOB_STORAGE_PROVIDER") -}}
@@ -713,7 +716,7 @@ No-op when rrGitServer is disabled.
 {{- if $bs.gcs }}{{ $providers = append $providers "gcs" }}{{ end -}}
 {{- if $bs.azure }}{{ $providers = append $providers "azure" }}{{ end -}}
 {{- if ne (len $providers) 1 -}}
-{{- fail "rrGitServer.enabled requires exactly one of blobStorage.s3, blobStorage.gcs, blobStorage.azure to be configured, or set RR_BLOB_STORAGE_PROVIDER / RR_DEFAULT_* directly via env / environmentVariables / environmentSecrets" -}}
+{{- fail "rrGitServer.enabled requires exactly one of blobStorage.s3, blobStorage.gcs, blobStorage.azure to be configured, or set RR_BLOB_STORAGE_PROVIDER / RR_DEFAULT_* directly via env / environmentVariables / environmentSecrets. If those vars are supplied another way (e.g. envFrom), set rrGitServer.skipBlobStorageValidation=true to bypass this check." -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}
diff --git a/charts/retool/values.yaml b/charts/retool/values.yaml
index 33f80bb..9e63f3b 100644
--- a/charts/retool/values.yaml
+++ b/charts/retool/values.yaml
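Review bot: In charts/retool/templates/_helpers.tpl, `skipBlobStorageValidation` is folded into the outer `if and .Values.rrGitServer.enabled (not ...)` guard, so setting it also suppresses the failure when more than one of `blobStorage.s3` / `gcs` / `azure` is set, which is a conflict the chart can see at template time. The envFrom case in the commit message only needs the zero-provider case relaxed. Consider keeping the outer guard as it was and narrowing the inner test instead, for example `{{- if or (gt (len $providers) 1) (and (eq (len $providers) 0) (not .Values.rrGitServer.skipBlobStorageValidation)) -}}`. The lines between the two hunks are not shown, so how `$hasDirectEnv` gates this branch is inferred rather than read.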
@@ -728,6 +728,13 @@ rrGitServer: # Backend default is 100; unset to inherit it. repackThreshold: ~ + # Escape hatch for the blob-storage validation below. The chart can only + # inspect blobStorage, env, environmentVariables, and environmentSecrets at + # template time; it cannot see env vars injected via envFrom (Secret/ConfigMap + # splat). Set this to true to bypass the check when RR_BLOB_STORAGE_PROVIDER / + # RR_DEFAULT_* are provided that way. + skipBlobStorageValidation: false + # Shared blob-storage config used by git_server (and other features that # need object storage, e.g. snapshots). Set exactly one of s3, gcs, azure. # Renders RR_BLOB_STORAGE_PROVIDER + RR_DEFAULT__* env vars on diff --git a/values.yaml b/values.yaml index 33f80bb..9e63f3b 100644 --- a/values.yaml +++ b/values.yaml @@ -728,6 +728,13 @@ rrGitServer: # Backend default is 100; unset to inherit it. repackThreshold: ~ + # Escape hatch for the blob-storage validation below. The chart can only + # inspect blobStorage, env, environmentVariables, and environmentSecrets at + # template time; it cannot see env vars injected via envFrom (Secret/ConfigMap + # splat). Set this to true to bypass the check when RR_BLOB_STORAGE_PROVIDER / + # RR_DEFAULT_* are provided that way. + skipBlobStorageValidation: false + # Shared blob-storage config used by git_server (and other features that # need object storage, e.g. snapshots). Set exactly one of s3, gcs, azure. # Renders RR_BLOB_STORAGE_PROVIDER + RR_DEFAULT__* env vars on