Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Secret value not referenced if upstream chart doesn't use tpl function #103

Closed
megakoresh opened this issue Apr 7, 2021 · 4 comments
Closed

Secret value not referenced if upstream chart doesn't use tpl function #103

megakoresh opened this issue Apr 7, 2021 · 4 comments

Comments

@megakoresh
Copy link

In a use-case where I have my secrets.yaml like this

postgresPassword: !vault secrets/superset#postgresPassword

and then I am trying to deploy superset chart and in my values I set

postgresql:
  postgresqlPassword: '{{ .Values.postgresPassword }}'

for the dependency chart, the generated secret is

# Source: superset/charts/postgresql/templates/secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: superset-postgresql
  labels:
    app.kubernetes.io/name: postgresql
    helm.sh/chart: postgresql-10.2.0
    app.kubernetes.io/instance: superset
    app.kubernetes.io/managed-by: Helm
type: Opaque
data:
  postgresql-password: "e3sgLlZhbHVlcy5wb3N0Z3Jlc1Bhc3N3b3JkIH19"

which corresponds literally to {{ .Values.postgresPassword }}. This is because the dependency chart doesn't use tpl to refer to this value and of course I can't control it. Same issue exists for the superset chart itself. Where the chart templates refer to values via tpl function, the value from secret is correctly rendered.

I am using the following command to check:

helm secrets -d vault upgrade --install superset .tmp/superset-master/helm/superset -f superset/prod/secrets.yaml -f superset/prod/values.yaml --dry-run

Am I just doing something wrong or is this an issue with the plugin?
@megakoresh
Copy link
Author

Seems this is a problem with Helm in general - helm/helm#6876

I found a workaround: in the secrets file you have to precisely repeat the structure of the values.yaml to get the secret values:

With secrets.yaml like that

postgresql:
  postgresqlPassword: !vault secrets/superset#postgresPassword

I was able to get it working. This is very inconvenient and will probably not work with lists, but I guess the plugin developers shouldn't be the ones trying to fix such issues.

@jkroepke
Copy link
Owner

jkroepke commented Apr 8, 2021

in the secrets file you have to precisely repeat the structure of the values.yaml

Thats correct. I guess thats the only way no matter if you are using plugins or not.

A better workaround:

This is because the dependency chart

Try to fix there dependency charts by doing pull requests ;-)

@megakoresh
Copy link
Author

Try to fix there dependency charts by doing pull requests ;-)

It is not feasible to fix every single upstream chart by replacing every reference to a user variable with a tpl version, not to mention that many maintainers will not be willing to accept such changes for the sake of one plugin. But I think this current approach is fine if it could be also made to work with lists.

@jkroepke
Copy link
Owner

@megakoresh

Take a look at https://github.com/variantdev/vals, It may helps.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jkroepke @megakoresh