Ability to insert secretgen-generated passwords into a helmTemplate step in a PackageInstall

[aaronshurley]

Describe the problem/challenge you have Reporting on the behalf of @voor. I want the ability to pass values to ytt and helm for Packages. This works for App CRs but not PackageInstall.

Describe the solution you'd like I want to insert SecretGen generated passwords into a helmTemplate step in a PackageInstall. I see how I could do that with:

    - helmTemplate:
      ...
        valuesFrom:
          - secretRef:
              name: secret-name

Just basically put that into spec.template.spec for the Package, except I don't know what the secret-name would be ahead of time, and I need to support multiple installs of the package into the same namespace.

Anything else you would like to add: Please take a look at the initial conversation or reach out to @voor directly. This may require work in secretgen-controller.

---

Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible" 👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you want to help working on this issue.

[voor]

Another snippet from the code that might show the pain a little more clearly, we generate a lot of secrets for Postgres, and to fit those into a package install right now looks like this:

kind: PackageInstall
metadata:
  name: tesseract-postgres
  annotations:
    ext.packaging.carvel.dev/ytt-paths-from-secret-name.0: tesseract-postgres-values
    ext.packaging.carvel.dev/ytt-paths-from-secret-name.1: tesseract-postgres-generated-postgres-password
    ext.packaging.carvel.dev/ytt-paths-from-secret-name.2: tesseract-postgres-generated-repmgr-password
    ext.packaging.carvel.dev/ytt-paths-from-secret-name.3: tesseract-postgres-generated-pgpool-password
    ext.packaging.carvel.dev/ytt-paths-from-secret-name.4: tesseract-postgres-generated-pgpool-user-appdata-password
    ext.packaging.carvel.dev/helm-template-values-from-secret-name.0: tesseract-postgres-values
    ext.packaging.carvel.dev/helm-template-values-from-secret-name.1: tesseract-postgres-generated-postgres-password
    ext.packaging.carvel.dev/helm-template-values-from-secret-name.2: tesseract-postgres-generated-repmgr-password
    ext.packaging.carvel.dev/helm-template-values-from-secret-name.3: tesseract-postgres-generated-pgpool-password
    ext.packaging.carvel.dev/helm-template-values-from-secret-name.4: tesseract-postgres-generated-pgpool-user-appdata-password
    ext.packaging.carvel.dev/helm-template-name: postgresql-ha
    ext.packaging.carvel.dev/helm-template-namespace: tesseract

This is rough, and since PackageInstall is considered part of the "consumers" persona and not the package author, it feels like it's violating the design, and is not really idea.

[github-actions[bot]]

This issue is being marked as stale due to a long period of inactivity and will be closed in 5 days if there is no response.

[cmoulliard]

Ideally we should have the possibility to use var substitution to change within the helm values.yml file the proper value

Dummy example of a values.yml file

VM_IP: <IP_ADDRESS_OF_THE_VM>

where <IP_ADDRESS_OF_THE_VM> should be passed as PackageInstall parameter to perform the variable substitution

[voor]

Just revisiting this thread since now there is SecretTemplate which can make this a little cleaner, but you're still stuck passing things into both ytt and helm using annotations (since there's no way to pass something to multiple template steps), redirecting folks over to https://github.com/vmware-tanzu/carvel-kapp-controller/issues/515 for further discussion.