search

fluxcd / helm-controller

The GitOps Toolkit Helm reconciler, for declarative Helming
https://fluxcd.io
Apache License 2.0
408 stars 160 forks source link

FEATURE: First-class support for secret decryption #928

Open davejbax opened 6 months ago

davejbax commented 6 months ago

Problem

Flux currently lacks first-class support for SOPS-encrypted secret decryption in Helm charts. If, for example, I wanted to load a Helm chart via a HelmRelease into my cluster and have it create some Kubernetes secrets from encrypted secrets stored in the Helm chart itself, the solutions available as I understand are:

  1. Use a Flux Kustomization which creates the HelmRelease and uses a secret generator to create the secrets, or
  2. Use an external secrets operator

Approach 1 ends up being slightly messy in a multi-cluster, multi-tenant scenario. Where Flux is used from a single centralised repo to pull application repos via HelmRelease resources and GitRepository sources, it becomes necessary to either:

Approach 2 is feasible, but comes with its own disadvantages, which are covered fairly well in the Flux documentation on this topic.

Related issues

This issue has been raised in the past and discussed elsewhere online:

Proposal

I'd like to propose a cleaner solution for handling this case:

  1. Add an additional field to HelmRelease, named something such as valuesFilesEncrypted
  2. Decrypt these values files with SOPS when building the Helm chart

The ostensible benefits of this approach would be:

I'm happy to open a PR to implement the above, if the maintainers believe it is an acceptable idea to implement.

souleb commented 5 months ago

This question has been partly answered in https://github.com/fluxcd/flux2/issues/4075. We have no plan to implement it ourselves this year.

About the feature itself, I think it is an acceptable one, but the decryption and values merging should all be done by the helm-controller, as it should support all the sources types (we are adding ociRepository as a source).

Sebor commented 2 months ago

As I understood @davejbax is ready to implement this feature ownself. And I completely agree with his arguments. For our company, this is a big limitation for migrating to flux, because we have a lot of helm charts in monorepo and almost every chart has the following structure:

.
├── Chart.yaml
├── secrets-dev.yaml
├── secrets-prod.yaml
├── templates
│   ├── configmap.yaml
│   ├── deployment.yaml
│   ├── secret.yaml
│   ├── ...
├── values-dev.yaml
├── values-prod.yaml
└── values.yaml

The secret/configmap:

...
data:
  {{- range $key, $val := .Values.secrets }}    # or   {{- range $key, $val := .Values.config }}
  {{ $key }}: {{ $val | b64enc | quote }}
  {{- end }}

The container inside deployment:

...
envFrom:
  - configMapRef:
      name: {{ include "tempi-back.fullname" . }}
  - secretRef:
      name: {{ include "tempi-back.fullname" . }}

In that case it would be nice to have HelmRelease definition something like:

valuesFiles:
  - ./charts/chart1/values.yaml
  - ./charts/chart1/values-dev.yaml
valuesEncryptedFiles:
  - ./charts/chart1/secrets-dev.yaml