jkroepke / helm-secrets

A helm plugin that help manage secrets with Git workflow and store them anywhere
https://github.com/jkroepke/helm-secrets/wiki
Apache License 2.0

vals expression is not evaluated in named template #430

Closed stockersky closed 10 months ago

stockersky commented 10 months ago

Current Behavior

I have a Helm template for creating a dockerconfigjson kind of Secret: a Secret to pull images from a private registry.

The secret is stored in HashiCorp Vault. I use vals as stated in the docs to retrieve those secrets, together with the technique referenced in the Tips and Tricks section of the Helm documentation for Image Pull Secrets.

{{- define "secretDockerRegistry" }}
{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.secretDockerRegistry.registry (printf "%s:%s" .Values.secretDockerRegistry.username .Values.secretDockerRegistry.password | b64enc) | b64enc }}
{{ end -}}

{{- if and .Values.secretDockerRegistry .Values.secretDockerRegistry.enabled -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Values.secretDockerRegistry.name }}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: {{ template "secretDockerRegistry" . }}
{{- end -}}

And the associated Values:

secretDockerRegistry:
  enabled: true
  name: docker-creds
  registry: registry-docker.myapp.com
  username: "ref+vault://docker/DOCKER_USER"
  password: "ref+vault://docker/DOCKER_PASS"

The vals expression is not evaluated by vals, and the secret ends up containing the vals expressions (when I base64-decode the .dockerconfigjson it contains ref+vault://docker/DOCKER_USER and ref+vault://docker/DOCKER_PASS instead of the secrets).

Actually, as a test, if I set metadata.name to use the vals secret (name: {{ .Values.secretDockerRegistry.username }}), this is correctly evaluated and the secret value is displayed. I assume this does not come from vals but from the evaluation of the vals expression in the named template string.

{{- if and .Values.secretDockerRegistry .Values.secretDockerRegistry.enabled -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Values.secretDockerRegistry.username }}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: {{ template "secretDockerRegistry" . }}
{{- end -}}

Expected Behavior

The vals expression should be evaluated in the define template instruction: the secret stored in Vault should be retrieved. Then the template should generate the right string.

Steps To Reproduce

No response

Environment

Anything else?

No response

jkroepke commented 10 months ago

inside a Helm named template.

It can't be the issue. Under the hood, --evaluate-templates= is using the helm post-render function.

It means helm-secrets configures helm to pipe the rendered manifest into the vals binary. At that point, it should not matter whether the manifests are coming from named templates or other sources.

Since --evaluate-templates=true works after the helm render and the vals expression is encoded inside a base64 string, vals will never evaluate the value.

Could you explain, why you need to use --evaluate-templates=true here?

Normally, helm-secrets will evaluate the expression from values files, which should be sufficient here?
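The ordering problem described above, as an added example that is not part of the thread or of helm-secrets' own code. It simulates both pipelines in plain Python: the post-render order (render the chart, then let vals rewrite ref+ expressions in the output) and the values-backend order (resolve the values file first, then render). The vals backend is replaced by a constructed lookup table (FAKE_VAULT) instead of a real Vault query, and the template logic is a hand-written stand-in for the named template in the issue; the names and secret values are assumptions for the demonstration.

```python
import base64
import json
import re

# Constructed stand-in for the vals backend: a hypothetical mapping from
# ref+ expressions to secret values. Real vals would query Vault here.
FAKE_VAULT = {
    "ref+vault://docker/DOCKER_USER": "ci-bot",
    "ref+vault://docker/DOCKER_PASS": "s3cr3t",
}

# Constructed values file matching the one in the issue.
VALUES = {
    "name": "docker-creds",
    "registry": "registry-docker.myapp.com",
    "username": "ref+vault://docker/DOCKER_USER",
    "password": "ref+vault://docker/DOCKER_PASS",
}

# A ref+ expression is only recognisable while it is plain text.
REF_RE = re.compile(r"ref\+[a-z]+://[^\s\"']+")


def resolve_refs(text: str) -> str:
    """Replace every ref+... expression visible in plain text, as a vals pass
    over a rendered manifest would. Anything hidden inside base64 is invisible."""
    return REF_RE.sub(lambda m: FAKE_VAULT.get(m.group(0), m.group(0)), text)


def render_docker_secret(values: dict) -> str:
    """Stand-in for the named template in the issue: build the .dockerconfigjson
    payload and double-encode it exactly as the two b64enc calls do."""
    auth = base64.b64encode(
        f"{values['username']}:{values['password']}".encode()
    ).decode()
    cfg = json.dumps({"auths": {values["registry"]: {"auth": auth}}})
    payload = base64.b64encode(cfg.encode()).decode()
    return (
        "apiVersion: v1\nkind: Secret\nmetadata:\n"
        f"  name: {values['name']}\n"
        "type: kubernetes.io/dockerconfigjson\ndata:\n"
        f"  .dockerconfigjson: {payload}\n"
    )


def decode_auth(manifest: str) -> str:
    """Undo both base64 layers and return the inner user:password string,
    which is what the kubelet would present to the registry."""
    outer = manifest.split(".dockerconfigjson: ")[1].strip()
    cfg = json.loads(base64.b64decode(outer))
    inner = next(iter(cfg["auths"].values()))["auth"]
    return base64.b64decode(inner).decode()


def post_render_pipeline(values: dict) -> str:
    """--evaluate-templates=true order: render first, then vals over the output."""
    return resolve_refs(render_docker_secret(values))


def values_backend_pipeline(values: dict) -> str:
    """HELM_SECRET_BACKEND=vals order: resolve the values file, then render."""
    resolved = {k: resolve_refs(v) for k, v in values.items()}
    return render_docker_secret(resolved)


if __name__ == "__main__":
    # Post-render: the ref+ strings were base64-encoded before vals ran, so the
    # pushed Secret still contains the literal expressions.
    print("post-render auth :", decode_auth(post_render_pipeline(VALUES)))
    # Values backend: the expressions were resolved before templating.
    print("values-backend auth:", decode_auth(values_backend_pipeline(VALUES)))
    # The metadata.name experiment from the issue: a ref+ that stays in plain
    # text is resolved even by the post-render pass.
    print(post_render_pipeline({**VALUES, "name": VALUES["username"]}))
```

A useful check after any change to a chart that encodes values: decode the rendered Secret and confirm no `ref+` prefix survives inside it; a literal expression that reaches the cluster is both a broken pull secret and a sign that the resolution step ran at the wrong stage.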

stockersky commented 10 months ago

Well, these are my first steps with helm-secrets & vals. And clearly, it works in other use cases. Great!

Here I apply the technique suggested in the Tips and Tricks section of the Helm documentation for Image Pull Secrets.

I did some experiments:

{{- define "secretDockerRegistry2" }}
{{- $username := .Values.secretDockerRegistry.username -}}
{{- printf "auth %s" $username  }}
{{ end -}}

This would work, but only if --evaluate-templates=true is specified.

But it does not work with the named template provided by Helm. At least, not "as is".

stockersky commented 10 months ago

Wait, wait! I forgot to initialize the vals backend: HELM_SECRET_BACKEND=vals. Sorry. My bad :(