
Question: using combination of encrypted and unencrypted values.yml files

Open tgoehler opened this issue 4 years ago • 6 comments

You described the usage of a wrapper "helm vault install ..... -f values.yaml" where values.yml is the encrypted values file. Usually helm supports multiple values files like "helm install .... -f values1.yaml -f values2.yaml" etc.

When using the vault wrapper, is it still possible to use multiple values files? Can there be a combination of i.e. "-f vault_values.yaml -f values.yaml" where vault_values.yaml is encrypted and values.yaml contains unencrypted values?

If so, what would the corresponding command to issue helm install look like then?

Cheers, Torsten

tgoehler, Sep 28 '20 13:09

Hello!

I haven’t tested this, but I do not think it would work currently with multiple files specified.

That being said, the difference between “encrypted” and “decrypted” files is at the value level, not the file level. You could probably make a YAML file that contains all of the needed YAML and just encrypt the values as needed. It should parse fine, but I haven’t specifically tested it.

If this is of interest, I will look into adding support for it.

Just-Insane, Oct 04 '20 16:10

These two lines are what loads the YAML file to be worked on:

https://github.com/Just-Insane/helm-vault/blob/babcd2fac23ec0bfa24ae34e4070272fe5e4f0eb/src/vault.py#L430-L431

I think changing this to be able to know about multiple passed YAML files and then parse them sequentially would be fairly simple.

Just-Insane, Oct 04 '20 16:10

The idea behind this is to have a hierarchical configuration and to avoid maintaining the same values in different places. A couple of Helm charts, each of which shall get three different categories of values.yaml file:

  • individual values for a helm chart (clear text)
  • global values, same file valid for all helm charts (clear text)
  • vault values (encrypted)

So, usual helm can be given multiple values files with multiple -f options at the command line. Maybe you could keep -f for unencrypted files and enhance with an option like -e --encrypted-values to pass only files behind -e to the vault.

-e isn't yet being used by helm install | upgrade as far as I can see

tgoehler, Oct 13 '20 13:10

I like this idea. Once I get some time I’ll look into implementing it.

Just-Insane, Oct 13 '20 14:10

Looping back on this, sorry it took so long.

Just to clarify, (since I’ve never used multiple values files with Helm), what is the purpose of the multiple values files?

I would imagine that you could combine the values into a single file and then pass that values file into the enc/dec statements?

With the addition of Vault Path Templating you would be able to set the location of your global variables to one spot in Vault, and then always use that templated vault path for the global values in the values file?

Would it be fine to just accept and parse multiple values files and just ignore files that don’t have any delimiters?

Just-Insane, Nov 11 '20 05:11

We need to be able to provide a few values files through -f args too. Use case: We have one file with shared global values per environment + one service-specific file per environment + default values in chart. It would be great to be able to do something like helm vault install release chart -f stage.yaml -f my-service.yaml

Tri0L, Sep 01 '22 22:09
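
One way to implement the approach discussed in this thread (accept several -f files in order and leave alone any file that contains no marked values), added here as an example and not helm-vault's own code. The marker string, the `.dec` suffix, the function names and the sample files are assumptions, and the files are shown already parsed into dictionaries by a YAML loader.

```python
# Added example, not helm-vault code. Both constants below are assumptions.
DELIMINATOR = "changeme"  # assumed marker for a value that must come from Vault
DEC_SUFFIX = ".dec"       # assumed suffix of the decrypted copy handed to helm


def marked_paths(node, prefix=""):
    """Return the dotted key paths of every leaf equal to the marker."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{prefix}.{key}" if prefix else str(key)
            found += marked_paths(value, child)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            found += marked_paths(value, f"{prefix}[{index}]")
    elif node == DELIMINATOR:
        found.append(prefix)
    return found


def plan_helm_args(values_files):
    """values_files: ordered list of (filename, parsed_yaml), as given with -f.

    Files without marked values are passed to helm untouched; files with
    marked values are swapped for their decrypted copy. The order is kept,
    so helm's rule that the rightmost -f file wins is unchanged.
    """
    args, secrets = [], {}
    for name, doc in values_files:
        paths = marked_paths(doc)
        if paths:
            secrets[name] = paths              # what has to be fetched from Vault
            args += ["-f", name + DEC_SUFFIX]  # decrypted copy; delete after use
        else:
            args += ["-f", name]               # clear-text file, never rewritten
    return args, secrets


# Constructed sample mirroring the three categories named in the thread.
SAMPLE = [
    ("global.yaml", {"region": "eu", "replicas": 2}),
    ("my-service.yaml", {"image": {"tag": "1.4.2"}}),
    ("vault_values.yaml",
     {"db": {"password": "changeme", "users": [{"token": "changeme"}]}}),
]

if __name__ == "__main__":
    print(plan_helm_args(SAMPLE))
```

Only the files listed in `secrets` ever get a decrypted copy on disk, which keeps the set of files that must be cleaned up after the helm call as small as possible.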