
Feeding sensitive values to Helm over standard input

Open iverberk opened this issue 2 years ago • 4 comments

Context

I want to feed Helm with decrypted secrets, ideally without storing them to disk. My secrets are stored encrypted in the Git repository with SOPS. As a plain shell command it would look like this: sops --decrypt secrets.enc.yaml | helm template $name . -f -.

This would automatically pick up the values.yaml file in the directory but it would also pass the decrypted values in secrets.enc.yaml via stdin to helm, effectively merging the values together. Obviously the SOPS binary, configuration and keys would need to be in-place but that is not a concern for the plugin.

The problem

It seems that I cannot specify additional values files on disk for the Helm processor, let alone pass something to Helm via stdin. I need something to happen before the Helm command kicks off that generates values, which are then fed via stdin to Helm.

Options

I've looked at the options at my disposal.

ARGOCD_ENV_LOVELY_PREPROCESSORS

As far as I can see, this can only modify files on disk for further processing. My use-case is to not decrypt the secrets to disk. So the idea of a preprocessor is what I'm looking for, but it needs to be able to 'feed' the Helm command via stdin.

ARGOCD_ENV_LOVELY_HELM_MERGE

I do not know upfront what the contents of my secrets will be. Also, I'd rather not put it in ENV variables for additional security.

Plugins

Plugins seem to run after Helm/Kustomize which makes them useless for my use-case. All the magic is happening within the Helm chart. I don't want to patch/correct it afterwards. I don't want to dig into the Helm chart and see how they use the secret values to implement them on my own later in the 'pipeline'.

Since plugins implement the idea of a Linux pipe, this is exactly what I need, only I need it to run before Helm kicks off, passing the output of the previous plugins to Helm.

Next steps

Maybe I've overlooked/missed options that can work for my use case. Otherwise I'd be happy to collaborate on a design and help implement the code (I'm proficient in Go) if the added value is sufficient. I understand that we should probably design for the generic case, SOPS is just my implementation but others should be free to use whatever they want.

iverberk avatar Jul 15 '22 11:07 iverberk
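The pipeline the issue asks for (`sops --decrypt secrets.enc.yaml | helm template $name . -f -`), written in Go as an added example of how a "preprocessor that feeds Helm over stdin" can be wired up. This is not code from argocd-lovely-plugin or from the reporter's plugin; the function names `SopsToHelmArgs` and `RunPiped` are hypothetical, and `main` assumes `sops` and `helm` are on PATH with a readable `secrets.enc.yaml` in the current directory. The two processes are joined by an OS pipe, so the decrypted values exist only in kernel pipe buffers and the two processes' memory, never as a file, and the producer's stderr (where SOPS reports key errors) is surfaced without its stdout.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"os/exec"
)

// SopsToHelmArgs builds the two halves of the pipeline from the issue:
//   sops --decrypt <secretsFile> | helm template <name> <chartDir> -f -
// "-f -" makes helm read one more values file from stdin, which it merges
// over the chart's own values.yaml. (Hypothetical helper, not plugin code.)
func SopsToHelmArgs(name, chartDir, secretsFile string) (producer, consumer []string) {
	producer = []string{"sops", "--decrypt", secretsFile}
	consumer = []string{"helm", "template", name, chartDir, "-f", "-"}
	return producer, consumer
}

// RunPiped starts producer and consumer and connects producer's stdout to
// consumer's stdin through an OS pipe. The producer's output (the decrypted
// values) is never written to disk by this code. It returns consumer's stdout.
func RunPiped(producer, consumer []string) ([]byte, error) {
	if len(producer) == 0 || len(consumer) == 0 {
		return nil, fmt.Errorf("producer and consumer must both be non-empty argv slices")
	}
	r, w, err := os.Pipe()
	if err != nil {
		return nil, fmt.Errorf("create pipe: %w", err)
	}
	prod := exec.Command(producer[0], producer[1:]...)
	cons := exec.Command(consumer[0], consumer[1:]...)

	var out, prodErr, consErr bytes.Buffer
	prod.Stdout = w        // write end of the pipe goes to the producer
	prod.Stderr = &prodErr // diagnostics only; never carries the values
	cons.Stdin = r         // read end of the pipe goes to the consumer
	cons.Stdout = &out
	cons.Stderr = &consErr

	if err := cons.Start(); err != nil {
		r.Close()
		w.Close()
		return nil, fmt.Errorf("start consumer: %w", err)
	}
	if err := prod.Start(); err != nil {
		r.Close()
		w.Close() // no writer left: consumer sees EOF and can exit
		cons.Wait()
		return nil, fmt.Errorf("start producer: %w", err)
	}
	// The children hold their own copies of the pipe fds. The parent must drop
	// its copies, otherwise the consumer never sees EOF when the producer exits.
	r.Close()
	w.Close()

	prodWait := prod.Wait()
	consWait := cons.Wait()
	if prodWait != nil {
		// Report the producer's stderr (e.g. a SOPS key error) but never its stdout.
		return nil, fmt.Errorf("producer %q failed: %w: %s",
			producer[0], prodWait, bytes.TrimSpace(prodErr.Bytes()))
	}
	if consWait != nil {
		return nil, fmt.Errorf("consumer %q failed: %w: %s",
			consumer[0], consWait, bytes.TrimSpace(consErr.Bytes()))
	}
	return out.Bytes(), nil
}

func main() {
	// Stand-alone use: the sops/helm pipeline from the issue (assumes both on PATH).
	prod, cons := SopsToHelmArgs("myapp", ".", "secrets.enc.yaml")
	rendered, err := RunPiped(prod, cons)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	os.Stdout.Write(rendered)
}
```

Because `cons.Stdin` and `prod.Stdout` are `*os.File` values, `os/exec` hands the pipe fds straight to the children instead of copying through a goroutine, so a consumer that exits early simply gives the producer EPIPE rather than wedging the parent. The same `RunPiped` works for any decryptor in place of SOPS, which matches the "generic case" the issue asks for.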

Thanks for the clear issue description. I'm sure we can support your use case, but as you've concluded, can't do so right now. I'd like to think about the best way to support both this and plain additional values files as per #37, and will get back to you.

Joibel avatar Jul 15 '22 11:07 Joibel

I've decided to go ahead and create a specific implementation for my use-case: https://github.com/iverberk/argocd-secure-app-plugin . It's a simpler version of the lovely plugin with integrated SOPS decoding. It's not meant as a replacement or 'fork' of this plugin, I just needed something that works for me now and I couldn't see an easy way to add it to lovely without making it opinionated. Maybe we can converge at some point if we take some time to evaluate approaches.

For additional values files I've simply decided that a dedicated 'values' folder should exist in the Helm source, otherwise additional logic would need to be added to differentiate values and plan manifests.

If you'd like we can close this issue.

iverberk avatar Jul 27 '22 11:07 iverberk

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Sep 26 '22 08:09 stale[bot]

Would still like to fix this

Joibel avatar Sep 26 '22 08:09 Joibel

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Nov 25 '22 11:11 stale[bot]

Stalebot poke.

tico24 avatar Nov 25 '22 11:11 tico24

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jan 24 '23 11:01 stale[bot]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Apr 02 '23 21:04 stale[bot]