terraform-provider-helm

Add values_sensitive option to set sensitive values as yaml

Open ksvladimir opened this issue 4 years ago • 11 comments

Description

When using tools like sops or similar, multiple secrets are often managed in a single YAML file. It's not possible to pass it using set_sensitive. This PR implements a values_sensitive argument, which works just like values, but hides its content just like set_sensitive.

The PR includes tests and documentation, and closes #546.

Note: after implementing it, I realized it duplicates PR #549.

Acceptance tests

  • [x] Have you added an acceptance test for the functionality being added?
  • [x] Have you run the acceptance tests on this branch?

Output from acceptance testing:

$ make testacc TESTARGS='-run=[Cc]loak'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test "./helm" -v -run=[Cc]loak -timeout 120m -parallel=4
=== RUN   TestAccResourceRelease_cloakValues
=== PAUSE TestAccResourceRelease_cloakValues
=== RUN   TestAccResourceRelease_cloakValuesYaml
=== PAUSE TestAccResourceRelease_cloakValuesYaml
=== RUN   TestCloakSetValuesYaml
--- PASS: TestCloakSetValuesYaml (0.00s)
=== RUN   TestCloakSetValuesYamlNotMatching
--- PASS: TestCloakSetValuesYamlNotMatching (0.00s)
=== RUN   TestCloakSetValues
--- PASS: TestCloakSetValues (0.00s)
=== RUN   TestCloakSetValuesNested
--- PASS: TestCloakSetValuesNested (0.00s)
=== RUN   TestCloakSetValuesNotMatching
--- PASS: TestCloakSetValuesNotMatching (0.00s)
=== CONT  TestAccResourceRelease_cloakValues
=== CONT  TestAccResourceRelease_cloakValuesYaml
    provider_test.go:162: [DEBUG] Creating namespace terraform-acc-test-3xbfya6mvh
=== CONT  TestAccResourceRelease_cloakValues
    provider_test.go:162: [DEBUG] Creating namespace terraform-acc-test-ovemsbqlx3
--- PASS: TestAccResourceRelease_cloakValues (21.99s)
--- PASS: TestAccResourceRelease_cloakValuesYaml (24.82s)
PASS
ok      github.com/hashicorp/terraform-provider-helm/helm       24.970s

Release Note

- Adds `values_sensitive` option to set sensitive values as yaml

References

Resolves #546 Supersedes #549

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

ksvladimir Nov 17 '20 00:11

It looks like engineerd/[email protected] needs to be upgraded to engineerd/[email protected] in https://github.com/hashicorp/terraform-provider-helm/blob/master/.github/workflows/tests.yaml for the tests to work.

ksvladimir Nov 17 '20 00:11

CLA assistant check
All committers have signed the CLA.

hashicorp-cla Nov 22 '20 08:11

It looks like engineerd/[email protected] needs to be upgraded to engineerd/[email protected] in https://github.com/hashicorp/terraform-provider-helm/blob/master/.github/workflows/tests.yaml for the tests to work.

It seems like this was fixed in #635

mnaser Jan 11 '21 15:01

Any updates on this? This would be really helpful @jrhouston

Seems to fix #793 and #546.

hilariocoelho Jan 24 '22 17:01

Update: I forked @ksvladimir's PR in order to pull changes from master, made the necessary adjustments to the unit tests, published the provider to the Terraform registry, and it worked as expected.

You can find the fork here and the published provider here

- resource "helm_release" "test_release" {
      - atomic                     = false -> null
      - chart                      = "oci://redacted.azurecr.io/helm/redacted" -> null
      - cleanup_on_fail            = false -> null
      - create_namespace           = false -> null
      - dependency_update          = false -> null
      - disable_crd_hooks          = false -> null
      - disable_openapi_validation = false -> null
      - disable_webhooks           = false -> null
      - force_update               = false -> null
      - id                         = "test_release" -> null
      - lint                       = false -> null
      - max_history                = 0 -> null
      - metadata                   = [
          - {
              - app_version = "6.1.0"
              - chart       = "redacted"
              - name        = "test"
              - namespace   = "test"
              - revision    = 1
              - values      = jsonencode(
                    {
                          - secret_key      = "(sensitive value)"
                          - secret_password = "(sensitive value)"
                    }
                )
              - version     = "6.1.0"
            },
        ] -> null
      - name                       = "redacted" -> null
      - namespace                  = "test" -> null
      - recreate_pods              = false -> null
      - render_subchart_notes      = true -> null
      - replace                    = false -> null
      - repository_password        = (sensitive value)
      - repository_username        = "redacted" -> null
      - reset_values               = false -> null
      - reuse_values               = false -> null
      - skip_crds                  = false -> null
      - status                     = "deployed" -> null
      - timeout                    = 300 -> null
      - values_sensitive           = (sensitive value)
      - verify                     = false -> null
      - version                    = "6.1.0" -> null
      - wait                       = true -> null
      - wait_for_jobs              = false -> null
    }

hilariocoelho Jan 25 '22 11:01
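
The plan output above shows the keys supplied through values_sensitive rendered as "(sensitive value)" inside the release metadata. A sketch of that kind of cloaking, as an added Go example that is not the provider's or the PR's code (the names `cloak`, `render` and `mask` are hypothetical, the sample data is constructed, and values are modelled as already-decoded nested maps):

```go
package main

import (
	"encoding/json"
	"fmt"
)

const mask = "(sensitive value)" // placeholder string, as in the plan output above

// cloak returns a copy of values in which every leaf also present in sensitive
// is replaced by mask. Keys found only in one of the two maps are not masked.
func cloak(values, sensitive map[string]interface{}) map[string]interface{} {
	out := make(map[string]interface{}, len(values))
	for k, v := range values {
		s, found := sensitive[k]
		if !found {
			out[k] = v // not declared sensitive: copy unchanged
			continue
		}
		vMap, vOK := v.(map[string]interface{})
		sMap, sOK := s.(map[string]interface{})
		if vOK && sOK {
			out[k] = cloak(vMap, sMap) // descend: mask only the nested secret leaves
		} else {
			out[k] = mask // scalar, list, or shape mismatch: mask the whole value
		}
	}
	return out
}

// render cloaks the merged values and encodes them as JSON for display.
func render(values, sensitive map[string]interface{}) string {
	b, _ := json.Marshal(cloak(values, sensitive)) // decoded YAML/JSON values always marshal
	return string(b)
}

func main() {
	// Constructed sample data: merged release values and the sensitive subset.
	merged := map[string]interface{}{
		"replicas":   2,
		"db":         map[string]interface{}{"host": "db.internal", "password": "hunter2"},
		"secret_key": "abc123",
	}
	sensitive := map[string]interface{}{
		"db":         map[string]interface{}{"password": "hunter2"},
		"secret_key": "abc123",
	}
	fmt.Println(render(merged, sensitive))
}
```

Masking of this kind only changes what is displayed. Terraform still writes sensitive attribute values to state, so the state backend needs its own access control and encryption.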

@alexsomesan can you take a look at this please? We have been using a custom provider version for some time and we haven't faced any issues. This should be included in the provider.

hilariocoelho Mar 10 '23 10:03

I hate to annoyingly +1 things, but anybody over at @hashicorp/terraform-ecosystem-kubernetes (sic CODEOWNERS) mind giving us a hand in pushing this towards an official release?

pndurette Aug 21 '23 22:08

Please integrate this feature, it will really make handling helm releases easier.

NumenDivinum Sep 08 '23 12:09

+1

astorrs Feb 15 '24 22:02

+1

michelzanini Apr 02 '24 14:04