helmfile icon indicating copy to clipboard operation
helmfile copied to clipboard
verified publisher icon roboll

Values from secrets added in release object are not available in gotmpl file

Open MurzNN opened this issue 3 years ago • 3 comments

I have some secrets for specific chart, that not depend on environment, so I fill them into variables/my-chart/secrets.yaml file, and add link to this file into release configuration:

releases:
  - name: my-chart
    chart: my-chart
    namespace: my-chart
    secrets:
      - ./variables/my-chart/secrets.yaml
    values:
      - ./variables/my-chart/values.yaml.gotmpl

And they become not available in values.yaml.gotmpl file.

But if I move them to environments.default.secrets section - they become available.

Is this a bug, or normal behavior? How to make those secrets from releases available in Go templates?

MurzNN avatar Jan 28 '22 14:01 MurzNN

Here is my helmfile:

# environments:
#   default:
#     secrets:
#       - ./variables/my-chart/secrets.yaml

releases:
  - name: my-chart
    chart: my-chart
    namespace: my-chart
    secrets:
      - ./variables/my-chart/secrets.yaml
    values:
      - ./variables/my-chart/values.yaml.gotmpl

And other files:

  • ./variables/my-chart/secrets.yaml:
myPassword: superPa$$word
  • ./variables/my-chart/values.yaml.gotmpl:
myString: stringOverriden
myPassword: {{ .Values | get "myPassword" }}

And here is the error:

in ./helmfile.yaml: failed processing release my-chart: failed to render values files "variables/my-chart/values.yaml.gotmpl": failed to render [variables/my-chart/values.yaml.gotmpl], because of template: stringTemplate:1:23: executing "stringTemplate" at <get "myPassword">: error calling get: no value exist for key "myPassword" in map[]

MurzNN avatar Jan 28 '22 14:01 MurzNN

Storing release-specific secrets in environment files (eg environments/default/secrets.yaml) is not a good idea, because they become global for all releases charts.

Or it is a right way to make large single environments/default/secrets.yaml and environments/default/values.yaml files with structure like this?

global:
  globalVal1: value
releases:
  my-chart:
    var1: value
  my-chart2:
    var2: value

...and along the way catch Helm's issue with dashes :(

MurzNN avatar Feb 01 '22 10:02 MurzNN

secrets are just encrypted values, the secret of release are decrypted and merged into result of values of release. You can have secret.yaml.gotmpl as well if you want to do templating in secret. Per-release secret is not state values so is not available in .Values or statevalues

StateValues which is defined by environnement works in the same way, secrets are merged into values and provide the final SateValues to per-release templated values files.

Hope that my explanation is clear enough.

itscaro avatar Feb 23 '22 21:02 itscaro