3

I have two helm charts, I need to generate a random password in one of the charts, and I am required to use the same password in the second.

What would be the best practice to achieve this?

Thanks in advance!!

CodeWizard
  • 128,036
  • 21
  • 144
  • 167
raghu_manne
  • 71
  • 8

2 Answers2

2

Generate the password in a known secret name then refer to that secret in the other chart?

Blender Fox
  • 4,442
  • 2
  • 17
  • 30
  • Yes, what would be the best thing to refer in other chart? By adding the dependent chart as a subchart? – raghu_manne Jun 20 '22 at 07:24
  • You could make them dependent charts or keep them separate. It depends on how frequently they will change. Whichever way you choose, you just need to know which secret will be used by the first chart to save the password so the other chart can use it. If you want to be more secure you can look at something like Hashicorp Vault to store secrets more securely. – Blender Fox Jun 20 '22 at 07:26
  • Okay.. If i keep them as separate charts, how would i reference a secret created in one chart to other chart? – raghu_manne Jun 20 '22 at 07:40
  • You could set one chart to output to a specific secret name, for example "credentials" in the namespace, then set the second one to use the same named secret in its task. The second chart _would_ potentially fail to start up until that secret is created however. I'm guessing you would want that since without the password, you wouldn't be able to do whatever it is in you need to do in the second chart? – Blender Fox Jun 20 '22 at 08:41
  • It worked for my use case coz i had to deploy both the charts in same namespace. Also we have another issue with helm where it will update the random password every time we re-install/upgrade the chart, i got it solved by referring this https://stackoverflow.com/a/70875930/6877011. – raghu_manne Jun 21 '22 at 08:22
1

You have several options to achieve this requirement.

  1. If you are using Helm you can deploy resources to the same Namespace and store the password in a configMap or in Secret. The ConfigMap / Secret will be generated dynamically during the creation or deployment of the chart

  2. Another solution might be to use Helm Dependency. Helm dependency allows you to build up the charts with dependencies between each other so you can pass information between them.

  3. Use kubectl kustomization to generate the ConfigMap / Secret and share them between the charts. The best approach is to use kustomisation hierarchy which will allow you to share the content.

For example:

  • You can set up and .env with the random value
# Generate random number and store it inside `ConfigMap`
echo $RANDOM > .env
  • Use the .env to generate the different secrets per chart

# reference: [https://github.com/nirgeier/KubernetesLabs/tree/master/Labs/08-Kustomization/samples/03-generators/ConfigMap/01-FromEnv]


# kustomization.yaml for ConfigMap
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

configMapGenerator:
  # Generate config file from the env file which you 
  # created in teh previous step
  - name: configMapFromEnv
    env: .env
  • Now you will have the same "password" in both of the charts.
CodeWizard
  • 128,036
  • 21
  • 144
  • 167