
I have created a secret.yaml file as follows:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
data:
  truststore.jks: {{ (.Files.Glob "../trust.jks").AsSecrets | b64enc }}

I am calling this as part of a template .yaml file in Helm.

.yaml

apiVersion: v1
kind: DeploymentConfig
spec:
  ...
  template:
    spec:
      ...
      containers:
        - name: "my-container"
          ...
          volumeMounts:
            - name: secrets
              mountPath: /mnt/secrets
              readOnly: true
      volumes:
        - name: secrets
          secret:
            secretName: "my-secret"

When I run the helm install command, the pod gets created successfully and the volume is also mounted, but if I check truststore.jks in /mnt/secrets using the cat command, below is the output:

cat /mnt/secrets/truststore.jks
{}

I ran the dry run command to check the generated .yaml file; the secret is populated as below:

# Source: ag-saas/templates/tsSecret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
data:
  truststore.jks: e30=

How do I get the file into my secret?

Q2Dev
  • I did go through the following answer https://stackoverflow.com/questions/48423398/what-is-a-good-way-to-deploy-secret-java-key-stores-in-an-openshift-environment, but here the contents of the .jks file are manually copied into the data. I need data to be populated from the file while the secret is created. – Q2Dev Sep 30 '22 at 08:03

1 Answer


There's a couple of things going on here:

  • .Files.Glob is intended to retrieve multiple files, e.g. .Files.Glob "credentials/*.jks". For a single file .Files.Get will retrieve its contents directly.
  • You can only access files inside the chart directory; referencing .Files.Get "../trust.jks" won't work.
  • .Files.Glob.AsSecrets renders a list of files to the entire contents of the data: block; you just directly need the file content.

So your Secret should look like

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
data:
  truststore.jks: {{ .Files.Get "trust.jks" | b64enc }}

where in the last line I've used .Files.Get, I've not tried to refer to a "../..." path outside the chart, and I don't render it to ...AsSecrets.

You also will need to move or copy (not symlink) the keyset file into the chart directory for this to work.

(In the current form, .Files.Glob won't match anything outside the chart directory, so you get an empty list of files. Then rendering that to .AsSecrets gets you an empty JSON object. You're using that string {} as the secret value, which gets correctly base64-encoded, but that's why {} comes out at the end.)

David Maze
  • Thanks! It worked. A follow-up question: I had my .jks file inside the Charts directory and the secret config file in the templates directory. So why did it not read when I referenced it as ../trust.jks? – Q2Dev Oct 02 '22 at 17:19
  • The paths used by `.Files.Get` (and `.Files.Glob`) are relative to the top-level chart directory, not the location of the template file. – David Maze Oct 03 '22 at 01:08
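
A check for the failure discussed in this thread, as an added example that is not part of the original question or answer: it scans rendered dry-run output for Secret values that decode to nothing or to `{}`, and for `.jks` keys whose bytes do not start with the JKS magic `FE ED FE ED`. The function names and the sample are constructed for illustration, and the parser assumes the flat, single-line `data:` layout shown in the question.

```python
import base64
import re

JKS_MAGIC = bytes.fromhex("feedfeed")  # first four bytes of a JKS-format keystore
# Constructed sample in the shape of the dry-run output quoted in the question.
RENDERED = """\
# Source: ag-saas/templates/tsSecret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
data:
  truststore.jks: e30=
"""


def secret_entries(rendered):
    """Yield (key, base64 value) for each data: entry of each rendered Secret."""
    for doc in re.split(r"(?m)^---\s*$", rendered):
        lines = [ln for ln in doc.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
        if "kind: Secret" not in [ln.rstrip() for ln in lines]:
            continue
        in_data = False
        for line in lines:
            if not line[0].isspace():
                in_data = line.rstrip() == "data:"  # any other top-level key ends the block
            elif in_data:
                key, _, value = line.strip().partition(":")
                yield key.strip(), value.strip().strip("\"'")


def check(rendered):
    """Return (key, problem) for every Secret value that cannot be a real keystore."""
    findings = []
    for key, value in secret_entries(rendered):
        try:
            raw = base64.b64decode(value, validate=True)
        except ValueError:
            findings.append((key, "not valid base64"))
            continue
        if raw.strip() in (b"", b"{}"):
            findings.append((key, "empty payload (template matched no file)"))
        elif key.endswith(".jks") and not raw.startswith(JKS_MAGIC):
            # Note: a PKCS12 store saved under a .jks name is reported here too.
            findings.append((key, "no JKS magic bytes"))
    return findings


if __name__ == "__main__":
    print(check(RENDERED))
```

Feeding it the rendered manifests in CI and failing the job on a non-empty result keeps an empty truststore from being deployed unnoticed.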