
My search-fu isn't strong on this question and I couldn't find any answers that helped. I have a bit of an inception-style question in setting up a helm chart with secret keys that are files with protected information.

Trying to put together a helm chart for an app that requires a config.yml file to be stored in a secret, which is then mounted by the app container. Here's an example of what the raw yaml would look like:

kind: Secret
apiVersion: v1
metadata:
  name: myapp-config
  namespace: myapp
# stringData takes plain text; the API server base64-encodes it into .data
stringData:
  # |- (literal block) keeps the line breaks; >- would fold them into one line
  config.yml: |-
    property1: value1
    api_token: "somecrazyrandomlygeneratedtoken="
    api_credentials: "username:supersecretpassword"
    add_X_number_more_properties: "more values"
type: Opaque

Obviously I don't want the creds and token in plain text like that. I'd rather not base64 the entire file contents as that would make it difficult to manage when certain properties need to change and as the file could grow and be more complicated. Is there a way to use the Jinja syntax within the file contents? Maybe something like:

value.yml

api_token: "base64_version_of_token"
api_user: "username" (or base64 version)
api_pass: "base64_version_of_password"

Secret Template:

stringData:
  config.yml: |-
    property1: value1
    api_token: "{{ .Values.api_token | b64dec }}"
    api_credentials: "{{ .Values.api_user }}:{{ .Values.api_pass | b64dec }}"

Another part of the chart is similar. Rather than doing a standard range to build a set of key/value pairs, I need to "build" a yml file based on files stored in a directory that users populate with files that define custom processing rules for the app to follow. That resulting yml file then gets pushed out to a secret for mounting by the app.

kind: Secret
apiVersion: v1
metadata:
  name: {{ .Values.instance_name }}-customProcs
  namespace: {{ .Values.namespace }}
stringData:
  pipelines.yml: |-
  # .Files.Glob reads files under the chart directory; "rules/" is a placeholder name
  # {{- trims the newline and indent before the action, so the rendered list stays inside the block
  {{- range $path, $_ := .Files.Glob "rules/*.yml" }}
    - process.id: {{ base $path | trimSuffix ".yml" }}
      path.config: "{{ base $path }}"
  {{- end }}
type: Opaque

If this was a simple key-pair setup, it would be easy, but since it's inside a >- block as a text file, I'm not sure if the normal .Files loops would work.

JScott

  • Keep in mind that base64 encoding doesn't get you anything in terms of security. It's not "encryption"; it's just a different way of representing plain text. Generally what you want to do is *not* store the secret in your chart, and instead fetch it from an external secure vault (like AWS SecretStore or Hashicorp Vault) at deploy time. – larsks Aug 11 '23 at 16:37
  • Thanks. Yes, I do understand it's not "encryption", but at least a level of protection beyond plain text. Also, I can't use external sources at deploy time. The chart is for defining yaml for an instance of an already-installed operator (OpenShift). So, it's not like a normal app chart that I have a lot of control over. – JScott Aug 11 '23 at 16:48
  • Helm is not using Jinja, for the record, but Go templates: https://helm.sh/docs/chart_template_guide/ – β.εηοιτ.βε Aug 11 '23 at 18:04
  • @β.εηοιτ.βε - I think we are referring to the same thing. Your link is just the general documentation. Are you saying I need to somehow "build" this config.yml file in something like a helpers file? Then I can reference that in the actual secret template? – JScott Aug 11 '23 at 21:16
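The two templates sketched in the question (base64 values decoded into config.yml, and a pipelines.yml list built from files in a chart directory), rendered through Go's text/template, which is the engine Helm uses. This is an added example, not code from the question or from Helm: it assumes hand-written stand-ins for Sprig's b64dec, base and trimSuffix, a minimal Files.Glob modelled on Helm's, constructed values and a hypothetical rules/ directory. Its point is to show the two details that decide whether the Secret is valid YAML: a literal block (|-) so config.yml keeps its line breaks, and {{- on the range/end lines so no un-indented line escapes the block.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"path"
	"strings"
	"text/template"
)

// chartFiles stands in for Helm's .Files object (assumption: modelled on
// Helm's Files type, a map of chart-relative path -> contents). Glob returns
// the matching subset; text/template ranges a map in sorted key order, so the
// rendered list is deterministic.
type chartFiles map[string][]byte

func (f chartFiles) Glob(pattern string) map[string][]byte {
	out := map[string][]byte{}
	for name, data := range f {
		if ok, _ := path.Match(pattern, name); ok {
			out[name] = data
		}
	}
	return out
}

// Stand-ins for the Sprig functions Helm exposes under these names. Argument
// order matches Sprig (trimSuffix suffix s), so the pipelines read as in a chart.
var helmFuncs = template.FuncMap{
	"b64dec": func(s string) string {
		b, err := base64.StdEncoding.DecodeString(s)
		if err != nil {
			return err.Error() // Sprig's b64dec renders the error text too
		}
		return string(b)
	},
	"base":       path.Base,
	"trimSuffix": func(suffix, s string) string { return strings.TrimSuffix(s, suffix) },
}

// SecretTemplate is the chart template under test. |- keeps the line breaks
// of config.yml (>- would fold them into one line); {{- trims the preceding
// newline and indent so the range emits only the indented list lines.
const SecretTemplate = `kind: Secret
apiVersion: v1
metadata:
  name: {{ .Values.instance_name }}-config
stringData:
  config.yml: |-
    property1: value1
    api_token: "{{ .Values.api_token | b64dec }}"
    api_credentials: "{{ .Values.api_user }}:{{ .Values.api_pass | b64dec }}"
  pipelines.yml: |-
  {{- range $path, $_ := .Files.Glob "rules/*.yml" }}
    - process.id: {{ base $path | trimSuffix ".yml" }}
      path.config: "{{ base $path }}"
  {{- end }}
type: Opaque
`

// Render executes the template the way helm template would: Values comes
// from values files / --set, Files from the chart directory.
func Render(values map[string]string, files chartFiles) (string, error) {
	tpl, err := template.New("secret.yaml").Funcs(helmFuncs).Parse(SecretTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = tpl.Execute(&buf, map[string]interface{}{"Values": values, "Files": files})
	return buf.String(), err
}

// RenderSample renders constructed inputs: base64 values as they would sit in
// a values file supplied at install time (kept out of the chart itself), and
// three files in the hypothetical rules/ directory, one of which the glob skips.
func RenderSample() (string, error) {
	enc := base64.StdEncoding.EncodeToString
	values := map[string]string{
		"instance_name": "myapp",
		"api_token":     enc([]byte("token123")),
		"api_user":      "svc-user",
		"api_pass":      enc([]byte("hunter2")),
	}
	files := chartFiles{
		"rules/alpha.yml":  []byte("rule: alpha"),
		"rules/beta.yml":   []byte("rule: beta"),
		"rules/README.txt": []byte("not a rule"),
	}
	return Render(values, files)
}

func main() {
	out, err := RenderSample()
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Running it prints the rendered Secret; the pipelines.yml block comes out as two indented list items with nothing at column 0 between them, which is the part the question is unsure about. In a real chart the same text lives in templates/secret.yaml and `helm template` renders it; the base64 values decode to the same plain text the Secret would hold anyway, so they belong in a values file passed at install time (`-f` or `--set-file`) rather than in the chart, which is the substance of larsks's comment.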

0 Answers