Read secrets from file in Helm

13
votes

I've created some secrets and I'm trying to import the file in this way:

apiVersion: v1
kind: Secret
metadata:
  name: {{ template "amq.broker.fullname" . }}-tls
  labels:
    app: {{ template "amq.name" . }}
    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
    component: "{{ .Values.broker.name }}"
    release: "{{ .Release.Name }}"
    heritage: "{{ .Release.Service }}"
type: Opaque
data:
{{ (.Files.Glob "secrets/broker.ks").AsSecrets | indent 2 }}

The file is under the secrets dir. When I run the install, the broker.ks secret is not there. However the secret is under the secrets folder. Any idea?

Here the dir struct

├── Chart.yaml
├── README.md
├── secrets
│   ├── broker.ks
│   ├── broker_cert
│   ├── client.ks
│   └── client.ts
├── templates
│   ├── NOTES.txt
│   ├── _helpers.tpl
└── values.yaml
1
kuberneteskubernetes-helm
What exactly is the error message when you try to helm upgrade? What does the dir tree of your chart look like? - fishi0x01
No error during upgrade. - Mazzy
Does {{ .Files.Get "secrets/broker.ks" | b64enc | indent 2 }} work? Or do you require a glob pattern to target more secret files? - fishi0x01
Ah sorry. Misread the secret map. You want the whole content as key/value pairs. Forget my previous comment. - fishi0x01
Doesn't the glob .asSecrets mechanism create one key per file matching the pattern, with the value of that key being the file's content? In that case you could really try broker.ks: {{ .Files.Get "secrets/broker.ks" | b64enc }} - should lead to the same result, no matter what the content of secrets/broker.ks is. - fishi0x01

1 Answers

13
votes

The solution to this is, as per the docs, the following:

{{- $root := . -}}
{{- range $path, $bytes := .Files.Glob "secrets/broker.ks" }}
{{ base $path }}: '{{ $root.Files.Get $path | b64enc }}'
{{- end }}

You can also pull all the files of a specific type in the folder with .Files.Glob "secrets/*.ks"

Also make sure that the folder has not been added to .helmignore otherwise the files won't be accessible.