
How to validate if K8s secrets are base64 encoded during helm diff?

Open jaythamke opened this issue 4 years ago • 4 comments

In the K8s secret manifest I put the secret in the data field as a non-base64-encoded secret. The helm diff execution works great and returns exit code 2 for diff.

However, helm upgrade failed with exit code 1 because the secret data is non-base64 encoded.

I would like to know if there is a way to verify at helm diff stage that the secret is non-base64 encoded and return with 1. Or is there any plan to implement this check?

Thanks Jayesh

jaythamke, Feb 10 '22 13:02

@jaythamke Hey! Thanks for reporting. This is an interesting case - helm-diff isn't designed from the ground up to do K8s validation on its own, so it's not surprising if helm-diff doesn't catch this kind of error.

But I was wondering if helm-diff catches it when you run it with HELM_DIFF_THREE_WAY_MERGE=true?

It's implemented in https://github.com/databus23/helm-diff/pull/304 and available since helm-diff v3.3.0.

When HELM_DIFF_THREE_WAY_MERGE is enabled, helm-diff runs some client-side code of Helm and K8s to build internal representations of K8s resource objects for computing diff. It should catch simple type errors, at least. But I'm not sure if it is able to catch more high-level errors (like secrets' data values not being base64 encoded).

mumoshu, Feb 13 '22 02:02

Thanks for the reply @mumoshu, I set HELM_DIFF_THREE_WAY_MERGE=true and executed helm diff ... but it does not catch when the secret is non-base64 encoded.

jaythamke, Feb 23 '22 13:02

Thanks! Then helm-diff seems to be not the right place to do such validations. Maybe a better approach would be to use --post-renderer in combination with a custom script/command that is designed to fail when the input k8s manifests have non-base64-encoded secret values?

mumoshu, Feb 23 '22 23:02

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot], Jun 12 '22 14:06