helm icon indicating copy to clipboard operation
helm copied to clipboard
verified publisher icon helm

add template to store env vars in secrets

Open itsmethemojo opened this issue 3 years ago • 13 comments

Signed-off-by: Marian Poeschmann [email protected]

closes #11284

What this PR does / why we need it:

This Feature enhances the default chart created with helm create. It adds the structure to add multiple environment variables and stores them in a separate secret. Because still most of the time developer still add sensitive configuration via environment variables and if there would be a out-of-the-box functionality storing those configuration the right way, a lot of future charts will be better by default. Most importently this also adds out-of-the-box pod recreation, when those secrets change, by adding an additional checksum environment parameter. By default Kubernetes will not recreate the pod if a secret changes, from which environment variables are referenced. This will be solved for those new environment variables.

unit test I did run the tests but was a bit confused that the unit test suite fails by default. Nevertheless the tests for the module modified look ok.

docker run --rm -v$(pwd):/app -w /app -e PKG=pkg/chart-util -e TESTS=pkg/chart-util -e GOLANGCI_LINT_VERSION=1.46.2 cimg/go:1.18 bash -c 'cd /tmp && /app/.circleci/bootstrap.sh && cd /app && make build test'
> /tmp/out.txt

to compare here is the unchanged master

$ cat /tmp/out-org.txt | grep -vE '^FAIL$' | grep FAIL
--- FAIL: TestDependencyBuildCmdWithHelmV2Hash (0.01s)
FAIL    helm.sh/helm/v3/cmd/helm        59.833s
--- FAIL: TestWalk (0.00s)
FAIL    helm.sh/helm/v3/internal/sympath        0.056s
--- FAIL: TestLoadDirWithSymlink (0.00s)
FAIL    helm.sh/helm/v3/pkg/chart/loader        0.695s
--- FAIL: TestDependentChartsWithSubChartsSymlink (0.00s)
FAIL    helm.sh/helm/v3/pkg/chartutil   1.569s
--- FAIL: TestTemplateIntegrationHappyPath (0.01s)
FAIL    helm.sh/helm/v3/pkg/lint/rules  0.853s
--- FAIL: TestRegistryClientTestSuite (1.41s)
FAIL    helm.sh/helm/v3/pkg/registry    1.481s
--- FAIL: TestIndex (0.05s)
FAIL    helm.sh/helm/v3/pkg/repo        0.235s

and here is my branch

$ cat /tmp/out.txt | grep -vE '^FAIL$' | grep FAIL
--- FAIL: TestDependencyBuildCmdWithHelmV2Hash (0.02s)
FAIL    helm.sh/helm/v3/cmd/helm        89.903s
--- FAIL: TestWalk (0.00s)
FAIL    helm.sh/helm/v3/internal/sympath        0.086s
--- FAIL: TestLoadDirWithSymlink (0.00s)
FAIL    helm.sh/helm/v3/pkg/chart/loader        0.845s
--- FAIL: TestDependentChartsWithSubChartsSymlink (0.00s)
FAIL    helm.sh/helm/v3/pkg/chartutil   1.768s
--- FAIL: TestTemplateIntegrationHappyPath (0.02s)
FAIL    helm.sh/helm/v3/pkg/lint/rules  0.881s
--- FAIL: TestRegistryClientTestSuite (1.85s)
FAIL    helm.sh/helm/v3/pkg/registry    1.986s
--- FAIL: TestIndex (0.08s)
FAIL    helm.sh/helm/v3/pkg/repo        0.487s

how to test the new template

I tested with 2 minimal configs. The test should show that the environment parameters are referenced properly and a change will result in a pod recreation.

$ mkdir bin
$ chmod 777 -R bin
$ docker run --rm -v$(pwd):/app -w /app -e PKG=pkg/chart-util -e TESTS=pkg/chart-util -e GOLANGCI_LINT_VERSION=1.46.2 cimg/go:1.18 bash -c 'cd /tmp && /app/.circleci/bootstrap.sh && cd /app && make build

$ bin/helm create env-chart

$ cat test.yaml
env:
  POSTGRES_PASSWORD: ""
image:
  repository: postgres
  tag: "latest"

$ cat reload.yaml
env:
  POSTGRES_PASSWORD: mysecretpassword
  
$ helm install env-test env-chart/ -f test.yaml
$ kubectl logs -l app.kubernetes.io/instance=env-test
# you will see that the database wont come up, because the parameter POSTGRES_PASSWORD is missing

$ helm upgrade env-test env-chart/ -f test.yaml -f reload.yaml
$ kubectl logs -l app.kubernetes.io/instance=env-test
# you should now see that the database will come up

itsmethemojo avatar Sep 15 '22 20:09 itsmethemojo

I think you should use the method using an annotation as describe in helm tips ans tricks : https://helm.sh/docs/howto/charts_tips_and_tricks/

jouve avatar Oct 04 '22 20:10 jouve

I think you should use the method using an annotation as describe in helm tips ans tricks : https://helm.sh/docs/howto/charts_tips_and_tricks/

yes this is definitely better since it will not add a usesless env parameter. i will change that

itsmethemojo avatar Oct 04 '22 22:10 itsmethemojo

i moved the checksum to the podAnnotations as suggested. for now i kept it in several commits to see the evolution. i can squash it later

itsmethemojo avatar Oct 05 '22 22:10 itsmethemojo

This! 👆 +1 I would love to see that in the newest release ^^

rojberr avatar Aug 31 '23 13:08 rojberr

@jouve @joejulian @mattfarina is this now ready?

itsmethemojo avatar Sep 01 '23 13:09 itsmethemojo

i worked in all review feedback

itsmethemojo avatar Sep 03 '23 20:09 itsmethemojo

is anything missing? do i have to do anything additionally?

@joejulian @mattfarina

itsmethemojo avatar Sep 14 '23 19:09 itsmethemojo

any feedback? @joejulian @mattfarina

itsmethemojo avatar Oct 12 '23 21:10 itsmethemojo

actually i stumbled over a nasty stringData bug the last 2 months. i will replace that with data

itsmethemojo avatar May 19 '24 19:05 itsmethemojo

This pull request has been marked as stale because it has been open for 90 days with no activity. This pull request will be automatically closed in 30 days if no further activity occurs.

github-actions[bot] avatar Aug 25 '25 00:08 github-actions[bot]

Needs rebase. Note Helm 3 is not accepting new features so this would be for Helm 4.

scottrigby avatar Sep 11 '25 21:09 scottrigby

If this Feature ist finally wanted i am happy to clean that PR up. 👍

itsmethemojo avatar Sep 11 '25 22:09 itsmethemojo

Please resolve conflicts.

TerryHowe avatar Oct 14 '25 12:10 TerryHowe