SealedSecrets support

Laszlo Fogas
2020-10-14 14:05:43 +02:00
parent 1f10a80af0
commit 9befa35ccb
5 changed files with 74 additions and 5 deletions
@@ -47,6 +47,10 @@ spec:
- secretRef:
name: {{ .Release.Name }}
{{- end }}
{{- if .Values.sealedSecrets }}
- secretRef:
name: {{ .Release.Name }}
{{- end }}
ports:
- name: http
containerPort: {{ .Values.containerPort }}
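Review bot: this second `secretRef` uses the same name, `{{ .Release.Name }}`, as the block immediately above it (whose condition lies outside this hunk), so a release that sets both values renders two identical `envFrom` entries pointing at one Secret. Kubernetes tolerates the duplicate, but it appears in every rendered manifest and hides which value actually produced the reference; a single block guarded by `or` over both conditions, along the lines of `{{- if or <existing-secret condition> .Values.sealedSecrets }}` (placeholder for the condition not visible here), avoids it. A short template comment that the name is deliberately shared because the controller unseals the SealedSecret into a Secret of the release name would also help the next reader.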
@@ -0,0 +1,18 @@
{{- if .Values.sealedSecrets }}
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "helm-chart.labels" . | nindent 4 }}
spec:
encryptedData:
{{- range $key, $val := .Values.sealedSecrets }}
{{ $key }}: {{ $val | quote }}
{{- end }}
template:
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
{{- end }}
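Review bot: `spec.template.metadata` carries only `name` and `namespace`, so the Secret the controller unseals will not carry the chart labels that `metadata.labels` puts on the SealedSecret itself; adding `labels:` with `{{- include "helm-chart.labels" . | nindent 8 }}` under `template.metadata` keeps the two objects labelled consistently. Worth a template comment as well: the default (strict) Sealed Secrets scope binds each ciphertext to the target Secret's name and namespace, so the values in `encryptedData` only decrypt while `metadata.name` remains `{{ .Release.Name }}` and `metadata.namespace` remains `{{ .Release.Namespace }}`; renaming the release or installing it into another namespace yields a SealedSecret the controller rejects at unseal time, with no change to the rendered template to warn the user.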
@@ -18,3 +18,13 @@ tests:
asserts:
- isNull:
path: spec.template.spec.containers[0].envFrom
- it: Should reference secret if sealedSecrets is set
set:
sealedSecrets:
secret1: supersecret
asserts:
- contains:
path: spec.template.spec.containers[0].envFrom
content:
secretRef:
name: RELEASE-NAME
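Review bot: the new case only checks that a `secretRef` named `RELEASE-NAME` is present; it cannot catch the duplicate reference that appears when the existing-secret value and `sealedSecrets` are both set, because `contains` is satisfied by either entry. Add a case that sets both and uses `equal` on the whole `spec.template.spec.containers[0].envFrom` path against a one-element list, so a second entry fails the test, and keep a negative case like the `isNull` test above for the situation where `sealedSecrets` is absent.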
@@ -0,0 +1,15 @@
suite: test deployment
templates:
- sealed-secret.yaml
tests:
- it: Should put sealed secrets in SealedSecret
set:
sealedSecrets:
var1: value1
var2: value2
asserts:
- equal:
path: spec.encryptedData
value:
var1: value1
var2: value2
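Review bot: `suite: test deployment` is carried over from the deployment suite; name it after the template it exercises (for example `test sealed secret`) so failures are attributed to the right file in the output. The single assertion also leaves the object's identity unchecked, and identity is what makes the ciphertext usable: the encrypted values only unseal if `metadata.name` and `spec.template.metadata.name` match what was passed to `kubeseal --name`, so assert both equal `RELEASE-NAME`. Since the whole template is wrapped in `{{- if .Values.sealedSecrets }}`, a case without `sealedSecrets` asserting `hasDocuments` with `count: 0` would pin down that no empty SealedSecret is emitted.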
+26 -4
@@ -1,4 +1,8 @@
OneChart can reference an existing secret:
Since secrets demand a distinct workflow, OneChart will not generate a Kubernetes `Secret` object, but can reference one.
OneChart can reference an existing Kubernetes `Secret` and it includes all entries in the deployment with the `EnvFrom` field.
The secret name must match the release name. `my-release` in this example.
```yaml
image:
@@ -24,8 +28,26 @@ EOF
helm template my-release onechart/onechart -f values.yaml
```
!!! note
### Using encrypted secret values
OneChart references an existing Kubernetes `Secret` and includes all entries in the deployment with the `EnvFrom` field.
OneChart can be used with [Bitnami's Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets), and it generates a `SealedSecret` resource that can be stored even in git.
The secret name must match the release name. `my-release` in the above example.
```yaml
image:
repository: nginx
tag: 1.19.3
sealedSecrets:
secret1: AgBy3i4OJSWK+PiTySYZZA9rO43cGDEq...
secret2: ewogICJjcmVk...
```
Where you have to generate the encrypted values with [Sealed Secrets "raw" workflow](https://github.com/bitnami-labs/sealed-secrets#raw-mode-experimental):
```bash
echo -n my-secret-value | kubeseal \
--raw \
--from-file=/dev/stdin \
--namespace bar \
--name my-release
```
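Review bot: the `kubeseal --raw` example hard-codes `--namespace bar` while the surrounding text talks about `my-release`; the docs should say that this namespace must be the one the chart is later installed into (`helm install -n ...`), because with the default strict scope a ciphertext sealed for `bar` will not unseal in any other namespace, which is the most common reason a `SealedSecret` stays unpopulated. Two smaller points: `echo -n my-secret-value | ...` leaves the plaintext in shell history, so reading the value from a file (`--from-file=./secret.txt`) is the better documented form; and verify that `### Using encrypted secret values` sits outside the `!!! note` admonition, since a heading indented under `!!! note` renders as part of the note rather than as a section.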