Sealed file secret feature; Will allow external files too once https://github.com/helm/helm/pull/8841 is merged

charts/onechart/my-google-account-key.json

@@ -0,0 +1,3 @@
+{
+  "what": "this is a fixture"
+}

charts/onechart/templates/deployment.yaml

@@ -71,7 +71,7 @@ spec:
             - name: {{ .name }}
               mountPath: {{ .path }}
             {{- end }}
-            {{- range .Values.volumesFromSecretFiles }}
+            {{- range .Values.sealedFileSecrets }}
             - name: {{ .name }}
               mountPath: {{ .path }}
               readOnly: true
@@ -84,10 +84,10 @@ spec:
           persistentVolumeClaim:
             claimName: {{ printf "%s-%s" $.Release.Name .name }}
         {{- end }}
-        {{- range .Values.volumesFromSecretFiles }}
+        {{- range .Values.sealedFileSecrets }}
         - name: {{ .name }}
           secret:
-            secretName: {{ .name }}
+            secretName: {{ printf "%s-%s" $.Release.Name .name }}
         {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:

charts/onechart/templates/sealed-file-secret.yaml

@@ -0,0 +1,23 @@
+{{- range .Values.sealedFileSecrets }}
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: {{ printf "%s-%s" $.Release.Name .name }}
+  namespace: {{ $.Release.Namespace }}
+  annotations:
+    sealedsecrets.bitnami.com/cluster-wide: "true"
+spec:
+  encryptedData:
+  {{- range $f := .filesToMount }}
+    {{ $f.name }}: |-
+      {{- $f.source | nindent 6 }}
+      {{- /*
+      {{- $.Files.Get $f.sourcePath | nindent 6 }}
+      */}}
+  {{- end }}
+  template:
+    metadata:
+      name: {{ printf "%s-%s" $.Release.Name .name }}
+      namespace: {{ $.Release.Namespace }}
+{{- end }}

charts/onechart/tests/deployment_sealed_file_secrets2_test.yaml

@@ -0,0 +1,23 @@
+suite: test deployment
+templates:
+  - sealed-file-secret.yaml
+tests:
+  - it: Should generate a sealed secret with the file
+    set: &values
+      sealedFileSecrets:
+        - name: google-account-key
+          path: /google-account-key
+          filesToMount:
+            - name: key
+              source: |-
+                {
+                  "what": "this is a fixture"
+                }
+#              sourcePath: my-google-account-key.json
+    asserts:
+      - equal:
+          path: spec.encryptedData.key
+          value: |-
+            {
+              "what": "this is a fixture"
+            }

charts/onechart/tests/deployment_sealed_file_secrets_test.yaml

@@ -4,8 +4,8 @@ templates:
   - configmap.yaml
 tests:
   - it: Should mount volume
-    set:
+    set: &values
-      volumesFromSecretFiles:
+      sealedFileSecrets:
         - name: google-account-key
           path: /google-account-key
           filesToMount:
@@ -19,14 +19,11 @@ tests:
               mountPath: /google-account-key
               readOnly: true
   - it: Should reference volume
-    set:
+    set: *values
-      volumesFromSecretFiles:
-        - name: google-account-key
-          path: /google-account-key
     asserts:
       - equal:
           path: spec.template.spec.volumes
           value:
             - name: google-account-key
               secret:
-                secretName: google-account-key
+                secretName: RELEASE-NAME-google-account-key

values.yaml

@@ -1,9 +1,10 @@
-namespaces:
+sealedFileSecrets:
-  - name: staging
+  - name: google-account-key
-    annotations:
+    path: /google-account-key
-      linkerd.io/inject: enabled
+    filesToMount:
-    namespace:
+      - name: key
-      budget:
+#        sourcePath: README.md
-        cpu: 8
+        source: |-
-        memory: "16Gi"
+          {
-        storage: "100Gi"
+            "what": "this is a fixture"
+          }