simplify values + secret templating #4328

Closed
jstrachan opened this issue Jun 19, 2019 · 1 comment
Labels
area/helm kind/enhancement An enhancement of an existing feature priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.

jstrachan commented Jun 19, 2019

we need to make it easier to populate the Secrets from a smaller set of actual values stored in vault (or locally on the file system if need be).

see an early iteration here: #4323

but after various discussions we're thinking of a simpler approach.

  • when using jx step helm apply allow values.yaml files to use go/helm templates like templates/foo.yaml does inside helm charts so that we can generate value/secret strings which can use templating to compose things from smaller secret values. e.g. creating a maven settings.xml file or docker config.json which includes many user/passwords for different registries
  • we can then check in the values.yaml file which does all of this composition and reference the actual secret values via URLs (or template functions) to access vault or local vault files

Parameters

  • have a way to define common parameters used to inject into multiple charts values.yaml files. e.g. we use the pipelineUser.username and pipelineUser.token in many apps (prow, tekton, secret templates for jenkins x platform et al)
  • have a way to define the JSON schema of the parameters (like we do with values.yaml editing in Apps) and map the parameters to a URL for vault / local storage

Use go templating in values.yaml

So that we can easily reuse value or secret parameters (from vault / local files) in any values.yaml value expression we enable go templating in values.yaml files. This lets us refer to a named parameter anywhere in any value in any values.yaml file in any chart.

e.g. we can inject the login/pwd of a particular registry inside the maven settings.xml file in a values.yaml value - ditto for each user/pwd for each docker registry in the docker config.json secret.

To do this we use `{{ .Parameter.pipelineUser.token }}` syntax somewhere in the values.yaml file.

In addition we can use `{{ secret "vault:/foo/bar" }}` syntax to inject URLs from physical locations or disk etc.
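
The templating proposed above, as an added Go sketch that is not code from the jx repository or from the issue author: it renders a `values.yaml` with `.Parameter` lookups and a `secret` function that dispatches on the URL scheme. The `SecretReader` type, `RenderValues`, the sample file and the in-memory store are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// SecretReader is a hypothetical stand-in for the secret URL client (vault: or local:).
type SecretReader func(path string) (string, error)

// RenderValues renders a templated values.yaml; parameters are exposed under .Parameter.
func RenderValues(src string, params map[string]interface{}, readers map[string]SecretReader) (string, error) {
	funcs := template.FuncMap{"secret": func(url string) (string, error) {
		parts := strings.SplitN(url, ":", 2)
		read, ok := readers[parts[0]]
		if len(parts) != 2 || !ok {
			return "", fmt.Errorf("unsupported secret URL %q", url)
		}
		return read(parts[1])
	}}
	// missingkey=error: an undefined parameter fails the render instead of emitting "<no value>".
	t, err := template.New("values.yaml").Option("missingkey=error").Funcs(funcs).Parse(src)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, map[string]interface{}{"Parameter": params}); err != nil {
		return "", err
	}
	return out.String(), nil
}

const SampleValues = `pipelineUser:
  username: {{ .Parameter.pipelineUser.username }}
registryPassword: {{ secret "vault:/foo/bar" }}
` // constructed sample: the checked-in file holds references, not secret values

func main() {
	vault := func(path string) (string, error) { // constructed in-memory stand-in for Vault
		if path == "/foo/bar" {
			return "constructed-password", nil
		}
		return "", fmt.Errorf("no secret at %q", path)
	}
	params := map[string]interface{}{"pipelineUser": map[string]interface{}{"username": "jenkins-x-bot"}}
	out, err := RenderValues(SampleValues, params, map[string]SecretReader{"vault": vault})
	fmt.Println(out, err)
}
```

The rendered string contains the resolved secret, so unlike the template it should not be committed or logged.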

@jstrachan jstrachan self-assigned this Jun 19, 2019
@abayer abayer added area/helm kind/enhancement An enhancement of an existing feature priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Jun 19, 2019
jstrachan added a commit to jstrachan/jx that referenced this issue Jun 19, 2019
and add support for `vault:` for the vault client and `local:` for the local file system client

Signed-off-by: James Strachan <james.strachan@gmail.com>

jenkins-x#4328
jstrachan added a commit to jstrachan/jx that referenced this issue Jun 19, 2019
* also support referencing logical Parameters in a `parameters.yaml` file which can include a logical structure + schema (for nice install tooling) which then contains inline values for simple values or URLs to vault/local secret files for better secret management

fixes jenkins-x#4328

Signed-off-by: James Strachan <james.strachan@gmail.com>

jstrachan commented Jun 19, 2019

btw here's a test case showing

jstrachan added a commit to jstrachan/jx that referenced this issue Jun 20, 2019
and add support for `vault:` for the vault client and `local:` for the local file system client

Signed-off-by: James Strachan <james.strachan@gmail.com>

jenkins-x#4328
jstrachan added a commit to jstrachan/jx that referenced this issue Jun 20, 2019
* also support referencing logical Parameters in a `parameters.yaml` file which can include a logical structure + schema (for nice install tooling) which then contains inline values for simple values or URLs to vault/local secret files for better secret management

fixes jenkins-x#4328

Signed-off-by: James Strachan <james.strachan@gmail.com>
pmuir pushed a commit to pmuir/jx that referenced this issue Jun 20, 2019
…enkins-x#4330)

* fix: refactor out a sub-interface from Vault for VaultURL injection

* so we can support local file system vault-like behaviour or real Vault from a small simple interface (which is a small subset of Vault client)
* same URL structure works for vault + local file system referencing

Signed-off-by: James Strachan <james.strachan@gmail.com>

* chore: fix hound warning

Signed-off-by: James Strachan <james.strachan@gmail.com>

* chore: refactor vaulturl -> secreturl

Signed-off-by: James Strachan <james.strachan@gmail.com>

* fix: lets move URL handling into the secreturl.Client

and add support for `vault:` for the vault client and `local:` for the local file system client

Signed-off-by: James Strachan <james.strachan@gmail.com>

jenkins-x#4328

* chore: fix hound warning

Signed-off-by: James Strachan <james.strachan@gmail.com>

* fix: allow `values.yaml` to include go template functions

* also support referencing logical Parameters in a `parameters.yaml` file which can include a logical structure + schema (for nice install tooling) which then contains inline values for simple values or URLs to vault/local secret files for better secret management

fixes jenkins-x#4328

Signed-off-by: James Strachan <james.strachan@gmail.com>

* chore: fix hound warning

Signed-off-by: James Strachan <james.strachan@gmail.com>

* chore: fix failing tests due to refactor

Signed-off-by: James Strachan <james.strachan@gmail.com>

* chore: fix failing tests due to refactor

Signed-off-by: James Strachan <james.strachan@gmail.com>

* chore: avoid failing when bootstrapping a cluster

and we don't yet have the install config ConfigMap setup

Signed-off-by: James Strachan <james.strachan@gmail.com>

* fix: lets populate the cluster information in the cluster/values.yaml

Signed-off-by: James Strachan <james.strachan@gmail.com>

* chore: fix broken test

Signed-off-by: James Strachan <james.strachan@gmail.com>

* fix: lets allow templating in the root `values.yaml` too

added a test + fix for templating in the root dir as well as any nested `values.yaml` files

Signed-off-by: James Strachan <james.strachan@gmail.com>

* chore: polished the code

thanks for the great feedback @ccojocar

* renamed `vaultClient` -> `secretURLClient`
* fixed up mock generation
* zapped the `GetClusterName` and reused the existing helper

Signed-off-by: James Strachan <james.strachan@gmail.com>
daveconde pushed a commit to daveconde/jx that referenced this issue Apr 7, 2020
…enkins-x#4330)

This issue was closed.