Keeping Vault secrets encrypted in helmfile diff & apply #1210
Comments
Hey, `helmfile diff` shows differences for Kubernetes entities and uses the `helm-diff` plugin. By default this plugin hides all values in the `data` section of Kubernetes kind `Secret`:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: cm-config
type: Opaque
data:
  mypassword: {{ .Values.mypassword | b64enc | quote }}
```

and then reference it in your environment value like this:

```yaml
- name: DB_PASSWORD
  valueFrom:
    secretKeyRef:
      name: cm-config
      key: mypassword
```

Therefore you will see something like this in your diff output (your secret values are being replaced by '+++++++'):

```diff
+ # Source: app/templates/cm-config.yaml
+ apiVersion: v1
+ kind: Secret
+ metadata:
+   name: cm-config
+ data:
+   password: '++++++++ # (24 bytes)'
+ type: Opaque
```
@Tlzps Hey! As @zam-zam has kindly explained, it doesn't happen when you limit your secret refs to be only placed as Secret resources'. Where are you putting your secret ref on?

@zam-zam Thank you very much for all these details. I am new to Kube and didn't experiment with Secrets yet. @mumoshu, I was just testing the Vault integration, so I created a Value key in the env file associated with the environment that I specified in `helmfile -e myenv`, which was then shown in a ConfigMap.

@Tlzps Yeah, that's expected. I believe no K8s-related tool treats ConfigMap as if it might contain credentials. ConfigMap isn't encrypted at rest before being persisted in etcd.

So use Secret instead of ConfigMap.

Yeah, as @mumoshu said, using secret and adding
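The redaction @zam-zam describes and the ConfigMap exposure @mumoshu points at can be reproduced offline. The script below is an added example, not helm-diff's or helmfile's own code: it masks the `data` values of every `kind: Secret` document in a rendered manifest stream the way the thread shows (`'++++++++ # (N bytes)'`) and leaves every other kind, ConfigMap included, untouched, so the same password comes out hidden in the Secret and in clear text in the ConfigMap. It assumes the two-space indentation that `helm template` emits and base64 values under `data`; the manifest, resource names and values are constructed for the example.

```python
"""Redact the ``data`` section of rendered Kubernetes Secret manifests.

Added example (not helmfile's or helm-diff's code). It mimics the behaviour
described in the thread: Secret ``data`` values are replaced by a mask plus
the decoded byte length, while ConfigMap data passes through unchanged.
Works on the plain manifest text, so no YAML library is needed; assumes the
two-space indentation ``helm template`` produces.
"""
import base64
import re

MASK = "++++++++"

# Constructed sample: a Secret and a ConfigMap carrying the same password.
SAMPLE_MANIFEST = """\
# Source: app/templates/cm-config.yaml
apiVersion: v1
kind: Secret
metadata:
  name: cm-config
type: Opaque
data:
  mypassword: aXNteWNsZWFycGFzc3dvcmQ=
---
# Source: app/templates/cm-values.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: cm-values
data:
  my_password: ismyclearpassword
"""

_KIND_RE = re.compile(r"^kind:\s*(\S+)\s*$")
_TOP_KEY_RE = re.compile(r"^[A-Za-z0-9_.-]+:")
_DATA_ENTRY_RE = re.compile(r"^(\s+)([^\s:]+):\s*(\S.*)$")


def decoded_length(value: str) -> int:
    """Byte length of the decoded secret; falls back to the raw string
    length when the value is not valid base64 (e.g. an unresolved ref)."""
    raw = value.strip().strip("'\"")
    try:
        return len(base64.b64decode(raw, validate=True))
    except ValueError:  # binascii.Error is a ValueError subclass
        return len(raw)


def redact_secret_data(manifest: str) -> str:
    """Return the manifest with each value under ``data:`` of a
    ``kind: Secret`` document replaced by MASK and its byte length."""
    out = []
    kind = None
    in_data = False
    for line in manifest.splitlines():
        if line.strip() == "---":  # document boundary: forget kind/state
            kind, in_data = None, False
            out.append(line)
            continue
        m = _KIND_RE.match(line)
        if m:
            kind = m.group(1)
        if _TOP_KEY_RE.match(line):  # a new top-level key ends any data block
            in_data = line.startswith("data:")
            out.append(line)
            continue
        if in_data and kind == "Secret":
            entry = _DATA_ENTRY_RE.match(line)
            if entry:
                indent, key, value = entry.groups()
                line = f"{indent}{key}: '{MASK} # ({decoded_length(value)} bytes)'"
        out.append(line)
    return "\n".join(out) + "\n"


def leaked_values(manifest: str, needle: str) -> int:
    """Count occurrences of a clear-text value surviving redaction."""
    return redact_secret_data(manifest).count(needle)


if __name__ == "__main__":
    print(redact_secret_data(SAMPLE_MANIFEST))
```

Running it prints the Secret with `mypassword: '++++++++ # (17 bytes)'` and the ConfigMap with `my_password: ismyclearpassword` intact, which is exactly the difference between the two situations in this thread: the masking is keyed on `kind: Secret`, so a Vault ref rendered into a ConfigMap is never touched.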
We are using the HashiCorp Vault integration (#906) with success, however the passwords are shown in clear text in the `helmfile diff` & `helmfile apply` outputs.

```yaml
mypassword: 'ref+vault://secret/data/foo?proto=http#/mykey'
```

```diff
+ my_password: ismyclearpassword
```

Is there any way to instead show what has been set in helmfile's values or show a dummy value?

Ex:

```diff
+ my_password: ref+vault://secret/data/foo?proto=http#/mykey
```

Or:

```diff
+ my_password: ***HIDDEN***
```

Thanks.