
How to set the "required" value in templates from --set option?


How can I force the --set option to be specified on helm install|upgrade?

In my case, there are some required environment variables (e.g. "database.password").

Files

.
|-- Chart.yaml
|-- templates
|   |-- NOTES.txt
|   |-- _helpers.tpl
|   |-- deployment.yaml
|   |-- ingress.yaml
|   |-- secret.yaml
|   `-- service.yaml
`-- values.yaml

values.yaml (snip)

#...
database:
  useExternal: no
  host: "pgsql"
  port: "5432"
  name: "myapp"
  userName: "myapp_user"
  # The password shouldn't be written here.
  # I want to inject this value into the secret.
  password: ""
#...

templates/secrets.yaml

apiVersion: v1
kind: Secret
metadata:
  name: myapp-secrets
type: Opaque
data:
  app-database-password: {{required .Values.database.password | b64enc | quote }}

templates/deployment.yaml (snip)

#...
env:
  - name: APP_DATABASE_HOST
    value: {{ .Values.database.host | quote }}
  - name: APP_DATABASE_PORT
    value: {{ .Values.database.port | quote }}
  - name: APP_DATABASE_NAME
    value: {{ .Values.database.name | quote }}
  - name: APP_DATABASE_USERNAME
    value: {{ .Values.database.userName | quote }}
  - name: APP_DATABASE_PASSWORD
    valueFrom:
      secretKeyRef:
        name: myapp-secrets
        key: app-database-password
#...

command

# Retrieve from GCP KMS(prod) or define directly(dev)
DATABASE_PASSWORD=$( ... )

# Deploy.
helm upgrade --install \
  -f ./values.yaml \
  --set database.password="$DATABASE_PASSWORD" \
  myapp-dev ./ --dry-run --debug

It failed with an error.

Error: render error in "myapp/templates/secret.yaml": template: myapp/templates/secret.yaml:7:28: executing "myapp/templates/secret.yaml" at <required>: wrong number of args for required: want 2 got 1

It seems the required function is evaluated statically when the template file is parsed.

I need the following:

  • database.password is switchable by environment, such as "prod" or "stage".
  • database.password should be stored in a secret.
  • I want to set the actual database.password value using env vars on command execution.

Any ideas?


Solution

  • The Helm-specific required macro takes two parameters: the error message if the value isn't present, and the value that you're checking for. This syntax also lets it be used in pipeline form. In your example, the secret value could be

    app-database-password: {{.Values.database.password | required "database password is required" | b64enc | quote }}
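
Why the question's expression fails and the pipeline form renders, as an added Go example that is not part of the original answer and is not Helm's own code. The `required`, `b64enc` and `quote` functions are simplified stand-ins written for this example, and `render`, `asAsked`, `asFixed` and the sample password are constructed names and values.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"text/template"
)

// Example stand-ins (assumption), not Helm's code; required fails on nil or "".
var funcs = template.FuncMap{
	"required": func(msg string, val interface{}) (interface{}, error) {
		if val == nil || val == "" {
			return nil, fmt.Errorf("%s", msg)
		}
		return val, nil
	},
	"b64enc": func(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) },
	"quote":  func(s string) string { return fmt.Sprintf("%q", s) },
}

const (
	// The question's expression: required is called with one argument.
	asAsked = `{{required .Values.database.password | b64enc | quote }}`
	// The answer's expression: the piped value becomes the last argument.
	asFixed = `{{.Values.database.password | required "database password is required" | b64enc | quote }}`
)

// render executes tpl with .Values.database.password set to password.
func render(tpl, password string) (string, error) {
	t, err := template.New("secret.yaml").Funcs(funcs).Parse(tpl)
	if err != nil {
		return "", fmt.Errorf("parse: %w", err)
	}
	values := map[string]interface{}{"Values": map[string]interface{}{
		"database": map[string]interface{}{"password": password}}}
	var out bytes.Buffer
	if err := t.Execute(&out, values); err != nil {
		return "", fmt.Errorf("render: %w", err)
	}
	return out.String(), nil
}

func main() {
	// Constructed sample inputs: a dummy password and the empty default.
	for _, c := range [][2]string{{asAsked, "s3cr3t"}, {asFixed, "s3cr3t"}, {asFixed, ""}} {
		out, err := render(c[0], c[1])
		fmt.Printf("password=%q output=%q err=%v\n", c[1], out, err)
	}
}
```

With the real chart, `--dry-run --debug` prints the rendered Secret, and the value in it is only base64-encoded, so treat that output as sensitive.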