kubernetes-helm kubernetes-secrets

Helm get value from secret


I was wondering if there is any workaround to set a value in a secret and let Helm render it before install. The use case is this: I'm using the Bitnami chart for RabbitMQ and I want to add SSO with my Azure Active Directory. There is the variable advancedConfiguration: |- ... for that purpose, but I have to put the configuration in plain text and add it to version control. As you can imagine, I don't want to do that.

The SSO config is like the following JSON:

advancedConfiguration: |-
  [
    {rabbit, [
      {auth_backends, [rabbit_auth_backend_oauth2, rabbit_auth_backend_internal]}
    ]},
    {rabbitmq_auth_backend_oauth2, [
      {resource_server_id, <<"CLIENT_ID">>},
      {extra_scopes_source, <<"roles">>},
      {key_config, [
        {jwks_url, <<"https://login.microsoftonline.com/PROVIDER_ID/discovery/v2.0/keys">>}
      ]}
    ]},
    {rabbitmq_management, [
      {oauth_enabled, true},
      {oauth_client_id, "CLIENT_ID"},
      {oauth_client_secret, "CLIENT_SECRET"},
      {oauth_provider_url, "https://login.microsoftonline.com/PROVIDER_ID"}
    ]}
  ].

The PROVIDER_ID, CLIENT_ID and CLIENT_SECRET are the values that I want to hide.

I have read about Helm's --post-renderer flag, but I am using Argo CD for deploys and it seems that it is not compatible with that flag.

What options do I have to solve this correctly? Thanks in advance.

This is what the chart does with the value:

apiVersion: v1
kind: Secret
metadata:
  name: {{ printf "%s-config" (include "common.names.fullname" .) }}
  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" . | nindent 4 }}
    {{- if .Values.commonLabels }}
    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
    {{- end }}
  {{- if .Values.commonAnnotations }}
  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
  {{- end }}
type: Opaque
data:
  rabbitmq.conf: |-
    {{- include "common.tplvalues.render" (dict "value" .Values.configuration "context" $) | b64enc | nindent 4 }}
  {{- if .Values.advancedConfiguration }}
  advanced.config: |-
    {{- include "common.tplvalues.render" (dict "value" .Values.advancedConfiguration "context" $) | b64enc | nindent 4 }}
  {{- end }}

Solution

  • As I said, I updated the chart and submitted a PR. This is solved in version 11.3.0 using the key advancedConfigurationExistingSecret instead of the previous key.

    If you are curious about this here are the details:
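The following is an added example, not part of the original answer or the chart: a shell sketch that renders the question's advanced.config from environment variables and prints a Secret for advancedConfigurationExistingSecret to reference. The Secret name, the namespace and the character whitelist are assumptions, as is the requirement that the Secret hold the key advanced.config (mirroring the chart's own Secret shown above).

```shell
# Added example (not the chart's code); Secret name and namespace are hypothetical.
# Assumption: the referenced Secret must hold the key advanced.config.

# Allow only characters that cannot close an Erlang "..." or <<"...">> literal.
check_value() {  # $1 = variable name, $2 = value
  case "$2" in
    ''|*[!A-Za-z0-9._~-]*) echo "refusing $1: empty or unsafe characters" >&2; return 1 ;;
  esac
}

# Render advanced.config from PROVIDER_ID, CLIENT_ID and CLIENT_SECRET in the environment.
render_advanced_config() {
  check_value PROVIDER_ID "${PROVIDER_ID:-}" &&
    check_value CLIENT_ID "${CLIENT_ID:-}" &&
    check_value CLIENT_SECRET "${CLIENT_SECRET:-}" || return 1
  cat <<EOF
[
  {rabbit, [
    {auth_backends, [rabbit_auth_backend_oauth2, rabbit_auth_backend_internal]}
  ]},
  {rabbitmq_auth_backend_oauth2, [
    {resource_server_id, <<"${CLIENT_ID}">>},
    {extra_scopes_source, <<"roles">>},
    {key_config, [
      {jwks_url, <<"https://login.microsoftonline.com/${PROVIDER_ID}/discovery/v2.0/keys">>}
    ]}
  ]},
  {rabbitmq_management, [
    {oauth_enabled, true},
    {oauth_client_id, "${CLIENT_ID}"},
    {oauth_client_secret, "${CLIENT_SECRET}"},
    {oauth_provider_url, "https://login.microsoftonline.com/${PROVIDER_ID}"}
  ]}
].
EOF
}

# Print a Secret manifest; stringData lets the API server do the base64 encoding.
secret_manifest() {  # $1 = secret name, $2 = namespace
  adv_config=$(render_advanced_config) || return 1
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n' "$1" "$2"
  printf 'type: Opaque\nstringData:\n  advanced.config: |-\n'
  printf '%s\n' "$adv_config" | sed 's/^/    /'
}
# Usage, outside the Git repository that Argo CD syncs:
#   secret_manifest rabbitmq-advanced-config rabbitmq | kubectl apply -f -
# values.yaml then carries only: advancedConfigurationExistingSecret: rabbitmq-advanced-config
```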