Actually I am testing a ConfigMap using a Vault injector, but I got this error:
install.go:214: [debug] Original chart version: ""
install.go:231: [debug] CHART PATH: D:\code\app-chart
Error: parse error at (app-chart/templates/vault-configmap.yaml:29): function "secret" not defined
helm.go:84: [debug] parse error at (app-chart/templates/vault-configmap.yaml:29): function "secret" not defined
This is my ConfigMap, where I configure the secrets I need injected into the pods:
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-configmap
data:
  config.hcl: |-
    "auto_auth" = {
      "method" = {
        "config" = {
          "role" = "approle"
        }
        "type" = "approle"
      }
      "sink" = {
        "config" = {
          "path" = "/home/vault/.token"
        }
        "type" = "file"
      }
    }
    "exit_after_auth" = false
    "pid_file" = "/home/vault/.pid"
    "template" = {
      "contents" = |
        {{- with secret "app-secrets/app-chart" -}}DB_PASSWORD: {{ .Data.DB_PASSWORD }}{{- end }}
      "destination" = "/vault/secrets/db-creds"
    }
    "vault" = {
      "address" = "https://vault-test.com"
      "tls_skip_verify" = true
    }
  config-init.hcl: |
    "auto_auth" = {
      "method" = {
        "config" = {
          "role" = "approle"
        }
        "type" = "approle"
      }
      "sink" = {
        "config" = {
          "path" = "/home/vault/.token"
        }
        "type" = "file"
      }
    }
    "exit_after_auth" = true
    "pid_file" = "/home/vault/.pid"
    "template" = {
      "contents" = |
        {{- with secret "app-secrets/app-chart" -}}DB_PASSWORD: {{ .Data.DB_PASSWORD }}{{- end }}
      "destination" = "/vault/secrets/db-creds"
    }
    "vault" = {
      "address" = "https://vault-test.com"
      "tls_skip_verify" = true
    }
I'm using the Helm base example for this and modifying the annotations in the values.yaml:
app-chart> tree ./ /F
Listado de rutas de carpetas para el volumen Datos
El número de serie del volumen es 0000008F 306D:61EC
D:\CODE\APP-CHART
│   .helmignore
│   Chart.yaml
│   values.yaml
│
└───templates
    │   deployment.yaml
    │   hpa.yaml
    │   ingress.yaml
    │   NOTES.txt
    │   service.yaml
    │   serviceaccount.yaml
    │   vault-configmap.yaml
    │   _helpers.tpl
    │
    └───tests
            test-connection.yaml
Maybe I need to escape the template in the Vault ConfigMap? I have seen the documentation, but I think this is a nice idea to apply to my configuration.
Helm applies the Go text/template engine to all of the files in templates/*.yaml before sending them to the Kubernetes cluster. Anything that looks like a template expression {{ ... }} will be processed by Helm first.
So when the ConfigMap template says

data:
  config.hcl: |-
    ...
    {{- with secret "app-secrets/app-chart" -}}DB_PASSWORD: {{ .Data.DB_PASSWORD }}{{- end }}

first Helm tries to read that. Helm doesn't have a function named secret – secret is part of the consul-template language used by Vault – which leads to the error you have.
This means, within the ConfigMap template, you need to quote or escape the {{ so they get passed through to the output. I tend to write a template expression {{ "{{" }}, which evaluates to the string {{, but there are other syntaxes that work as well. Every time {{ appears and you do not want Helm to process it, you need to do this replacement.
{{ "{{" }}- with secret "app-secrets/app-chart" -}}DB_PASSWORD: {{ "{{" }} .Data.DB_PASSWORD }}{{ "{{" }}- end }}
Since Helm does get a first pass at rewriting the file, you can use normal Helm techniques when constructing it. For example, this DB_PASSWORD stanza appears twice, and matches a general pattern of getting a value out of Vault, so you can write a helper template for it:

{{- define "vault-secret" -}}
{{- "{{" }}- with secret "app-secrets/app-chart" -{{ "}}" -}}
{{ . }}: {{ "{{" }} .Data.{{ . }} {{ "}}" -}}
{{- "{{" }}- end {{ "}}" }}
{{ end }}

data:
  config.hcl: |
    "template" = {
      "contents" = |
{{ include "vault-secret" "DB_PASSWORD" | indent 10 -}}
    }
The helper function has a lot of curly braces (but look for patterns specifically {{ "{{" }}, its counterpart {{ "}}" }}, and {{ . }}, and note that the only newline is at the end of the template). Once you've written it, though, you can just include it from the ConfigMap template the same way you would any other Helm helper.