loop over release with secrets and values.

[jurgenweber]

How can I do something like this?

{{ if .Environment.Values.container_registries }}
{{ range .Environment.Values.container_registries }}
  - name: {{ .name }}
    namespace: devops
    chart: gabibbo97/imagepullsecrets
    <<: *default
    installed: {{ $.Values | get "container_registry.installed" true }}
    set:
      - imagePullSecret.registryURL: {{ .url }}
      - imagePullSecret.secretName: {{ .name }}
      - imagePullSecret.username: {{ .user }}
      - imagePullSecret.password: {{ .pass }}
{{ end }}
{{ end }}

Ideally I would want the password in environments secrets.

[mumoshu]

Hey! I'd suggest trying something like this.

Firstly, choose one of supported vals providers listed in https://github.com/variantdev/vals#suported-backends and store the passwords in it.

Let's say you've chosen HashiCorp Vault and stored passwords like vault kv put secrets/container_registry_passwords NAME=PASS:

{{ if .Environment.Values.container_registries }}
{{ range .Environment.Values.container_registries }}
  - name: {{ .name }}
    namespace: devops
    chart: gabibbo97/imagepullsecrets
    <<: *default
    installed: {{ $.Values | get "container_registry.installed" true }}
    set:
      - imagePullSecret.registryURL: {{ .url }}
      - imagePullSecret.secretName: {{ .name }}
      - imagePullSecret.username: {{ .user }}
    values:
      - imagePullSecret:
          password: ref+vault://secrets#/container_registry_passwords/{{ .name }}
{{ end }}
{{ end }}

[jurgenweber]

ok, I am using helm secrets but I am getting this weird error now:

in ./helmfile.yaml: in .helmfiles[2]: in helmfile/bases.yaml: failed to read releases.yaml.gotmpl: reading document at index 1: yaml: unmarshal errors:
  line 234: field imagePullSecrets.registryURL not found in type state.SetValue
  line 235: field imagePullSecrets.secretName not found in type state.SetValue
  line 236: field imagePullSecrets.username not found in type state.SetValue
  line 237: field imagePullSecrets.password not found in type state.SetValue

I am using; https://hub.helm.sh/charts/gabibbo97/imagepullsecrets/2.0.0

[jurgenweber]

I just realised that one is a user issue. set is

- name: asdf
  value: asdf

[mumoshu]

Also note that you have to use values rather than set to enable vals integration so it should be:

    values:
      - imagePullSecret:
          password: ref+vault://secrets#/container_registry_passwords/{{ .name }}

I've updated my example above

[jurgenweber]

ok, final setup:

{{ if .Values.container_registries }}
{{ range .Values.container_registries }}
  - name: {{ .name }}
    namespace: devops
    chart: gabibbo97/imagepullsecrets
    installed: true
    version: 1.0.2
    <<: *default
    set:
      - name: imagePullSecret.registryURL
        value: {{ .url }}
      - name: imagePullSecret.secretName
        value: {{ .name }}
      - name: imagePullSecret.username
        value: {{ .user }}
    values:
      - imagePullSecret:
          password: ref+sops://../secrets/secrets.yaml#/container_registry_passwords/{{ .name }}
{{ end }}
{{ end }}

the weird part is the release is not showing to be installed by diff or apply .

Comparing release=name, chart=gabibbo97/imagepullsecrets
exec: helm diff upgrade --reset-values --allow-unreleased name gabibbo97/imagepullsecrets --version 1.0.2 --namespace devops --values /var/folders/rl/wdmqph814blbfx66pl1x97yh0000gn/T/values069253993 --set imagePullSecret.registryURL=url --set imagePullSecret.secretName=name --set imagePullSecret.username=username
exec: helm diff upgrade --reset-values --allow-unreleased name gabibbo97/imagepullsecrets --version 1.0.2 --namespace devops --values /var/folders/rl/wdmqph814blbfx66pl1x97yh0000gn/T/values069253993 --set imagePullSecret.registryURL=url --set imagePullSecret.secretName=name --set imagePullSecret.username=username: ********************

	Release was not present in Helm.  Diff will show entire contents as new.

********************

********************

	Release was not present in Helm.  Diff will show entire contents as new.

********************

worker 1/1 finished
changing working directory back to "path"

no diff and it doesn't get installed

[mumoshu]

Perhaps something is going wrong in helm-diff..?

Could you kindly verify that the vanilla helm diff --reset-values --allow-unreleased name gabibbo97/imagepullsecrets --version 1.0.2 --namespace devops --values some.values.yaml  does detect changes?

[mumoshu]

Maybe a bug in helm 3 + helm-diff?

[jurgenweber]

no, its a problem with the chart.

I downloaded it:

$ cat templates/imagepullsecrets.yaml
{{- if .Values.imagePullSecrets }}
{{- range $i, $pullSecret := .Values.imagePullSecrets }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ $pullSecret.secretName }}
{{- if $pullSecret.annotations }}
  annotations:
{{ toYaml $pullSecret.annotations | indent 4 }}
{{- end }}
{{- if $pullSecret.labels }}
  labels:
{{ toYaml $pullSecret.labels | indent 4 }}
{{- end }}
data:
{{- if $.Values.addAuthField }}
  .dockerconfigjson: {{ include "imagepullsecrets.dockerconfigjson-with-auth" $pullSecret | nospace | b64enc | quote }}
{{- else }}
  .dockerconfigjson: {{ include "imagepullsecrets.dockerconfigjson" $pullSecret | nospace | b64enc | quote }}
{{- end }}
type: kubernetes.io/dockerconfigjson
{{- end }}
{{- end }}

firstly, I have imagePullSecrets vs imagePullSecret

and now I have

  Error: template: imagepullsecrets/templates/imagepullsecrets.yaml:7:22: executing "imagepullsecrets/templates/imagepullsecrets.yaml" at <$pullSecret.secretName>: can't evaluate field secretName in type interface {}

[mumoshu]

@jurgenweber Wow, isn't this a regression in Helm v3? I thought Helm v3 is intended to not break charts with only a few exceptions

[jurgenweber]

/me shrugs.

no idea, didn't use this in helm2. :)

Even running it manually:

$ helm diff upgrade --reset-values --allow-unreleased name gabibbo97/imagepullsecrets --version 1.0.2 --namespace devops --set imagePullSecrets.registryURL=url --set imagePullSecrets.secretName=name --set imagePullSecrets.username=username
********************

	Release was not present in Helm.  Diff will show entire contents as new.

********************
Error: Failed to render chart: exit status 1: coalesce.go:165: warning: skipped value for imagePullSecrets: Not a table.
Error: template: imagepullsecrets/templates/imagepullsecrets.yaml:7:22: executing "imagepullsecrets/templates/imagepullsecrets.yaml" at <$pullSecret.secretName>: can't evaluate field secretName in type interface {}

Error: plugin "diff" exited with error

and trying to install:

$ helm upgrade --install --reset-values name gabibbo97/imagepullsecrets --version 1.0.2 --namespace devops --set imagePullSecrets.registryURL=url --set imagePullSecrets.secretName=name --set imagePullSecrets.username=username
Release "name" does not exist. Installing it now.
coalesce.go:165: warning: skipped value for imagePullSecrets: Not a table.
Error: template: imagepullsecrets/templates/imagepullsecrets.yaml:7:22: executing "imagepullsecrets/templates/imagepullsecrets.yaml" at <$pullSecret.secretName>: can't evaluate field secretName in type interface {}

should I raise a ticket with helm?

[jurgenweber]

No, user issue again! :) lol. I got it working:

{{ if .Values.container_registries }}
{{ range .Values.container_registries }}
  - name: {{ .name }}
    namespace: devops
    chart: gabibbo97/imagepullsecrets
    installed: true
    version: 1.0.2
    <<: *default
    values:
      - imagePullSecrets:
          - password: ref+sops://../secrets/{{ env "HELMFILE_CLUSTER" | default "local" }}.yaml#/container_registry_passwords/{{ .name }}
            secretName: {{ .name }}
            username: {{ .user }}
            registryURL: {{ .url }}
{{ end }}
{{ end }}

v2.0.0 is broken, too many {{end}} at the end of hte template but the different between the v1 and v2 is the array/list.

I would like to add this loop to the tips and trickets ticket if you are keen? This loop and password reference is cool.

[mumoshu]

Glad to see it worked 🎉

Error: Failed to render chart: exit status 1: coalesce.go:165: warning: skipped value for imagePullSecrets: Not a table.

Ah interesting. So this might be an issue in the chart, that imagePullSecrets isn't set to {} that makes --set imagePullSecrets.whatever failing like this...?

I would like to add this loop to the tips and trickets ticket if you are keen?

That would be great!

[jurgenweber]

I have a new variant I am trying to get working, I am using this in the values.yaml.gotmpl for a incubator/raw release.

{{ if .Environment.Values.mysql }}
{{ range $i, $instance := .Values.mysql.instances }}
  - apiVersion: v1
    kind: Service
    metadata:
      name: database-{{ $i }}
      namespace: shared
    spec:
      type: ExternalName
      externalName: {{ $instance.externalName }}

  - apiVersion: v1
    kind: Secret
    metadata:
      name: database-{{ $i }}
      namespace: shared
      labels:
        app.kubernetes.io/name: database
        app.kubernetes.io/instance: database
    data:
      root_user: {{ $.Values.mysql.instance.(index $instance "externalName").root.user | b64enc }}
      root_pass: {{ $.Values.mysql.instance.(index $instance "externalName").root.pass | b64enc }}

  - apiVersion: v1
    kind: Secret
    metadata:
      name: database-{{ $i }}
      namespace: tenant
      labels:
        app.kubernetes.io/name: database
        app.kubernetes.io/instance: database
    data:
      tenant_user: {{ $.Values.mysql.instance.(index $instance "externalName").tenant.user | b64enc }}
      tenant_pass: {{ $.Values.mysql.instance.(index $instance "externalName").tenant.pass | b64enc }}
{{ end }}
{{ end }}

I am unable to build the path to the user/path secret using the externalName as a key, thoughts?

[mumoshu]

I thought it might be index "externalName" $instance. Could you try?

[jurgenweber]

yeah, I found a solution:

{{ with (index $Values.mysql.instance "externalName") }}{{ .root.pass | b64enc }}{{ end }}