helmfile: function fetchSecretValue fails if cannot find secret

Operating system

MacOS

Helmfile Version

v0.145.3

Helm Version

v3.10.0

Bug description

Previously I stored secrets in a sops-encrypted file and used the get function for accessing these secrets. I have quite a lot of environments, and not all secrets exist in every env.

The get function can take a default value, as described here: https://github.com/helmfile/helmfile/blob/main/docs/writing-helmfile.md https://github.com/roboll/helmfile/pull/1268/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R535

So this configuration works perfectly when no auth_token exists in the env and sets auth_token to "" (empty default value):

auth_token: "{{ .Values | get "auth_token" "" }}"

But after migration I cannot use fetchSecretValue with the same behaviour.

This code will fail if there is no auth_token in Google Secret Manager or no versions; the function fails:

auth_token: "{{ .Values | fetchSecretValue "auth_token" }}"

This code will fail because the fetchSecretValue function cannot set a default value if it cannot fetch the secret:

auth_token: "{{ .Values | fetchSecretValue "auth_token" "" }}"

So it would be nice to fix these 2 issues with fetchSecretValue.

Example helmfile.yaml

above

Error message you’ve seen (if any)

err 34: failed processing release xxx: failed to render values files "values.yaml.gotmpl": failed to render [values.yaml.gotmpl], because of template: stringTemplate:1773:16: executing "stringTemplate" at <fetchSecretValue>: wrong number of args for fetchSecretValue: want 1 got 2

err 34: failed processing release xxx: failed to render values files "values.yaml.gotmpl": failed to render [values.yaml.gotmpl], because of template: stringTemplate:114:42: executing "stringTemplate" at <.Values.auth_token>: map has no entry for key "auth_token"

Steps to reproduce

above

Working Helmfile Version

none

Relevant discussion

No response

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 24 (13 by maintainers)

Most upvoted comments

There is an even easier way; I'm also doing that with the echo and the Azure KeyVault backends:

environments:
  local:
    values:
      - vault: ref+echo:/  ## it is important to just have one '/' here!
  dev:
    values:
      - vault: ref+azurekeyvault://my-keyvault.vault.azure.net  ## may not have trailing '/'!

releases:
- name: myapp
  chart: mychart
  values:
  - foo: {{ .Values.vault }}/my-secret ## note: azure keyvault has no hierarchies

😃

Gotcha! I believe you can do that today. Try vals' echo provider. You write your helmfile.yaml like the below so you can programmatically change which backend to use. For testing purposes, specify echo. For deployment, specify e.g. vault or whatever you use.

environments:
# ... your environments here

# --- is always important
---

{{ $secretBackend := .Values.secretBackend }}

releases:
- name: myapp
  chart: mychart
  values:
  - foo: {{ fetchSecretValue (printf "ref+%s://path/to/your/secret" $secretBackend) }}  # builds ref+<backend>://<path>

@yxxhero I think you can't chain it with default because it returns an error when the secret is not found. And we have a similar function that works on .Values that is named get, which takes the default value as the second parameter. Maybe just add the optional second parameter, similar to the get function, so that they are consistent?
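As an added illustration (not helmfile's or vals' own code) of the two ideas in this thread, the optional-default signature proposed in the last comment and the echo-backend trick from the earlier comments, the Go program below builds a text/template with a fetchSecretValue function that accepts one or two arguments. The Backend interface, the memBackend type, the ref+mem:// scheme and the secret names are assumptions constructed for the example. The security-relevant detail is in funcMap: the default is applied only when the backend reports not-found, so a malformed ref, an unsupported backend or (in a real store) an auth or network failure still aborts the render instead of silently deploying an empty token.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strings"
	"text/template"
)

// ErrSecretNotFound models the backend saying "no such secret" or "no
// versions", which is the only failure a default is allowed to paper over.
var ErrSecretNotFound = errors.New("secret not found")

// Backend is the minimal contract the template function needs. It is an
// assumption for this example, not helmfile's or vals' real interface.
type Backend interface {
	Fetch(ref string) (string, error)
}

// memBackend is a constructed stand-in for a real store. It understands two
// vals-style schemes: ref+echo://x returns x unchanged (the trick used in the
// comments to test without a real store), and ref+mem://key looks key up in
// the map, failing with ErrSecretNotFound when it is absent.
type memBackend map[string]string

func (m memBackend) Fetch(ref string) (string, error) {
	scheme, path, ok := strings.Cut(ref, "://")
	if !ok {
		return "", fmt.Errorf("malformed ref %q: want ref+<backend>://<path>", ref)
	}
	switch scheme {
	case "ref+echo":
		return path, nil
	case "ref+mem":
		if v, found := m[path]; found {
			return v, nil
		}
		return "", fmt.Errorf("%s: %w", ref, ErrSecretNotFound)
	default:
		return "", fmt.Errorf("%s: unsupported backend", ref)
	}
}

// funcMap wires fetchSecretValue with the optional second parameter the last
// comment proposes, mirroring the get function: one argument means "fail if
// missing", two arguments mean "use this default if missing". Any error other
// than not-found still aborts the render, so a default never turns a
// misconfigured or unreachable store into an empty secret.
func funcMap(b Backend) template.FuncMap {
	return template.FuncMap{
		"fetchSecretValue": func(ref string, dflt ...string) (string, error) {
			if len(dflt) > 1 {
				return "", fmt.Errorf("fetchSecretValue: want 1 or 2 args, got %d", 1+len(dflt))
			}
			v, err := b.Fetch(ref)
			switch {
			case err == nil:
				return v, nil
			case errors.Is(err, ErrSecretNotFound) && len(dflt) == 1:
				return dflt[0], nil
			default:
				return "", err
			}
		},
	}
}

// Render executes a values.yaml.gotmpl-style snippet against the backend.
func Render(src string, b Backend) (string, error) {
	t, err := template.New("values.yaml.gotmpl").Funcs(funcMap(b)).Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, nil); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed store: db_password exists, auth_token deliberately does not.
	store := memBackend{"db_password": "hunter2"}
	for _, src := range []string{
		`auth_token: "{{ fetchSecretValue "ref+mem://auth_token" }}"`,      // error: not found
		`auth_token: "{{ fetchSecretValue "ref+mem://auth_token" "" }}"`,   // renders ""
		`db_password: "{{ fetchSecretValue "ref+mem://db_password" "" }}"`, // renders hunter2
		`foo: {{ fetchSecretValue "ref+echo://my-secret" }}`,               // echo backend for local testing
	} {
		out, err := Render(src, store)
		fmt.Printf("%-70s -> %q err=%v\n", src, out, err)
	}
}
```

Running it prints one line per snippet: the first aborts with a not-found error exactly as the issue describes, the second renders an empty string because the default was supplied, and the echo line shows how the same template can be exercised with no real secret store behind it.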