19913d85-f662-4518-a9a1-7adc1793dfd4.png){kind=small}
Channels
#deployment-kubernetes
Title
# deployment-kubernetes
s
szalai1
03/18/2021, 7:42 AMHey, I would like to commit my helm values files to git, but I'm not feeling comfortable to commit passwords.
Is it possible to turn off secret generation for helm generated secret files like
postgresql-passwordn
Noah K
03/18/2021, 8:09 AMI'm not sure I see any generation?
I populates the secret if a value is present but that's it
s
szalai1
03/18/2021, 8:18 AMIf I remove the password it still generates a secret config regardless (using the default secret
testn
Noah K
03/18/2021, 8:27 AMSure, I guess I'm not sure what you're asking for
Helm doesn't really offer a way around having secrets in the clear in your values. Best bet is the helm-secrets plugin and encrypting them before committing (usually leave the bulk of it in plain and have just the secret values in their own encrypted file)
s
szalai1
03/18/2021, 8:44 AMThat's fine, what I want is the ability to exclude the generated secret or override it.
n
Noah K
03/18/2021, 8:46 AMThe chart does not support that directly. You can override it with an output filter though
s
szalai1
03/18/2021, 8:48 AMthanks this is exactly what I'm thinking about using kustomize to post process the manifest
thanks a lot for helping 👍
n
Noah K
03/18/2021, 8:48 AM👍 Just beware that Kustomize mostly can't knock out whole objects.
Which can be annoying if you want to use SealedSecrets or similar
s
szalai1
03/18/2021, 8:50 AMI just need to add an annotation that the secret is managed by kubeseal
so the sealedsecret can overwrite it
n
Noah K
03/18/2021, 8:50 AMIf you're using Helm manually, yes. If you're using something like Argo or Flux you can get cranky sync behavior 🙂
(with argo you can set a Skip annotation on the secret)
s
szalai1
03/18/2021, 8:51 AMI'm using argo. Found this as well: https://dev.to/camptocamp-ops/use-kustomize-to-post-render-helm-charts-in-argocd-2ml6
n
Noah K
03/18/2021, 8:53 AMOkay so what you probably want instead is
<http://argocd.argoproj.io/hook|argocd.argoproj.io/hook>: SkipThat makes Argo pretend the object is always in sync and ignore it 🙂
s
szalai1
03/18/2021, 8:55 AMbut I still need kustomize to put on the secret, right?
n
Noah K
03/18/2021, 8:55 AMYeah, I mean you need some kind of post render filter and kustomize is probably the easiest 🙂
👌 1
If you want to write a "sed command from hell", more power to ya 😉
s
szalai1
03/18/2021, 8:58 AMtempting, but I already spent too much time on this 😄
n
Noah K
03/18/2021, 9:00 AMPiecing together a good secrets workflow is definitely one of my least favorite parts of k8s
Not sure I would even call sealed-secrets "good" but it's what we have, so it goes.
s
szalai1
03/18/2021, 9:17 AMsame here, sealed secrets make it work, but if you want to change it something....
m
Matyas Tamas
03/18/2021, 1:21 PMthe "sed command from hell" solution isn't actually that bad if you use
envsubstsource ./.env && helm upgrade --install dagster-release dagster/dagster -f <(envsubst < values.yaml)👌 1
values.yaml just has env variables in it for substitution - e.g.:
postgresqlPassword: "${DAGSTER_PG_PASSWORD}"s
szalai1
03/18/2021, 2:03 PMthanks for sharing
w
William Sheu
03/18/2021, 6:00 PMi also ran into this; I ended up just forking the helm chart and making some changes to allow passing in an independent secret for postgres: https://github.com/PenguinToast/dagster/commit/c99d2f34c15aa7fec29d25e7294a8fa5d9699365
👌 1
but never got around to making a proper PR for this change
r
rex
03/18/2021, 9:47 PMah nice @William Sheu - made a similar change with the introduction of
.Values.global.postgresSecretNamejust need to add a toggle to disable generating the secret in our helm chart
👍 1
w
William Sheu
03/25/2021, 5:45 AM@rex made a pull request here: https://github.com/dagster-io/dagster/pull/3941 -- wasn't sure where to put the toggle value; didn't really make sense in either
globalpostgresql3 Views