We are working with the helm charts for our product and we need to find out how to hide the passwords or secrets in helm charts. Can anyone help us with this?
Using the 'tpl' Function The tpl function allows developers to evaluate strings as templates inside a template. This is useful to pass a template string as a value to a chart or render external configuration files.
The list above is in order of specificity: values. yaml is the default, which can be overridden by a parent chart's values. yaml , which can in turn be overridden by a user-supplied values file, which can in turn be overridden by --set parameters. Values files are plain YAML files.
I think what you need to do is to create a secret outside Helm command, like:
kubectl create secret generic my-secret --from-literal=password=Y4nys7f11
And then use this secret name in values.yaml and pass it into templates/*. I think there is no better integrated Helm way.
You can see an example here.
Kubernetes secret is anyway just a base64 secret even if you create it using generic tag, they show as opaque but for production they are still a liability.
Where is your kubernetes cluster hosted? Is it managed or a baremetal cluster? Do you want a cloud agnostic solution, because kubernetes is cloud agnostic. If not you can go with key-vault provided by various cloud vendors. But again if that key is lost you are risking all the flow to get hampered.
What you can do is as you are already using helm, you can install the helm-vault plugin for helm. You can refer a descriptive blog and a readme that I will paste right below. A Blog for better understanding and the Github Project Readme for implementation.
However you will be need a vault cluster as a prerequisite. Also if you can back it by a consul instance that would be pretty great. But that's what will ensure a production requirement.
And if you are just trying out, creating a secret at runtime and loading in to your helm deployment is a job of few minutes. Speaking of which you can also use kubernetes cron jobs to refresh your secrets.
Update: Because you are on EKS an easier way to do it without vault/consul is via AWS Key Vault service but again it would have its own pros/cons. This can be implemented by another helm plugin developed at Zendesk, Helm Secrets.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With