
Keeping Vault secrets encrypted in helmfile diff & apply #1210

Open
ghost opened this issue Apr 16, 2020 · 6 comments

@ghost

ghost commented Apr 16, 2020

We are using the HashiCorp Vault integration ( #906 ) with success, however the passwords are shown in clear text in the helmfile diff & helmfile apply outputs.

mypassword: 'ref+vault://secret/data/foo?proto=http#/mykey'

+ my_password: ismyclearpassword

Is there any way to instead show what has been set in helmfile's values or show a dummy value?
Ex:
+ my_password: ref+vault://secret/data/foo?proto=http#/mykey
Or:
+ my_password: ***HIDDEN***

Thanks.

@zam-zam

zam-zam commented Apr 16, 2020

Hey

"helmfile diff" shows differences for Kubernetes entities and uses the "helm-diff" plugin. By default this plugin hides all values in the "data" section of Kubernetes kind "Secret".
You can template a Secret with your secret value:

apiVersion: v1
kind: Secret
metadata:
  name: cm-config
type: Opaque
data:
  mypassword: {{ .Values.mypassword | b64enc | quote }}

and then reference it in your environment value like this:

- name: DB_PASSWORD
  valueFrom:
    secretKeyRef:
      name: cm-config
      key: mypassword

Therefore you will see something like this in your diff output (your secret values are being replaced by '+++++++'):

 + # Source: app/templates/cm-config.yaml
 + apiVersion: v1
 + kind: Secret
 + metadata:
 +   name: cm-config
 + data:
 +   password: '++++++++ # (24 bytes)'
 + type: Opaque

@mumoshu
Collaborator

mumoshu commented Apr 16, 2020

@Tlzps Hey! As @zam-zam has explained kindly, it doesn't happen when you limit your secret refs to be only placed as Secret resources' data.

Where are you putting your secret ref on?

@ghost
Author

ghost commented Apr 16, 2020

@zam-zam Thank you very much for all these details. I am new to Kube and didn't experiment with Secrets yet.

@mumoshu, I was just testing the Vault integration so I created a Value key in the env file associated with the environment that I specified in `helmfile -e myenv`, which was then shown in a ConfigMap.

@mumoshu
Collaborator

mumoshu commented Apr 16, 2020

@Tlzps Yeah that's expected. I believe no K8s-related tool treats a ConfigMap as if it might contain credentials. ConfigMap isn't encrypted at rest before being persisted in etcd.

@mumoshu
Collaborator

mumoshu commented Apr 16, 2020

So use Secret instead of ConfigMap.
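A pre-apply check for the failure mode zam-zam and mumoshu describe (a `ref+` value rendered into a ConfigMap, where helm-diff will not mask it). This is an added example, not code from helmfile, helm-diff or this thread; the values file, the template text and the `ref+`-prefix detection are constructed assumptions.

```python
import re

# Constructed sample: helmfile environment values using vals-style secret refs.
ENV_VALUES = """\
mypassword: 'ref+vault://secret/data/foo?proto=http#/mykey'
db_user: app
apiToken: "ref+vault://secret/data/api#/token"
"""

# Constructed sample: a ConfigMap template and a Secret template from one chart.
TEMPLATES = {
    "templates/cm-config.yaml": """\
apiVersion: v1
kind: ConfigMap
data:
  DB_USER: {{ .Values.db_user | quote }}
  DB_PASSWORD: {{ .Values.mypassword | quote }}
""",
    "templates/secret.yaml": """\
apiVersion: v1
kind: Secret
type: Opaque
data:
  token: {{ .Values.apiToken | b64enc | quote }}
""",
}

REF_LINE = re.compile(r"^\s*([\w.-]+):\s*['\"]?(ref\+[^\s'\"]+)", re.MULTILINE)
KIND_LINE = re.compile(r"^kind:\s*(\S+)", re.MULTILINE)


def secret_ref_keys(values_text):
    """Top-level value keys whose value is a ref+ secret reference."""
    return {m.group(1) for m in REF_LINE.finditer(values_text)}


def find_leaks(values_text, templates):
    """Return (template, kind, key) for each secret ref used outside a Secret.
    helm-diff masks only Secret data, so any other kind prints it in clear text."""
    keys = secret_ref_keys(values_text)
    leaks = []
    for path, text in templates.items():
        for doc in text.split("\n---"):  # a template file may hold several docs
            kind_match = KIND_LINE.search(doc)
            kind = kind_match.group(1) if kind_match else "?"
            if kind == "Secret":
                continue
            for key in sorted(keys):
                if re.search(r"\.Values\." + re.escape(key) + r"\b", doc):
                    leaks.append((path, kind, key))
    return leaks
```

Run it in CI before `helmfile diff` or `helmfile apply`: a non-empty result means that value will be printed unmasked.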

@AlexZhenWang

Yeah, as @mumoshu said, using secret and adding --suppress-secrets worked for me
