Comments (6)
I think maybe a better way to resolve this would be to avoid decrypting secrets files to a decrypted file at all; it would probably be better to simply capture the stdout of `helm secrets view`, than to run `helm secrets dec`, work out the path to the decrypted file, read it, and then delete it manually.
Using `helm secrets view` instead of `helm secrets dec` would also have the advantage of allowing `helmfile` to correctly handle sops-encrypted files stored in a read-only filesystem.
from helmfile.
@IkePCampbell Still waiting on review for PR #201, once that's merged this should be addressed AFAIK.
from helmfile.
A workaround for this issue is to use a suffix other than `.yaml` on your secrets file. We renamed our secrets files from `.yaml` to `.yml` and it works fine, albeit looking very silly.
from helmfile.
I think something like this would do it, though I haven't tested it yet:
diff --git a/pkg/helmexec/exec.go b/pkg/helmexec/exec.go
index dc1668c..ca52d05 100644
--- a/pkg/helmexec/exec.go
+++ b/pkg/helmexec/exec.go
@@ -281,38 +281,14 @@ func (helm *execer) DecryptSecret(context HelmContext, name string, flags ...str
helm.logger.Infof("Decrypting secret %v", absPath)
preArgs := context.GetTillerlessArgs(helm)
env := context.getTillerlessEnv()
- out, err := helm.exec(append(append(preArgs, "secrets", "dec", absPath), flags...), env)
- helm.info(out)
+ secretBytes, err := helm.exec(append(append(preArgs, "secrets", "view", absPath), flags...), env)
if err != nil {
secret.err = err
return "", err
}
- // HELM_SECRETS_DEC_SUFFIX is used by the helm-secrets plugin to define the output file
- decSuffix := os.Getenv("HELM_SECRETS_DEC_SUFFIX")
- if len(decSuffix) == 0 {
- decSuffix = ".yaml.dec"
- }
-
- // helm secrets replaces the extension with its suffix ONLY when the extension is ".yaml"
- var decFilename string
- if strings.HasSuffix(absPath, ".yaml") {
- decFilename = strings.Replace(absPath, ".yaml", decSuffix, 1)
- } else {
- decFilename = absPath + decSuffix
- }
-
- secretBytes, err := os.ReadFile(decFilename)
- if err != nil {
- secret.err = err
- return "", err
- }
secret.bytes = secretBytes
- if err := os.Remove(decFilename); err != nil {
- return "", err
- }
-
} else {
// Cache hit
helm.logger.Debugf("Found secret in cache %v", absPath)
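Review bot: On the added `secretBytes, err := helm.exec(...)` line, whatever `helm.exec` returns is now stored directly as `secret.bytes`, so the decrypted values are only correct if that return value is the plugin's stdout alone; any warning or stderr text mixed into it would end up in the secret content. It is worth confirming that, and that `helm.exec` does not log its output itself, since that output is now plaintext (dropping `helm.info(out)` is needed for the same reason). The hunk also removes the only visible uses of `os.Getenv`, `os.ReadFile`, `os.Remove`, `strings.HasSuffix` and `strings.Replace`; if nothing else in exec.go uses `os` or `strings`, those imports have to be removed too or the build will fail. Since the change is described as untested, a test that decrypts a secrets file whose name ends in `.yaml` and one that does not would cover the case the removed suffix logic handled.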
from helmfile.
@philomory Can you create a PR? Review it together. Thanks very much.
from helmfile.
Sadly glad we aren't the only ones affected by this, any update?
from helmfile.