kuberneteskubernetes-helmtruststorekubernetes-secrets

How to read .jks file into Kubernetes secret?


I have created a secret.yaml file as follows:

apiVersion: v1
kind: Secret
metadata:
  name: my-secret
data:
  truststore.jks: {{ (.Files.Glob "../trust.jks").AsSecrets | b64enc }}

I am calling this as part of template .yaml file in HELM.

.yaml

apiVersion: v1
kind: DeploymentConfig
spec:
...
template:
  spec:
  ...
  container:
   - name: "my-container"
     ...
     volumeMounts:
        - name: secrets
          mountPath: /mnt/secrets
          readOnly: true

 volumes:
    - name: secrets
      secret:
        secretName: "my-secret"

When I run helm install command the pod gets created successfully, and the volume is also mounted, but if I check the truststore.jks in /mnt/secrets using cat command below is the output:

cat /mnt/secrets/truststore.jks
{}

I ran the dry run command to check the generated .yaml file, the secret is populted as below:

# Source: ag-saas/templates/tsSecret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
data:
  truststore.jks: e30=

How do I get the file into my secret?


Solution

  • There's a couple of things going on here:

    So your Secret should look like

    apiVersion: v1
    kind: Secret
    metadata:
      name: my-secret
    data:
      truststore.jks: {{ .Files.Get "trust.jks" | b64enc }}
    

    where in the last line I've used .Files.Get, I've not tried to refer to a "../..." path outside the chart, and I don't render it to ...AsSecret.

    You also will need to move or copy (not symlink) the keyset file into the chart directory for this to work.

    (In the current form, .Files.Glob won't match anything outside the chart directory, so you get an empty list of files. Then rendering that to .AsSecrets gets you an empty JSON object. You're using that string {} as the secret value, which gets correctly base64-encoded, but that's why {} comes out at the end.)