I have created a secret.yaml file as follows:
    apiVersion: v1
    kind: Secret
    metadata:
      name: my-secret
    data:
      truststore.jks: {{ (.Files.Glob "../trust.jks").AsSecrets | b64enc }}
I am calling this as part of template .yaml file in HELM.
.yaml
    apiVersion: v1
    kind: DeploymentConfig
    spec:
      ...
      template:
        spec:
          ...
          containers:
            - name: "my-container"
              ...
              volumeMounts:
                - name: secrets
                  mountPath: /mnt/secrets
                  readOnly: true
          volumes:
            - name: secrets
              secret:
                secretName: "my-secret"
When I run the helm install command, the pod gets created successfully and the volume is also mounted, but if I check the truststore.jks in /mnt/secrets using the cat command, below is the output:

    cat /mnt/secrets/truststore.jks
    {}
I ran the dry run command to check the generated .yaml file; the secret is populated as below:

    # Source: ag-saas/templates/tsSecret.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: my-secret
    data:
      truststore.jks: e30=
How do I get the file into my secret?
There's a couple of things going on here:

- .Files.Glob is intended to retrieve multiple files, e.g. .Files.Glob "credentials/*.jks". For a single file .Files.Get will retrieve its contents directly.
- .Files.Get "../trust.jks" won't work.
- .Files.Glob.AsSecrets renders a list of files to the entire contents of the data: block; you just directly need the file content.

So your Secret should look like
    apiVersion: v1
    kind: Secret
    metadata:
      name: my-secret
    data:
      truststore.jks: {{ .Files.Get "trust.jks" | b64enc }}
where in the last line I've used .Files.Get, I've not tried to refer to a "../..." path outside the chart, and I don't render it to ...AsSecrets.
You also will need to move or copy (not symlink) the keyset file into the chart directory for this to work.
(In the current form, .Files.Glob won't match anything outside the chart directory, so you get an empty list of files. Then rendering that to .AsSecrets gets you an empty JSON object. You're using that string {} as the secret value, which gets correctly base64-encoded, but that's why {} comes out at the end.)
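
An added example, not part of the original answer: a Python check to run over dry-run output that decodes each .jks entry in a Secret's data: block and flags values that decode to an empty string or {} (the e30= case above) or that do not begin with the JKS magic bytes FEEDFEED. The function names, the good.jks key and its value are constructed for illustration.

```python
import base64
import re

JKS_MAGIC = bytes.fromhex("feedfeed")  # first four bytes of a JKS keystore

# Constructed sample: the dry-run output from the question, plus a second
# key holding a constructed value that starts with the JKS magic number.
RENDERED = """\
# Source: ag-saas/templates/tsSecret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-secret
data:
  truststore.jks: e30=
  good.jks: /u3+7QAAAAIAAAAA
"""

def secret_data(manifest):
    """Return {key: decoded bytes} for the data: block of one Secret manifest."""
    out, in_data = {}, False
    for line in manifest.splitlines():
        if re.match(r"^data:\s*$", line):
            in_data = True
        elif in_data and (m := re.match(r"^\s+([^\s:]+):\s*(\S*)\s*$", line)):
            out[m.group(1)] = base64.b64decode(m.group(2), validate=True)
        elif line and not line[0].isspace():
            in_data = False  # a new top-level key ends the data: block
    return out

def check_keystores(manifest):
    """Return {key: problem} for .jks entries that cannot be a real keystore."""
    problems = {}
    for key, raw in secret_data(manifest).items():
        if not key.endswith(".jks"):
            continue
        if raw in (b"", b"{}"):
            problems[key] = "empty render (%r): no file content was read" % raw
        elif not raw.startswith(JKS_MAGIC):
            problems[key] = "does not start with JKS magic FEEDFEED"
    return problems

if __name__ == "__main__":
    for key, why in check_keystores(RENDERED).items():
        print(f"{key}: {why}")
```
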