kubernetes-helm, hashicorp-vault, sidecar

How to use values in Vault annotation content in Helm Chart


Vault is integrated with a K8s cluster as a sidecar, and this cluster is deployed using a Helm chart. Below is the code that is part of the Helm chart:

 vault.hashicorp.com/agent-inject-template-dbsecret: |
                    {{`{{- with secret "path" -}}
                    export USER="{{ .Data.data.user }}"
                    export PASSWORD="{{ .Data.data.password }}"
                    {{- end }}`}}

Now it is required to use the same Helm chart for different environments, and the path can be different per environment, so I am planning to store it in the values file and use it here.

I tried with {{ .Values.secretPath }}, but the value is not getting populated.

 vault.hashicorp.com/agent-inject-template-dbsecret: |
                    {{`{{- with secret "{{ .Values.secretPath }}" -}}
                    export USER="{{ .Data.data.user }}"
                    export PASSWORD="{{ .Data.data.password }}"
                    {{- end }}`}}

I would like to know how I can keep this path value dynamic and pass it from the values file so the same chart can be used in different environments.

Thanks in advance.


Solution

  • Here's what's going on with the template: that annotation's value is itself a Go text/template template – Vault is using the same underlying templating engine as Helm – and so wrapping the template text in curly braces and backticks causes the template text itself to be written out.

    # looks up "some" in `.`, then looks up "expression" in that
    {{ .some.expression }}
    
    # the string "{{ .some.string }}"
    {{`{{ .some.string }}`}}
    

    There are other syntaxes to include double curly braces in the output, beyond quoting the entire string, for example

    # also outputs "{{ .some.string }}"
    {{ "{{" }} .some.string }}
    

    which starts with a template expression outputting a double open curly brace, and then the rest is text.

    That means you can combine this with other template expressions; for example

    # also outputs "{{ .some.string }}"
    {{ $variable := ".some.string" -}}
    {{ "{{" }} {{ $variable }} }}
    

    Similar but longer and possibly easier to read,

    # also outputs "{{ .some.string }}"
    {{ $open := "{{" -}}
    {{ $variable := ".some.string" -}}
    {{ $close := "}}" -}}
    {{ $open }} {{ $variable }} {{ $close }}
    

    You can combine this technique with your original template to include double curly braces in the output, but use a Helm template expression to reference the Helm .Values structure.

    vault.hashicorp.com/agent-inject-template-dbsecret: |
                        {{ "{{" }}- with secret "{{ .Values.secretPath }}" -}}
                        export USER="{{ "{{" }} .Data.data.user }}"
                        export PASSWORD="{{ "{{" }} .Data.data.password }}"
                        {{ "{{" }}- end }}
    

    This form converts every {{ expected in the output to {{ "{{" }}, and then leaves the Helm-level expression {{ .Values.secretPath }} as-is.
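The two rendering passes described in the answer, as an added example that is not part of the original answer: the chart text is rendered once with Helm-style values and the result is then rendered again as the Vault Agent template. It uses Go's `text/template` directly in place of Helm and Vault Agent; the `secret` function is a stub returning constructed data, and the path `secret/data/dev/db` and the helper names are assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Annotation value from the answer, exactly as written in the chart (Helm stage input).
const chartTmpl = `{{ "{{" }}- with secret "{{ .Values.secretPath }}" -}}
export USER="{{ "{{" }} .Data.data.user }}"
export PASSWORD="{{ "{{" }} .Data.data.password }}"
{{ "{{" }}- end }}`

// render parses and executes one template stage with plain text/template.
func render(name, text string, funcs template.FuncMap, data interface{}) (string, error) {
	t, err := template.New(name).Funcs(funcs).Parse(text)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, data)
	return buf.String(), err
}

// helmStage stands in for Helm: only .Values.secretPath is resolved here.
func helmStage(secretPath string) (string, error) {
	return render("helm", chartTmpl, nil, map[string]interface{}{"Values": map[string]interface{}{"secretPath": secretPath}})
}

// agentStage stands in for Vault Agent; "secret" is a stub returning constructed KV v2-shaped data.
func agentStage(agentTmpl string) (string, error) {
	secret := func(path string) map[string]interface{} {
		kv := map[string]interface{}{"user": "app@" + path, "password": "constructed-pw"}
		return map[string]interface{}{"Data": map[string]interface{}{"data": kv}}
	}
	return render("agent", agentTmpl, template.FuncMap{"secret": secret}, nil)
}

func main() {
	annotation, err := helmStage("secret/data/dev/db") // constructed sample path
	if err != nil {
		panic(err)
	}
	rendered, err := agentStage(annotation)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s\n---\n%s\n", annotation, rendered)
}
```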