How to reference kubernetes secrets in helm chart?

Tians picture Tians · Oct 18, 2019 · Viewed 19k times · Source

I want to make some deployments in kubernetes using helm charts. Here is a sample override-values yaml that I use:

imageRepository: ""

ocbb:
    imagePullPolicy: IfNotPresent
    TZ: UTC
    logDir: /oms_logs
    tnsAdmin: /oms/ora_k8
    LOG_LEVEL: 3
    wallet:
        client: 
        server: 
        root:
    db:
        deployment:
            imageName: init_db
            imageTag:
        host: 192.168.88.80
        port:
        service:
        alias:
        schemauser: pincloud
        schemapass:
        schematablespace: pincloud
        indextablespace: pincloudx
        nls_lang: AMERICAN_AMERICA.AL32UTF8
        charset: AL32UTF8
        pipelineschemauser: ifwcloud
        pipelineschemapass:
        pipelineschematablespace: ifwcloud
        pipelineindextablespace: ifwcloudx
        pipelinealias:
        queuename:

In this file I have to set some values involving credentials, for example schemapass, pipelineschemapass... Documentation states I have to generate kubernetes secrets to do this and add this key to my yaml file with the same path hierarchy.

I generated some kubernetes secrets, for example:

kubectl create secret generic schemapass --from-literal=password='pincloud'

Now I don't know how to reference this newly generated secret in my yaml file. Any tip about how to set schemapass field in yaml chart to reference kubernetes secret?

Answer

Rafał Leszko picture Rafał Leszko · Oct 21, 2019

You cannot use Kubernetes secret in your values.yaml. In values.yaml you only specify the input parameters for the Helm Chart, so it could be the secret name, but not the secret itself (or anything that it resolved).

If you want to use the secret in your container, then you can insert it as an environment variable:

env:
- name: SECRET_VALUE_ENV
  valueFrom:
    secretKeyRef:
      name: schemapass
      key: password

You can check more in the Hazelcast Enterprise Helm Chart. We do exactly that. You specify the secret name in values.yaml and then the secret is injected into the container using environment variable.