Flux: Failed to compose values for a Chart release - unable to yaml.Unmarshal

Created on 24 Jul 2019 · 4Comments · Source: fluxcd/flux

Using the standard helm operator get started template:
https://github.com/fluxcd/helm-operator-get-started

To Reproduce
Steps to reproduce the behaviour:

Create a Sealed Secret
Use the secret in a helmRelease via spec.valuesFrom
See logs

Expected behavior
To unmarshal the yaml successfully and decrypt the sealed secret into Kubernetes secret

Logs
caller=release.go:190 component=release error="Failed to compose values for Chart release [podinfo-dev]: unable to yaml.Unmarshal [65 80 80 95 78 65 77 69 61 76 117 109 101 110 13 10 65 80 80 95 69 78 86 61 108 111 99 97 108 13 10 65 80 80 95 75 69 89 61 69 122 77 120 50 115 118 116 65 49 67 115 79 122 80 114 113 69 57 69 77 109 85 107 101 103 108 115 52 109 106 118 13 10 65 80 80 95 68 69 66 85 71 61 116 114 117 101 13 10 65 80 80 95 85 82 76 61 104 116 116 112 58 47 47 103 97 116 101 119 97 121 46 108 97 110 13 10 65 80 80 95 84 73 77 69 90 79 78 69 61 85 84 67 13 10 13 10 65 80 73 95 68 65 84 65 95 76 79 71 71 69 82 61 108 111 99 97 108 13 10 76 79 71 95 67 72 65 78 78 69 76 61 115 105 110 103 108 101 13 10 76 79 71 95 83 76 65 67 75 95 87 69 66 72 79 79 75 95 85 82 76 61 13 10 13 10 68 66 95 67 79 78 78 69 67 84 73 79 78 61 13 10 68 66 95 72 79 83 84 61 55 13 10 68 66 95 80 79 82 84 61 13 10 68 66 95 68 65 84 65 66 65 83 69 61 13 10 68 66 95 85 83 69 82 78 65 77 69 61 13 10 68 66 95 80 65 83 83 87 79 82 68 61 13 10 13 10 67 65 67 72 69 95 68 82 73 86 69 82 61 102 105 108 101 13 10 81 85 69 85 69 95 67 79 78 78 69 67 84 73 79 78 61 115 121 110 99 13 10] from .env in Secret dev/gateway-env"

Additional context
Couldn't find any detailed explanation what is expected next and how to get valuesFrom thereafter. I suppose it will be in the pods printenv although with native Kubernetes before experimenting with Flux it was directly injected as the app's .env file without any additional commands.

Flux version: 1.13.1
Helm Operator version: 2.14.1
Kubernetes version: 1.12.8
Git provider: Bitbucket
Container registry provider: Docker Hub

helm question

Source

mar1n3r0

All 4 comments

When I transform the bytes from your log into text, the output becomes:

APP_NAME=Lumen
APP_ENV=local
APP_KEY=EzMx2svtA1CsOzPrqE9EMmUkegls4mjv
APP_DEBUG=true
APP_URL=http://gateway.lan
APP_TIMEZONE=UTC

API_DATA_LOGGER=local
LOG_CHANNEL=single
LOG_SLACK_WEBHOOK_URL=

DB_CONNECTION=
DB_HOST=7
DB_PORT=
DB_DATABASE=
DB_USERNAME=
DB_PASSWORD=

CACHE_DRIVER=file
QUEUE_CONNECTION=sync

This is not a valid YAML structure, which the Helm operator expects it to be, as it composes a values.yaml from the valuesFrom and .spec.values to use during releases.

Please read the valuesFrom docs carefully, and see if this answers your question: https://github.com/fluxcd/flux/blob/8292179855e15370fb3d3b03135a61b54f00ae42/site/helm-integration.md#specvaluesfrom

hiddeco on 24 Jul 2019

Thanks, I just want to pass my whole .env file as literal and insert it back to my pod after the secret is decrypted.

With a Kubernetes secret it was as easy as encoding the whole .env file and the deployment was automatically decoding and inserting that as .env in the pod. With the Helm Operator I would like to achieve the same flow but it seems I have to enter them all manually as far as I understand.

I am willing to use the sealed secret as a transportation layer to the pod in essence.

mar1n3r0 on 24 Jul 2019

Thanks, I just want to pass my whole .env file as literal and insert it back to my pod after the secret is decrypted.

I think that can all be solved without a valuesFrom.

create a SealedSecret with your .env (e.g. default:sealedsecret/foo)
adapt your chart to mount a secret name which you have specified in your values.yaml as .env, e.g.,
yaml <snip> volumeMounts: <ul> <li>name: env mountPath: "/expected/mount/path" readOnly: true volumes: <ul> <li>name: env secret: secretName: {{ .Values.secretName }}