Helmfile: Direct support of Hashicorp Vault

Created on 1 Oct 2019 · 3 Comments · Source: roboll/helmfile

Hi!

Sometimes it's required to pass secret values to helm charts.
As Hashicorp Vault is a pretty popular tool for storing/managing secrets, direct support for the Vault key-value engine could be a useful feature of helmfile.
I'm talking about adding one more function to the templating engine, something like:

...
values:
- mySecretValue: {{ hashiVault "secret/mysecret" "keyname"}}

Would a PR implementing this functionality be accepted?

All 3 comments

@klebediev Hey! Thanks for trying helmfile.

I do believe this is a valid feature request. But I have some opinions on the config syntax, so that various use-cases are covered:

  • Consistent API for various sources (SSM #745, Terraform Outputs #505, and this - Vault)
  • Ability to have multiple instances of a specific source (like two instances of Vault)
  • Mix values from various sources
  • Ability to defer secrets retrieval (in case you split CI and CD, you will want to remove CI's access to the secrets store while still wanting to run helmfile template to generate K8s manifests for GitOps with a tool like fluxcd/flux or ArgoCD)

For now my proposal is something along the lines of https://github.com/mumoshu/values#cli.
That is, you use specifically formatted strings containing URIs to your Vault secrets like:

values:
- foo: $ref vals+vault://127.0.0.1:8200/mykv/foo?proto=http#/mykey
  bar:
    baz: $ref vals+vault://127.0.0.1:8200/mykv/foo?proto=http#/mykey

And maybe a special syntax to help reduce boilerplate:

values:
- $types:
    v: vals+vault://127.0.0.1:8200/mykv/foo?proto=http#/
  foo: $v mykey
  bar:
    baz: $v mykey

Would it work for you?

Hi @mumoshu!
Thank you for the quick reply!
I like this idea very much.

FYI: The syntax is being simplified to:

values:
- foo: ref+vault://127.0.0.1:8200/mykv/foo?proto=http#/mykey
  bar:
    baz: ref+vault://127.0.0.1:8200/mykv/foo?proto=http#/mykey

And thanks a lot for adding Vault secrets v2 support to https://github.com/variantdev/vals/pull/1 @klebediev!
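The following is an added example, not code from helmfile or from the vals library the thread links to. It is a standalone Go parser and resolver for the `ref+vault://` reference form shown in the last comment, and it demonstrates the "defer secrets retrieval" point from the first comment: with no fetcher supplied, every reference is still validated but left in place, so a CI stage can template without any Vault access and a CD stage resolves the same values tree later. The field mapping (host:port = Vault address, path = secret path, `#/KEY` = one key inside that secret, `proto` = http or https), the https default when `proto` is absent, and the `SampleValues`/`SampleFetcher` helpers with their in-memory "Vault" are this example's assumptions and constructed data, not behaviour guaranteed by vals.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// VaultRef is the parsed form of ref+vault://127.0.0.1:8200/mykv/foo?proto=http#/mykey.
// Field mapping is this example's assumption: host:port is the Vault address,
// the path is the secret path and the fragment names one key inside it.
type VaultRef struct {
	Address string // "http://127.0.0.1:8200"
	Path    string // "mykv/foo"
	Key     string // "mykey"
}

const refScheme = "ref+vault"

// IsRef reports whether a value is a reference rather than a literal.
func IsRef(s string) bool { return strings.HasPrefix(s, refScheme+"://") }

// ParseVaultRef validates and splits a reference; malformed ones fail here,
// so a dry run rejects them before any secret is fetched.
func ParseVaultRef(s string) (VaultRef, error) {
	u, err := url.Parse(s)
	if err != nil || u.Scheme != refScheme || u.Host == "" {
		return VaultRef{}, fmt.Errorf("not a ref+vault://HOST/PATH#/KEY reference: %q", s)
	}
	proto := u.Query().Get("proto")
	if proto == "" {
		proto = "https" // this example's default when proto is absent
	} else if proto != "http" && proto != "https" {
		return VaultRef{}, fmt.Errorf("unsupported proto %q in %q", proto, s)
	}
	path, key := strings.Trim(u.Path, "/"), strings.TrimPrefix(u.Fragment, "/")
	if path == "" || key == "" {
		return VaultRef{}, fmt.Errorf("missing secret path or #/KEY fragment in %q", s)
	}
	return VaultRef{Address: proto + "://" + u.Host, Path: path, Key: key}, nil
}

// Fetcher retrieves one key of one secret; a real one would call Vault.
type Fetcher func(ref VaultRef) (string, error)

// Resolve walks a values tree and replaces references with fetched secrets.
// fetch == nil is the deferred mode: references are parsed but left in place,
// so CI can validate and template with no Vault access and CD resolves later.
func Resolve(values map[string]interface{}, fetch Fetcher) (map[string]interface{}, error) {
	out := make(map[string]interface{}, len(values))
	for k, v := range values {
		switch t := v.(type) {
		case string:
			if !IsRef(t) {
				out[k] = t
				continue
			}
			ref, err := ParseVaultRef(t)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", k, err)
			}
			secret := t // deferred mode keeps the reference string as-is
			if fetch != nil {
				if secret, err = fetch(ref); err != nil {
					return nil, fmt.Errorf("%s: %w", k, err)
				}
			}
			out[k] = secret
		case map[string]interface{}:
			sub, err := Resolve(t, fetch)
			if err != nil {
				return nil, err
			}
			out[k] = sub
		default:
			out[k] = v // numbers, bools, lists pass through untouched
		}
	}
	return out, nil
}

// SampleValues mirrors the thread's values block (constructed input).
func SampleValues() map[string]interface{} {
	ref := "ref+vault://127.0.0.1:8200/mykv/foo?proto=http#/mykey"
	return map[string]interface{}{
		"foo": ref,
		"bar": map[string]interface{}{"baz": ref, "plain": "literal"},
	}
}

// SampleFetcher stands in for Vault with an in-memory store (constructed data).
func SampleFetcher() Fetcher {
	store := map[string]string{"mykv/foo#/mykey": "s3cret"}
	return func(ref VaultRef) (string, error) {
		if v, ok := store[ref.Path+"#/"+ref.Key]; ok {
			return v, nil
		}
		return "", fmt.Errorf("%s#/%s not found at %s", ref.Path, ref.Key, ref.Address)
	}
}
```

Usage: `Resolve(SampleValues(), nil)` is the CI stage and returns the tree with both references still in place; `Resolve(SampleValues(), SampleFetcher())` is the CD stage and returns `foo` and `bar.baz` replaced by the fetched value. Parsing happens in both modes on purpose, so a typo in a reference fails the CI run rather than the deployment.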
