Secrets

Secrets demand special handling, and often they are stored, managed and configured in a workflow that is adjacent to application deployment.

OneChart will not generate a Kubernetes Secret object, but can reference one.

You must place your application secrets in Kubernetes in a Secret object, named the same way as your application deployment. OneChart can reference this secret, and includes all of its entries in the deployment.

The secret name must match the release name. my-release in this example.

image:
  repository: nginx
  tag: 1.19.3

secret:
  enabled: true

Check the Kubernetes manifest:

cat << EOF > values.yaml
image:
  repository: nginx
  tag: 1.19.3

secret:
  enabled: true
EOF

helm template my-release onechart/onechart -f values.yaml

Using encrypted secret values

OneChart can be used with Bitnami's Sealed Secrets, as it generates a SealedSecret resource that can be stored even in git.

image:
  repository: nginx
  tag: 1.19.3

sealedSecrets:
  secret1: secret-value-to-be-sealed
  secret2: another-secret-to-be-sealed

We recommend that you seal your values.yaml file with Gimlet CLI:

gimlet seal -f values.yaml \
  -o values.yaml \
  -p sealedSecrets \
  -k sealingKey.crt

# values.yaml
image:
  repository: nginx
  tag: 1.19.3

sealedSecrets:
  secret1: AgBy3i4OJSWK+PiTySYZZA9rO43cGDEq...
  secret2: ewogICJjcmVk...