jenkins-x, kubernetes

Jenkins-X 3 and Helm – Creating Secrets Part 2 – Temporary Secrets


In our previous post, we showed how to replicate secrets across multiple namespaces. In our use case, we only needed to replicate secrets so that they are available in preview environments. This incurs unnecessary cost, since those secrets remain even after the preview environments are deleted. We therefore switched to temporary secrets that exist only in preview environments.

Helm Templates

To achieve our goal of creating secrets only for the current preview environment, we make use of Helm’s templates and template functions to add conditions and generate random strings. First, we create the secret inside the application’s template directory rather than in the cluster git repo. Next, we only generate the secret if we are in the preview environment.

charts
 - app-name
   - templates
      - secrets-preview.yaml

File: secrets-preview.yaml

{{- if .Values.usePreviewSecrets }}
apiVersion: v1
data:
  mongodb-password: {{ randAlphaNum 40 | b64enc }}
  mongodb-root-password: {{ randAlphaNum 40 | b64enc }}
  mongodb-replica-set-key: {{ randAlphaNum 40 | b64enc }}
kind: Secret
metadata:
  name: secrets-preview
type: Opaque
{{- end }}

We added a condition to our secret so that it is only created if we pass the usePreviewSecrets value into the Helm chart values YAML. We also populated the secret with random strings. We don’t need to worry about external secrets and Google Secret Manager costs, as those are only used if we populate the value with jx secret edit; in our case, we have already populated it with random string values.

File: charts/app-name/values.yaml

...
usePreviewSecrets: false
...

Add the value above to values.yaml for the chart, set to false by default. We will enable usePreviewSecrets from the preview Helm chart values.

File: preview/values.yaml.gotmpl

usePreviewSecrets: true

Override the flag in the preview values to enable preview secrets. We can now reference the secret in the preview environment by its name, secrets-preview.

On Helm random string generator

One disadvantage of this approach is that the random strings are generated anew every time we update the preview environment. If the application integrates with MongoDB, for example, it will break when we push an update that re-runs the preview environment: the MongoDB container was already initialized with the old secret, but the application now receives the newly generated one.

A workaround is to monitor the preview logs via jx get build logs and, when the pipeline reaches the step where it validates the application, simply delete the MongoDB pod. The pod will be recreated using the new secret and the application should work again.

Just remember to do it every time, or just be too good that your pull request passes in a single push 😂.
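As an added example (not from the original post), here is a variant of the secrets-preview.yaml template that avoids regenerating the passwords on every update. It uses Helm’s lookup function to read the secret already present in the release namespace and reuse its values; only when no secret exists yet does it fall back to randAlphaNum. The secret name and data keys are the ones from the template above, and the values read back from lookup are already base64-encoded, so they are emitted as-is.

```yaml
{{- if .Values.usePreviewSecrets }}
{{- /* Reuse the existing secret, if any, so an upgrade does not hand the
       application a different password than the one MongoDB was
       initialized with. lookup returns an empty map when nothing is found. */}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace "secrets-preview" }}
apiVersion: v1
kind: Secret
metadata:
  name: secrets-preview
type: Opaque
data:
  {{- if $existing }}
  {{- /* Values from the API are already base64-encoded: copy them through. */}}
  mongodb-password: {{ index $existing.data "mongodb-password" }}
  mongodb-root-password: {{ index $existing.data "mongodb-root-password" }}
  mongodb-replica-set-key: {{ index $existing.data "mongodb-replica-set-key" }}
  {{- else }}
  {{- /* First install in this namespace: generate fresh random values. */}}
  mongodb-password: {{ randAlphaNum 40 | b64enc }}
  mongodb-root-password: {{ randAlphaNum 40 | b64enc }}
  mongodb-replica-set-key: {{ randAlphaNum 40 | b64enc }}
  {{- end }}
{{- end }}
```

One caveat: lookup only returns data when Helm renders against a live cluster during an install or upgrade. Under helm template, helmfile template or a dry run it returns an empty map, so the random branch runs on every render. If your preview pipeline renders the chart to YAML before applying it, this template behaves exactly like the original one, and the pod-deletion workaround above is still needed.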

Featured image by PhotoMIX Company.
