Question: using combination of encrypted and unencrypted values.yml files #13

Open
tgoehler opened this issue Sep 28, 2020 · 6 comments
Labels: enhancement (New feature or request), question (Further information is requested)

@tgoehler

You described the usage of a wrapper "helm vault install ..... -f values.yaml" where values.yml is the encrypted values file.
Usually Helm supports multiple values files, like
"helm install .... -f values1.yaml -f values2.yaml" etc.

With the vault wrapper, is it still possible to use multiple values files?
Can there be a combination of, e.g., "-f vault_values.yaml -f values.yaml" where vault_values.yaml is encrypted and values.yaml contains unencrypted values?

If so, what would the corresponding helm install command look like?

Cheers
Torsten

@tgoehler tgoehler changed the title using combination of encrypted and unencrypted values.yml files Question: using combination of encrypted and unencrypted values.yml files Sep 28, 2020
@Just-Insane
Owner

Just-Insane commented Oct 4, 2020

Hello!

I haven’t tested this, but I do not think it would work currently with multiple files specified.

That being said, the difference between “encrypted” and “decrypted” files is at the value level, not the file level. You could probably make a YAML file that contains all of the needed YAML and just encrypt the values as needed. It should parse fine, but I haven’t specifically tested it.

If this is of interest, I will look into adding support for it.

@Just-Insane Just-Insane added enhancement New feature or request question Further information is requested labels Oct 4, 2020
@Just-Insane Just-Insane self-assigned this Oct 4, 2020
@Just-Insane
Owner

Just-Insane commented Oct 4, 2020

These two lines are what loads the YAML file to be worked on:

helm-vault/src/vault.py

Lines 430 to 431 in babcd2f

yaml_file = args.yaml_file
data = load_yaml(yaml_file)

I think changing this to be able to know about multiple passed YAML files and then parse them sequentially would be fairly simple.

@tgoehler
Author

The idea behind this is to have a hierarchical configuration and to avoid maintaining the same values in different places.
A couple of Helm charts shall each get three different categories of values.yaml file:

  • individual values for a helm chart (clear text)
  • global values, same file valid for all helm charts (clear text)
  • vault values (encrypted)

So, plain Helm can be given multiple values files with multiple -f options on the command line.
Maybe you could keep -f for unencrypted files and add an option like -e --encrypted-values
to pass only the files behind -e to the vault.

-e isn't yet being used by helm install | upgrade as far as I can see

@Just-Insane
Owner

I like this idea. Once I get some time I’ll look into implementing it.

@Just-Insane
Owner

Looping back on this, sorry it took so long.

Just to clarify, (since I’ve never used multiple values files with Helm), what is the purpose of the multiple values files?

I would imagine that you could combine the values into a single file and then pass that values file into the enc/dec statements?

With the addition of Vault Path Templating you would be able to set the location of your global variables to one spot in Vault, and then always use that templated vault path for the global values in the values file?

Would it be fine to just accept and parse multiple values files and just ignore files that don’t have any deliminators?

@Tri0L

Tri0L commented Sep 1, 2022

We need to be able to provide a few values files through -f args too.
Use case:
We have one file with shared global values per environment + one service-specific file per environment + default values in chart.
It would be great to be able to do something like helm vault install release chart -f stage.yaml -f my-service.yaml
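
As an added illustration of the sequential parsing discussed in this thread (not helm-vault's own code): the sketch below merges several already-parsed values files in `-f` order and reports which marked values still need a Vault lookup and which were overridden by a later cleartext file. The marker string `changeme`, the function names and the sample files are assumptions constructed for the example.

```python
MARKER = "changeme"  # assumed deliminator marking a value to be fetched from Vault

def walk(node, path=()):
    """Yield (dotted_path, leaf) for every scalar in nested dicts and lists."""
    if isinstance(node, dict):
        items = node.items()
    elif isinstance(node, list):
        items = enumerate(node)
    else:
        yield ".".join(map(str, path)), node
        return
    for key, child in items:
        yield from walk(child, path + (key,))

def deep_merge(base, override):
    """Later file wins: mappings merge recursively, lists and scalars are replaced."""
    merged = dict(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged

def merge_values(files):
    """files: ordered (name, parsed_dict) pairs. Returns (merged, secrets, shadowed)."""
    merged, marked_in = {}, {}
    for name, data in files:
        for path, leaf in walk(data):
            if leaf == MARKER:
                marked_in[path] = name  # remember which file asked for a Vault lookup
        merged = deep_merge(merged, data)
    live = {path for path, leaf in walk(merged) if leaf == MARKER}
    secrets = {p: f for p, f in marked_in.items() if p in live}
    # Marked somewhere, but replaced by cleartext (or removed) in a later file
    shadowed = sorted(p for p in marked_in if p not in live)
    return merged, secrets, shadowed

# Constructed sample input, in the order of: -f stage.yaml -f vault_values.yaml -f my-service.yaml
SAMPLE_FILES = [
    ("stage.yaml", {"global": {"registry": "registry.example.internal",
                               "db": {"user": "app", "password": MARKER}}}),
    ("vault_values.yaml", {"api": {"token": MARKER}}),
    ("my-service.yaml", {"replicas": 2, "global": {"db": {"password": "dev-only"}}}),
]

if __name__ == "__main__":
    merged, secrets, shadowed = merge_values(SAMPLE_FILES)
    print("needs Vault:", secrets)
    print("overridden by later cleartext:", shadowed)
```

A non-empty `shadowed` list is worth failing a deployment on, since it means a cleartext value in a later file silently replaced one that was meant to come from Vault.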
