Pass nested env variables to Helm - kubernetes-helm

Due to security concerns, I can't keep the credentials in values.yaml in the CI/CD system. I'm trying to pass the credentials directly to helm using the --set argument instead. The application requires some of its configs to be in nested formats as shown below.
https://github.com/StackStorm/stackstorm-k8s/blob/master/values.yaml#L67
https://github.com/StackStorm/stackstorm-k8s/blob/master/values.yaml#L89
I'm unable to find a better way to pass these variables to helm during install/upgrade.
configs:
  core.yaml: |
    ---
    name: "CoreName"
    value: "CoreValue"
  element1.yaml: |
    ---
    element_url: "https://example.com/element/"
    invit_invite: "var1,var2,var3"
    element_token: "elementtokenhere"
    element_labels:
      name: "value"
      type: "value"
  element2.yaml: |
    ---
    name: "name"
    type: "value"
Is there a better way to handle this within helm arguments before I look for options to change the chart itself?
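One way to do this without changing the chart, as an added example that is not part of the original post: Helm's --set-file flag reads each value from a file, and a backslash escapes the dot in a key such as core.yaml, so the CI job can write each secret to a private file and pass only its path. The `configs` parent key comes from the snippet above; the release name, chart path, CI variable names and the HELM override variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): feed nested, multi-line chart
# values to Helm from files that the CI job writes out of its secret store.

# Escape dots so Helm reads "core.yaml" as one key, not the path core -> yaml.
escape_key() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Build the value of one --set-file flag: <parent>.<escaped file name>=<path>.
set_file_arg() {
    printf '%s.%s=%s' "$1" "$(escape_key "$2")" "$3"
}

# Write one secret into DIR/NAME, readable by the current user only.
write_secret() {
    ( umask 077 && printf '%s\n' "$3" > "$1/$2" )
}

# Run "helm upgrade --install" with one --set-file flag per file in DIR.
# HELM is an assumed override so the command line can be inspected in a dry run.
deploy() {
    release=$1 chart=$2 parent=$3 dir=$4
    set --
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        set -- "$@" --set-file "$(set_file_arg "$parent" "$(basename "$f")" "$f")"
    done
    ${HELM:-helm} upgrade --install "$release" "$chart" "$@"
}

# Typical pipeline use (CORE_YAML and ELEMENT1_YAML are assumed CI secrets):
#   dir=$(mktemp -d) && trap 'rm -rf "$dir"' EXIT
#   write_secret "$dir" core.yaml "$CORE_YAML"
#   write_secret "$dir" element1.yaml "$ELEMENT1_YAML"
#   deploy my-release ./chart configs "$dir"
```

Unlike --set, the secret text itself is not part of the helm command line, so it does not show up in process listings or in the CI system's command echo; only the file paths do.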

Related

Pulumi - How do we patch a deployment created with helm chart, when values do not contain the property to be updated

I've code to deploy a helm chart using pulumi kubernetes.
I would like to patch the StatefulSet (change serviceAccountName) after deploying the chart. Chart doesn't come with an option to specify service account for StatefulSet.
Here's my code:
// install psmdb database chart
const psmdbChart = new k8s.helm.v3.Chart(psmdbChartName, {
    namespace: namespace.metadata.name,
    path: './percona-helm-charts/charts/psmdb-db',
    // chart: 'psmdb-db',
    // version: '1.7.0',
    // fetchOpts: {
    //     repo: 'https://percona.github.io/percona-helm-charts/'
    // },
    values: psmdbChartValues
}, {
    dependsOn: psmdbOperator
})
const set = psmdbChart.getResource('apps/v1/StatefulSet', `${psmdbChartName}-${psmdbChartValues.replsets[0].name}`);
I'm using Percona Server for MongoDB Operator helm charts. It uses Operator to manage StatefulSet, which also defines CRDs.
I've tried pulumi transformations. In my case the chart doesn't contain a StatefulSet resource but instead a CRD.
If it's not possible to update ServiceAccountName on the StatefulSet using transformations, is there any other way I can override it?
Any help is appreciated.
Thanks,
Pulumi has a powerful feature called Transformations which is exactly what you need here (Example). A transformation is a callback that gets invoked by the Pulumi runtime and can be used to modify resource input properties before the resource is created.
I've not tested the code but you should get the idea:
import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";
// install psmdb database chart
const psmdbChart = new k8s.helm.v3.Chart(psmdbChartName, {
    namespace: namespace.metadata.name,
    path: './percona-helm-charts/charts/psmdb-db',
    // chart: 'psmdb-db',
    // version: '1.7.0',
    // fetchOpts: {
    //     repo: 'https://percona.github.io/percona-helm-charts/'
    // },
    values: psmdbChartValues,
    transformations: [
        // Set serviceAccountName on the matching StatefulSet before it is created
        (obj: any, opts: pulumi.CustomResourceOptions) => {
            if (obj.kind === "StatefulSet" && obj.metadata.name === `${psmdbChartName}-${psmdbChartValues.replsets[0].name}`) {
                obj.spec.template.spec.serviceAccountName = "customServiceAccount"
            }
        },
    ],
}, {
    dependsOn: psmdbOperator
})
Seems Pulumi doesn't have a straightforward way to patch an existing Kubernetes resource. Though this is still possible with multiple steps.
From a GitHub comment:
1. Import existing resource
2. pulumi up to import
3. Make desired changes to imported resource
4. pulumi up to apply changes
It seems they plan on supporting functionality similar to kubectl apply -f for patching resources.

Passing list object into configMap data section

I want to pass a list object in the data section of configMap in application YAML file.
I have the following list in the properties file:
abc.management.provider[0].url=https://example.com
abc.management.provider[0].username=John
abc.management.provider[1].url=https://example2.com
abc.management.provider[1].username=Targerian
YAML file:
data:
  abc_management:
    provider:
      - url: "https://example.com"
        username: "John"
      - url: "https://example2.com"
        username: "Targerian"
I'm getting this error: ConfigMap in version "v1" cannot be handled as a ConfigMap: v1.ConfigMap: Data: ReadString: expects " or n,.
What should I do?
This mostly depends on how your application reads the configuration.
If it works for you, you can create the ConfigMap directly with your properties-file:
kubectl create configmap app-config --from-file=app.properties
I think this question points to what the nature of a ConfigMap object is. Under the hood, it seems ConfigMaps do not explicitly handle lists, so in the end it just depends on how you read that content.
The data field is designed to contain UTF-8 byte sequences ...
Each key under the data or the binaryData field must consist of
alphanumeric characters, -, _ or .. The keys stored in data must not
overlap with the keys in the binaryData field.
https://kubernetes.io/docs/concepts/configuration/configmap/#configmap-object

Invalid characters were found in group names but not replaced ansible k8s

My k8s.yaml inventory file is:
plugin: k8s
connections:
- kubeconfig: '/Users/user1/Documents/Learning/ansible/kubeconfig.test.yaml'
context: 'user1#testeks.us-east-1.eksctl.io'
ansible playbook:
test_new.yml
- hosts: localhost
  tasks:
    - name: Create a k8s namespace
      k8s:
        name: testing3
        api_version: v1
        kind: Namespace
        state: present
Looks like the ansible-playbook command is not picking up the inventory k8s.yaml. Also, I am not sure why I am getting the invalid characters {'-'} in group name warnings.
Please let me know if the above inventory file and ansible playbook files look good, or is there anything I am missing?
ansible-playbook -vvvv -i k8s.yaml -vvv ./test_new.yml
No config file found; using defaults
setting up inventory plugins
host_list declined parsing /Users/user1/Documents/Learning/ansible/k8s.yaml as it did not pass its verify_file() method
script declined parsing /Users/user1/Documents/Learning/ansible/k8s.yaml as it did not pass its verify_file() method
Not replacing invalid character(s) "{'-', '9'}" in group name (909676E2B4F81625BF5994625D3353C9-yl4-us-east-1-eks-amazonaws-com)
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
Not replacing invalid character(s) "{'-'}" in group name (namespace_add-ons)
Not replacing invalid character(s) "{'-'}" in group name (namespace_add-ons_pods)
Not replacing invalid character(s) "{'.', '/', '-'}" in group name (label_app.kubernetes.io/instance_aws-cluster-autoscaler)
I'm not sure where you got that you need the Kubernetes parameters specified in your inventory file. If you look at the k8s module documentation it says that kubeconfig and context are specified in the playbook or as environment variables.
Your inventory should look something like this:
all:
  hosts:
    host.where.can.access.the.kubeapiserver.com:
Then your playbook:
- name: Create a k8s namespace
  k8s:
    name: testing3
    api_version: v1
    kind: Namespace
    state: present
    kubeconfig: '/Users/user1/Documents/Learning/ansible/kubeconfig.test.yaml'  # this can be replaced by the K8S_AUTH_KUBECONFIG env variable
    context: 'user1#testeks.us-east-1.eksctl.io'  # this can be replaced by the K8S_AUTH_CONTEXT env variable
Based on the formatting of your post, it looks like your inventory file contains improper syntax. It should look like this:
plugin: k8s
connections:
  - kubeconfig: '/Users/user1/Documents/Learning/ansible/kubeconfig.test.yaml'
    context: 'user1#testeks.us-east-1.eksctl.io'
Remember that spaces are important.
For deprecation warnings, be sure to read up on these issues:
https://github.com/ansible/ansible/issues/56930
https://github.com/kubernetes-sigs/kubespray/issues/4830
Usage of hyphens in inventory group names was deprecated in Ansible 2.8 due to Python parser errors when using dot syntax. Auto-transformation can be disabled by adding force_valid_group_names = never to your Ansible config file. Similarly, deprecation warnings can be suppressed by adding deprecation_warnings = False though this is not recommended.

Multiple subcharts with different .Values properties

I'm trying to create a chart with multiple subcharts ( 2 instances of ibm-db2oltp-dev). Is there a way to define in the same values.yaml file, different configuration for each instance?
I need two databases:
db2inst.instname: user1
db2inst.password: password1
options.databaseName: dbname1
db2inst.instname: user2
db2inst.password: password2
options.databaseName: dbname2
I saw it could be done via alias but I didn't find an example explaining how to do it. Is it possible?
Yes, it is possible:
In Chart.yaml for Helm 3 or in requirements.yaml for Helm 2:
dependencies:
  - name: ibm-db2oltp-dev  # full chart name here
    repository: http://localhost:10191  # actual repository url here
    version: 0.1.0  # required version
    alias: db1inst  # the name of the chart locally
  - name: ibm-db2oltp-dev
    repository: http://localhost:10191
    version: 0.1.0
    alias: db2inst
parentChart/values.yaml:
someParentChartValueX: x
someParentChartValueY: y
db1inst:
  instname: user1
  db2inst: password1
db2inst:
  instname: user2
  db2inst: password2
Actually it cannot be achieved in Helm (by aliases too) because values resolving doesn't work for aliased charts. The only way is to define values for chart name:
<chart_name not alias>:
  var1: value
  var2: value
The source issue: https://github.com/helm/helm/issues/7093

spinnaker create application in default namespace with helm chart

I am trying to create a CD pipeline on Spinnaker, and my applications were packaged as a helm chart.
I set the k8s namespace in the following page, but when I trigger the pipeline, Spinnaker didn't create the applications in that namespace; the applications were actually created in the default namespace "spinnaker", in which I set up Spinnaker.
Is it a spinnaker bug or configuration mistake?
Can someone point me on how to troubleshoot/solve this?
configuration of spinnaker pipeline
And I found the log info below from spin-rosco:
2018-11-07 06:48:49.146 INFO 1 --- [0.0-8087-exec-6] c.n.s.rosco.jobs.local.JobExecutorLocal : Starting job: [helm, template, /tmp/52a04675-210e-44a4-a0d8-d008222d527a/84C4D3AF1AA88C049E8175B4F068D7EE, --name, mytest, --namespace, mynamespace]...
2018-11-07 06:48:49.147 INFO 1 --- [0.0-8087-exec-6] c.n.s.rosco.jobs.local.JobExecutorLocal : Polling state for e8521f11-ef81-4d72-a172-b578a8c4c10a...
2018-11-07 06:48:49.148 INFO 1 --- [ionThreadPool-1] c.n.s.rosco.jobs.local.JobExecutorLocal : Executing e8521f11-ef81-4d72-a172-b578a8c4c10a with tokenized command: [helm, template, /tmp/52a04675-210e-44a4-a0d8-d008222d527a/84C4D3AF1AA88C049E8175B4F068D7EE, --name, mytest, --namespace, mynamespace]
2018-11-07 06:48:50.147 INFO 1 --- [0.0-8087-exec-6] c.n.s.rosco.jobs.local.JobExecutorLocal : Polling state for e8521f11-ef81-4d72-a172-b578a8c4c10a...
2018-11-07 06:48:50.149 INFO 1 --- [0.0-8087-exec-6] c.n.s.rosco.jobs.local.JobExecutorLocal : State for e8521f11-ef81-4d72-a172-b578a8c4c10a changed with exit code 0.
Solved! My mistake, the helm template should contain the namespace, as the official website notes:
The release namespace (optional)
The Kubernetes namespace to install release into. If parameter is not specified default namespace will be used.
Note: Not all Helm charts contain namespace definitions in their manifests. Make sure that your manifests contain the following code:
metadata:
  namespace: {{ .Release.Namespace }}