Add values_sensitive option to set sensitive values as yaml #625

Open
wants to merge 1 commit into
base: main

ksvladimir

Description

When using tools like sops or similar, multiple secrets are often managed in a single YAML file. It's not possible to pass it using `set_sensitive`. This PR implements a `values_sensitive` argument, which works just like `values`, but hides its content just like `set_sensitive`.

The PR includes tests and documentation, and closes #546.

Note: after implementing it, I realized it duplicates PR #549.

Acceptance tests

  • Have you added an acceptance test for the functionality being added?
  • Have you run the acceptance tests on this branch?

Output from acceptance testing:

```
$ make testacc TESTARGS='-run=[Cc]loak'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test "./helm" -v -run=[Cc]loak -timeout 120m -parallel=4
=== RUN   TestAccResourceRelease_cloakValues
=== PAUSE TestAccResourceRelease_cloakValues
=== RUN   TestAccResourceRelease_cloakValuesYaml
=== PAUSE TestAccResourceRelease_cloakValuesYaml
=== RUN   TestCloakSetValuesYaml
--- PASS: TestCloakSetValuesYaml (0.00s)
=== RUN   TestCloakSetValuesYamlNotMatching
--- PASS: TestCloakSetValuesYamlNotMatching (0.00s)
=== RUN   TestCloakSetValues
--- PASS: TestCloakSetValues (0.00s)
=== RUN   TestCloakSetValuesNested
--- PASS: TestCloakSetValuesNested (0.00s)
=== RUN   TestCloakSetValuesNotMatching
--- PASS: TestCloakSetValuesNotMatching (0.00s)
=== CONT  TestAccResourceRelease_cloakValues
=== CONT  TestAccResourceRelease_cloakValuesYaml
    provider_test.go:162: [DEBUG] Creating namespace terraform-acc-test-3xbfya6mvh
=== CONT  TestAccResourceRelease_cloakValues
    provider_test.go:162: [DEBUG] Creating namespace terraform-acc-test-ovemsbqlx3
--- PASS: TestAccResourceRelease_cloakValues (21.99s)
--- PASS: TestAccResourceRelease_cloakValuesYaml (24.82s)
PASS
ok      github.com/hashicorp/terraform-provider-helm/helm       24.970s
```

Release Note

- Adds `values_sensitive` option to set sensitive values as yaml

References

Resolves #546
Supersedes #549

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

@ksvladimir
Author

It looks like engineerd/[email protected] needs to be upgraded to engineerd/[email protected] in https://github.com/hashicorp/terraform-provider-helm/blob/master/.github/workflows/tests.yaml for the tests to work.

@hashicorp-cla

hashicorp-cla commented Nov 22, 2020

CLA assistant check
All committers have signed the CLA.

@mnaser

mnaser commented Jan 11, 2021

> It looks like engineerd/[email protected] needs to be upgraded to engineerd/[email protected] in https://github.com/hashicorp/terraform-provider-helm/blob/master/.github/workflows/tests.yaml for the tests to work.

It seems like this was fixed in #635

Base automatically changed from master to main March 19, 2021 18:26
@hilariocoelho

Any updates on this? This would be really helpful.

@jrhouston

Seems to fix #793 and #546.

@hilariocoelho

hilariocoelho commented Jan 25, 2022

Update: I forked @ksvladimir's PR in order to pull changes from master, made the necessary adjustments to the unit tests, published the provider to the Terraform registry, and it worked as expected.

You can find the fork here and the published provider here

```
- resource "helm_release" "test_release" {
      - atomic                     = false -> null
      - chart                      = "oci://redacted.azurecr.io/helm/redacted" -> null
      - cleanup_on_fail            = false -> null
      - create_namespace           = false -> null
      - dependency_update          = false -> null
      - disable_crd_hooks          = false -> null
      - disable_openapi_validation = false -> null
      - disable_webhooks           = false -> null
      - force_update               = false -> null
      - id                         = "test_release" -> null
      - lint                       = false -> null
      - max_history                = 0 -> null
      - metadata                   = [
          - {
              - app_version = "6.1.0"
              - chart       = "redacted"
              - name        = "test"
              - namespace   = "test"
              - revision    = 1
              - values      = jsonencode(
                    {
                          - secret_key      = "(sensitive value)"
                          - secret_password = "(sensitive value)"
                    }
                )
              - version     = "6.1.0"
            },
        ] -> null
      - name                       = "redacted" -> null
      - namespace                  = "test" -> null
      - recreate_pods              = false -> null
      - render_subchart_notes      = true -> null
      - replace                    = false -> null
      - repository_password        = (sensitive value)
      - repository_username        = "redacted" -> null
      - reset_values               = false -> null
      - reuse_values               = false -> null
      - skip_crds                  = false -> null
      - status                     = "deployed" -> null
      - timeout                    = 300 -> null
      - values_sensitive           = (sensitive value)
      - verify                     = false -> null
      - version                    = "6.1.0" -> null
      - wait                       = true -> null
      - wait_for_jobs              = false -> null
    }
```
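
The plan output above shows the release metadata with the secret keys replaced by `(sensitive value)`. As an added illustration (not the provider's or this PR's code), the Go sketch below shows one way such masking can work over nested values, including keys that do not match; the names `cloak` and `sample` and all sample data are constructed for this example.

```go
package main

import "fmt"

const mask = "(sensitive value)"

// cloak returns a copy of values in which every entry that also appears at
// the same nested path in sensitive is replaced by the mask string.
// Hypothetical helper for illustration, not the provider's implementation.
func cloak(values, sensitive map[string]interface{}) map[string]interface{} {
	out := make(map[string]interface{}, len(values))
	for k, v := range values {
		s, marked := sensitive[k]
		if !marked {
			out[k] = v // key absent from the sensitive document: keep as is
			continue
		}
		vm, vIsMap := v.(map[string]interface{})
		sm, sIsMap := s.(map[string]interface{})
		if vIsMap && sIsMap {
			out[k] = cloak(vm, sm) // descend so only matching sub-keys are masked
		} else {
			out[k] = mask // leaf, or shapes differ: mask the whole entry
		}
	}
	return out
}

// sample runs cloak over constructed release values and a constructed
// sensitive document (as it would look after YAML decoding).
func sample() map[string]interface{} {
	values := map[string]interface{}{
		"secret_key": "constructed-key",
		"replicas":   2,
		"db": map[string]interface{}{
			"host":     "db.internal",
			"password": "constructed-password",
		},
	}
	sensitive := map[string]interface{}{
		"secret_key": "constructed-key",
		"db":         map[string]interface{}{"password": "constructed-password"},
		"unused":     "not present in the release values",
	}
	return cloak(values, sensitive)
}

func main() {
	fmt.Println(sample())
}
```

Masking of this kind only changes what is displayed in plan and metadata output. Terraform still records sensitive attributes in its state, so the state backend needs its own access control and encryption.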

@hilariocoelho

@alexsomesan can you take a look at this please? We have been using a custom provider version for some time and we haven't faced any issues. This should be included in the provider.

@pndurette

I hate to annoyingly +1 things, but anybody over at @hashicorp/terraform-ecosystem-kubernetes (sic CODEOWNERS) mind giving us a hand in pushing this towards an official release?

@NumenDivinum

Please integrate this feature, it will really make handling helm releases easier.

@astorrs

astorrs commented Feb 15, 2024

+1

@michelzanini

+1

@paymog

paymog commented Aug 21, 2024

@hilariocoelho you would be an absolute hero if you could also include #746 and #1322 in your custom provider and rebase on a base release.

Successfully merging this pull request may close these issues.

Add ability to handle sensitive yaml input without leaking sensitive data
9 participants