Kapitan Secrets and Helm integration problems

[Moep90]

Hey,

I'm currently working on an adoption of a helmchart of goharbor.
See: https://github.com/goharbor/harbor-helm/

parameters:
  harbor:
    chart_name: ${target_name}
    chart_version: 1.6.0
    namespace: ${namespace}
    helm_values:
      name: ${target_name}
      database:
        type: internal
        internal:
          password: ?{base64:targets/${target_name}/harbor-db-internal-password||randomstr:16}

This Helmchart requires plaintext passwords as value-Input.
So I tried using the kapitan's secret-backend base64 like so:
?{base64:targets/${target_name}/harbor-db-internal-password||randomstr:16}

Assuming my refs refs/targets/harbor/ is empty.
I run kapitan for the first time to generate the secrets:
$ ./kapitan compile -t harbor

This generates the file refs/targets/harbor/harbor-controller-secret with the following content:

$ cat refs/targets/harbor/harbor-controller-secret
---
data: cTc5UmZiYm4xYWZDOXNwcA==
encoding: original
type: base64
This is exactly what I expected:
data: UmVUbFZmdTU0bFZ0NG9Caw==
encoding: original
type: base64

$ echo "UmVUbFZmdTU0bFZ0NG9Caw==" |base64 -d
ReTlVfu54lVt4oBk

But the secrets in the end looks like this:

$ cat compiled/harbior/harbor/templates/database/database-secret.yaml
---
apiVersion: v1
data:
  POSTGRES_PASSWORD: P3tiYXNlNjQ6dGFyZ2V0cy9oYXJib3IvaGFyYm9yLWRiLWludGVybmFsLXBhc3N3b3JkfHxyYW5kb21zdHI6MTZ9
[...]

$ echo "P3tiYXNlNjQ6dGFyZ2V0cy9oYXJib3IvaGFyYm9yLWRiLWludGVybmFsLXBhc3N3b3JkfHxyYW5kb21zdHI6MTZ9" | base64 -d
?{base64:targets/harbor/harbor-db-internal-password||randomstr:16}

Any idea how I can make use of the kapitan secrets backend im cimbination with helm?

[ademariag]

I believe the issue is due to the fact that our integration with HELM, is not able to understand kapitan secrets.

Here's what I think is happening:

Any HELM chart that takes a password in the value files, will attempt to handle it by taking that value, and running a base64 of it. For reference, look at this mysql chart

So if you pass password123 to the value file, helm will do a base64 encryption and add it directly to the secret resource manifest.

Obviously.. if you pass ?{my-kapitan-ref:abc123}, HELM doesn't know how to handle it, and run a base64 on that string, which is what you are getting.

I think a possible solutions are:

• Use the post-processing feature that we have
• accept that you need to make a tiny change to the chart, and remove the part where helm does the base64 encoding

Full discussion here: https://kubernetes.slack.com/archives/C981W2HD3/p1615974246001700

[Moep90]

Yeah your right:
https://github.com/goharbor/harbor-helm/blob/1a0b86e3222ce00b97061e7658d8f87716ec8a0a/templates/_helpers.tpl#L94

Use the post-processing feature that we have
accept that you need to make a tiny change to the chart, and remove the part where helm does the base64 encoding.

Both these options are not made for me unfortunately...As you already stated:

This could make it harder to upgrade chart versions in the future, and understand the motivation behind changes in the chart itself.

[ademariag]

you could contribute a patch to the upstream chart, with a parameter like harbor.database.encodedPassword, explaining the use case.

[ademariag]

FWIW I think we have plans to make "post-compile" editing much much simpler...