[docs] talm: encrypted user values and dry-run secret redaction#590
Conversation
❌ Deploy Preview for cozystack failed.
|
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughAdds a new documentation subsection to talm.md describing encrypted operator-supplied secret values for Talm v0.32+, covering encryption via talm.key, Chart.yaml wiring, and secret redaction behavior across talm template, node-file rendering, and dry-run apply. ChangesTalm documentation update
Estimated code review effort: 1 (Trivial) | ~5 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request adds a new section to the Talm documentation explaining how to handle encrypted user values and secret redaction. The feedback suggests formatting the YAML configuration using block style instead of flow style, maintaining American English spelling consistency (e.g., changing 'Behaviour' to 'Behavior' and 'honours' to 'honors'), and correcting a minor grammatical issue.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| **Step 3 — reference the encrypted file** from `Chart.yaml` by adding it to `templateOptions.valueFiles`, so both `talm template` and `talm apply` read it: | ||
|
|
||
| ```yaml | ||
| templateOptions: { valueFiles: ["values-secret.encrypted.yaml"] } |
There was a problem hiding this comment.
Using block style for YAML is generally preferred over flow style (JSON-like) in Kubernetes and Helm documentation as it is more readable and consistent with the rest of the examples in this guide.
| templateOptions: { valueFiles: ["values-secret.encrypted.yaml"] } | |
| templateOptions: | |
| valueFiles: | |
| - values-secret.encrypted.yaml |
There was a problem hiding this comment.
Switched to block style in edff884 — agreed, it reads better and matches the other examples in this guide.
|
|
||
| How secrets are handled across commands: | ||
|
|
||
| | Command | Behaviour | |
There was a problem hiding this comment.
Fixed in edff884 (Behaviour → Behavior).
| | `talm template -i` (node file) | secret values are omitted entirely from the committed node file — the real value is re-rendered in memory only at apply, so no plaintext (or ciphertext) ever lands in `nodes/*.yaml`. | | ||
| | `talm apply --dry-run` | both diffs redact secrets: talm's structured drift preview AND the server-returned `Config diff:` block. `--show-secrets-in-drift` reveals them. | | ||
|
|
||
| The `--show-secrets-in-drift` flag governs every secret-bearing surface of the apply dry-run, covering both these user values and the Talos bootstrap material (`cluster.ca.key`, `machine.token`, encryption secrets, Wireguard keys, etc.). By default a dry-run never prints a CA private key or a user secret in cleartext. |
There was a problem hiding this comment.
Added the comma in edff884.
|
|
||
| The `--show-secrets-in-drift` flag governs every secret-bearing surface of the apply dry-run, covering both these user values and the Talos bootstrap material (`cluster.ca.key`, `machine.token`, encryption secrets, Wireguard keys, etc.). By default a dry-run never prints a CA private key or a user secret in cleartext. | ||
|
|
||
| `talm apply` honours the full set of value sources, matching `talm template`: `--values`, `--set`, `--set-string`, `--set-file`, `--set-json`, `--set-literal`, merged on top of the `templateOptions.*` defaults from `Chart.yaml`. This keeps `template` and `apply` rendering identically. |
There was a problem hiding this comment.
Fixed in edff884 (honours → honors).
Add a talm.md section covering the encrypted-user-values workflow (values-secret.yaml -> talm.key encryption -> templateOptions.valueFiles -> in-template use) and how secrets are redacted across talm template, talm template -i, and talm apply --dry-run. Documents --show-secrets / --show-secrets-in-drift, the apply value-source flags, and the value-based-matching sharp edge. Signed-off-by: Aleksei Sviridkin <f@lex.la>
- block-style YAML for the templateOptions.valueFiles example - American English spelling (Behavior, honors) - comma after "By default" for readability Signed-off-by: Aleksei Sviridkin <f@lex.la>
edff884 to
9884e5e
Compare
IvanHunters
left a comment
There was a problem hiding this comment.
One blocking fix before merge; everything else is verified correct against talm v0.32.0 source.
Blocking:
- The behavior table lists
talm template -ifor the in-place node-file row, but-iis--insecure(template via the maintenance service). The in-place flag is-I/--in-place. This is worth fixing carefully: suggesting-iin a secret-handling context is misleading — the--show-secretshelp itself notes it "never affects-I, which always omits them". Please change-ito-I.
Everything else checks out against the source: talm init --encrypt/-e, the --values unpersisted-secret warning, the stdout *** redaction vs --show-secrets, --dry-run redaction of both structured drift and the server Config diff: block, --show-secrets-in-drift, and the value-based exact-match redaction caveat.
The secret-handling table referenced `talm template -i` for the in-place node-file case, but `-i` is `--insecure` (render via the maintenance service). In-place rendering into nodes/*.yaml uses `-I` / `--in-place`. Assisted-By: Claude <noreply@anthropic.com> Signed-off-by: Aleksei Sviridkin <f@lex.la>
IvanHunters
left a comment
There was a problem hiding this comment.
LGTM
The blocking -i → -I fix is in place (commit 1ac0301). Every talm flag/behavior
claim verified against talm source, twice:
-I/--in-place,-i/--insecure,-e/--encryptsemantics match
(pkg/commands/template.go:486-488,501,init.go:1592).-Ialways omits secrets regardless of--show-secrets:sealRenderedSecrets
matchescase inplace:first (value_secret.go:51-71), covered by the
inplace omitscontract test.- dry-run redacts the server-side
Config diff:block viaprintApplyResultsRedacted
(preflight_apply_safety_modedetails.go:169), covered by
contract_modedetails_redaction_test.go.
No claim tells the user a command is safe while it actually leaks secrets. markdownlint clean.
What
Adds a
2.4 Encrypted user values and secret redactionsection to thenexttalm install guide.Why
The talm encrypted-user-values feature — encrypted
values-secret.yamldecrypted in memory, honored at bothtalm templateandtalm apply, with secrets kept out of committed node files and CI logs — had no user-facing documentation. The new section covers the full workflow (create → encrypt → reference intemplateOptions.valueFiles→ use in templates) and how secrets are redacted acrosstalm template,talm template -i, andtalm apply --dry-run, including--show-secrets/--show-secrets-in-driftand the value-based-matching sharp edge.Notes
nextonly — the feature ships in talm v0.32.0; not backported to v1.0–v1.4 (older talm).Summary by CodeRabbit