New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow environment variables substitition in values.yaml #10026
Comments
Supporting environment variables has been discussed at length and there have usually been issues in how we would do it. A proposal to add them would need a Helm Improvement Proposal. I'll give you an example of an issue. A common case is for one person or organization to create a chart while someone else consumes it. Helm is a package manager like apt, zypper, yum, etc. It's common for someone to create a chart (package) like the PostgreSQL chart by Bitnami and for many others to install it. Those many other may not know how to install or operate PostgreSQL but they can easily use it. Many people also store sensitive information in environment variables. Sometimes it's a key, like a GitHub token, or something else sensitive. How does the security model work to help shield the Helm user (chart consumer) from a malicious chart author who wants to exfiltrate sensitive information? Note, these types of situations do come up in our regular security audits. |
I believe the implementation should consist of replacing only environment variable names that match the placeholder names. The placeholder should have a special format like suggested above easily distinguishable and different from normal .yaml keys/values. Also to cater for the security of chart consumers, this feature could be made optional (disabled by default and can be enabled by educated users who knows what could go wrong). Chart authors can also be mandated and (code enforced/lint to ensure) all environment variable placeholders are clearly documented and visible to chart consumers. |
Consider, for a moment, those who use This is one of the powerful things about package managers. They enable someone with expert knowledge to package up that knowledge so others can consume it with little to no knowledge on their part. Problems can arise when package authors start to assume that end users know nearly as much as they do. Package authors have a very different level of knowledge from package consumers. Yet, do many package authors realize that? We want to enable some advanced features but we want to do it in a way that chart authors don't make the experience more complex or less secure for more chart consumers. This is why I suggest a Helm Improvement Proposal (HIP). It would be a way to look at the varying angles, consider the roles involved, look at the security, and propose something to work with all of that.
This assumes that chart consumers read the docs. Do people read the docs before the reach a bump in the road? I'm not sure they do. Security by expecting people to read the docs may be a bad assumption. |
As I have not found any easy way to use environment variables in the
The main point is |
This issue has been marked as stale because it has been open for 90 days with no activity. This thread will be automatically closed in 30 days if no further activity occurs. |
Any updates? |
We already have chart provenance for those that are wanting to enforce security, and the charts are readable by anyone. I think the security issue is a bit moot in my opinion, not that security is a moot issue, just out of scope for a package manager. No package manager I know of, goes beyond provenance to ensure a collected and installed package is not reading environment variables and sending them off, nor do you have the same level of visibility into said installed packages from something like Bash/Shell already have a way to handle defaults for an envvar when not defined, for which that syntax standard could also be followed. You could also take a system that was running an application with settings define via envvar, deploy using helm from that system, and it would essentially be able to then mimic that systems config when deploying the chart to the cluster, say during a migration to k8s. Using postgres as an example, going from a docker-compose system setup where you would define Having been deploying things via chart for a while now, its getting a bit old having to |
I'm just the same thing what @git001 is doing in #10026 (comment) and bypassing all security blah blah to get stuff done. so just make a decision to: both outcomes are fine. |
workaround: multiple value files substituted and merged together:
|
While Ergo, there is no support within the values.yaml for something like |
I fully agree to the previous comments. helm should have the option to use environment variables maybe with a flag |
To ensure integration in our DevOps Processes this improvement is essential! |
This feature might be useful when we use ArgoCD. |
+1 on this improvement. |
@HyungJune Maybe have a look at https://baloise.github.io/gitopscli/ |
Guys, kindly let me know if there is any workaround for this proposal. Even, I am in the situation where I need to substitute USERNAME and PASSWORD to configure SASL authentication mechanism for kafka-connect helm chart. Both USERNAME and password will be the part of key-vault secret which the SASL_JAAS_CONF is part of env at the end the value will look like below:
Currently the value is getting passed as is to the env variable and I am unable to replace its actual content in the helm way. Any help will be appreciable. |
See the script CFPB built. https://github.com/cfpb/consumerfinance.gov/blob/main/helm-install.sh#L99 |
yes, envsubst or sed |
I have created a simple helm plugin which imports environment variables and passes them to helm as https://github.com/bery/helm-set
Result
|
We were facing the same problem, the missing possibility to add variables to values. |
This issue has been marked as stale because it has been open for 90 days with no activity. This thread will be automatically closed in 30 days if no further activity occurs. |
This should be possible with vals in combination with the envsubst backend. The reference in a values file would look very nice: mysqlPassword: ref+envsubst://$MYSQL_PASSWORD But the way to get helm to use vals is so convoluted, that other examples already provided for using envsubsts command or sed directly seems more elegant: helm template mysql-1.3.2.tgz --set mysqlPassword='ref+envsubst://$MYSQL_PASSWORD' | vals ksdecode -o yaml -f - | tee manifests.yaml
cat manifests.yaml | ~/p/values/bin/vals eval -f - | tee all.yaml
kubectl apply -f all.yaml There is a plugin that should make it easier to incorporate: I haven't used it because I'm trying to solve this on helmfile, which should work out-of-the-box with vals, but it isn't doing so for me with environment variables... but I leave those links in case they are useful to somebody using directly helm. |
Nothing yet then? |
This should be allowed. It's silly it isn't already unless there is a good reason not to. Often, more complex deploys have config variables in values.yaml that may need to have dynamic or sensitive information in them and while you can use envtpl (if no existing {{}} in values.yaml) or envsubst but it is a pain to do so and would prefer this option is built into helm cli. I would think it would take a limited coding effort to add this in and if you ask around it would save a lot time then individual users editing template files for their own custom charts. |
I'd argue the legitimacy of this attack vector. The simple answer is: it doesn't. It's not entirely Helm's business to make sure users don't use it with malicious charts. Same as Maven [and its plugins], Gradle [and its plugins], kubectl apply, etc. It is up to the user to ensure he knows what he's doing and that the repository/chart he's using can be trusted. The only really valid problem I can think of is scoping: all the charts are run in the same environment and multiple charts can be referring to the same env variable for different purposes. In this case, even a defaulting mechanism (like shell's |
The way I use env variable in these situations is that I define them just for the execution I'm doing. So if I want to define a port with an env variable, I would do: |
I just stumbled across this issue when seeing some custom So here are my 2 cents on this topic. It could be done similarly to what Spring Boot does. Spring boot allows to set any configuration variable via environment variables. You just have to have to stick to some naming conventions for the environment variables. This way helm chart authors do not need to guess what users may want to override via environment variables and what not. They do not need to know about that feature at all. To address the already mentioned security concerns this feature could be off by default and you could activate it with the already mentioned An example on how this would work. Given the following
You could override this e.g. when doing
without the need to explicitly state in the |
Same idea as We've used that at work with success. Hope that helps ! |
This issue has been marked as stale because it has been open for 90 days with no activity. This thread will be automatically closed in 30 days if no further activity occurs. |
This feature would be seriously helpful. |
This is an alternative solution that supports default values。 https://github.com/a8m/envsubst |
Yep and is a suggested solution in #10026 (comment) 😀 |
This issue has been marked as stale because it has been open for 90 days with no activity. This thread will be automatically closed in 30 days if no further activity occurs. |
Still an issue, please unstale. |
it's not a perfect solution though as it breaks down with stuff that needs quoting because it has special meaning in YAML, multiline and whatnot. |
Hi, I would like to propose allowing environment variable substitution in values.yaml file. Something like
This would be much similar to what is achievable with docker-compose.yml
This is especially useful in CI/CD environments as values can be exported as environment variables and the value.yaml file is aware of such values and adequately substituted like in docker-compose.
Running Helm in a CI/CD usually involves constructing a separate values.yaml which will be passed as an argument to 'helm upgrade' command or directly setting each and every value in the command line as arguments
it is somehow daunting keeping multiple values.yaml file for different environments, and deployment targets and having to update each one for every change to a value.yaml
With this feature implemented, only one values.yaml may be maintained for all environments and deployment targets. The respective values are substituted as needed in the values.yaml (since in most cases, most of the values are already exposed and available as CI variable or environment variable in the CI environment). This will alleviate the pain of replicating/constructing/maintaining multiple values.yaml.
I'd be open to contributing a PR to this
The text was updated successfully, but these errors were encountered: