How not to overwrite randomly generated secrets in Helm templates
Question
I want to generate a password in a Helm template; this is easy to do using the randAlphaNum function. However, the password will be changed when the release is upgraded. Is there a way to check if a password was previously generated and then use the existing value? Something like this:
apiVersion: v1
kind: Secret
metadata:
  name: db-details
data:
  {{ if .Secrets.db-details.db-password }}
  db-password: {{ .Secrets.db-details.db-password | b64enc }}
  {{ else }}
  db-password: {{ randAlphaNum 20 | b64enc }}
  {{ end }}
Recommended answer
It's still one of the biggest issues of Helm. As far as I understand, no good solution is available yet (see https://github.com/helm/charts/issues/5167).
One dirty workaround is to create the secret as a pre-install hook. The obvious downside of this approach is that the secret will not be deleted on helm delete.
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "helm-random-secret.fullname" . }}
  annotations:
    # Run as a pre-install hook: created on install only, not on upgrade
    "helm.sh/hook": "pre-install"
    "helm.sh/hook-delete-policy": "before-hook-creation"
  labels:
    app: {{ template "helm-random-secret.name" . }}
    chart: {{ template "helm-random-secret.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
data:
  # Use .Values.somePassword when it is set, otherwise a random 10-character value
  some-password: {{ default (randAlphaNum 10) .Values.somePassword | b64enc | quote }}
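An added example, not part of the original question or answer: on Helm 3 releases that provide the `lookup` template function, a chart can read the Secret already stored in the cluster and reuse its value, which is the check the question asks for. The variables `$name`, `$existing` and `$password` are names chosen for this example; the Secret name and key are taken from the question.

```yaml
{{- /* Added example: generate the password once, then reuse the stored value on upgrade. */ -}}
{{- $name := "db-details" -}}
{{- /* lookup returns an empty map when the Secret does not exist yet. */ -}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $name -}}
{{- $password := "" -}}
{{- if $existing -}}
  {{- /* Values under .data are already base64-encoded, so they are copied as-is. */ -}}
  {{- $password = get ($existing.data | default (dict)) "db-password" -}}
{{- end -}}
{{- if not $password -}}
  {{- /* First install, or the key is missing: generate a new value. */ -}}
  {{- $password = randAlphaNum 20 | b64enc -}}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $name }}
type: Opaque
data:
  db-password: {{ $password | quote }}
```

`lookup` returns an empty result when the chart is rendered without cluster access (`helm template` or `--dry-run`), so those renders always show a freshly generated value. The identity running Helm also needs permission to read Secrets in the release namespace.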