How not to overwrite randomly generated secrets in Helm templates


Question

I want to generate a password in a Helm template; this is easy to do using the randAlphaNum function. However, the password will be changed when the release is upgraded. Is there a way to check if a password was previously generated and then use the existing value? Something like this:

apiVersion: v1
kind: Secret
metadata:
  name: db-details
data:
  {{ if .Secrets.db-details.db-password }}
  db-password:  {{ .Secrets.db-details.db-password | b64enc }}
  {{ else }}
  db-password: {{ randAlphaNum 20 | b64enc }}
  {{ end }}

Recommended answer

It's still one of the biggest issues of Helm. As far as I understand no good solution is available yet (see https://github.com/helm/charts/issues/5167).

One dirty workaround is to create the secret as a pre-install hook. The obvious downside of this approach is that the secret will not be deleted on helm delete.

apiVersion: v1
kind: Secret
metadata:
  name: {{ template "helm-random-secret.fullname" . }}
  annotations:
    "helm.sh/hook": "pre-install"
    "helm.sh/hook-delete-policy": "before-hook-creation"
  labels:
    app: {{ template "helm-random-secret.name" . }}
    chart: {{ template "helm-random-secret.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
data:
  some-password: {{ default (randAlphaNum 10) .Values.somePassword | b64enc | quote }}
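
The check the question asks for, as an added example that is not part of the original question or answer: it assumes Helm 3's `lookup` template function, which neither post mentions, and reuses the `db-details` / `db-password` names from the question. On `helm template` and client-side dry runs `lookup` returns an empty map, so a fresh value is rendered there.

```yaml
{{- /* Added example (assumes Helm 3 `lookup`): keep the stored password on
       upgrade and generate one only when the Secret does not exist yet. */ -}}
{{- $name := "db-details" -}}
{{- /* lookup returns an empty map when the Secret is absent or the cluster is not queried */ -}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $name | default dict -}}
{{- $data := get $existing "data" | default dict -}}
{{- $stored := get $data "db-password" -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $name }}
type: Opaque
data:
  {{- if $stored }}
  # Value read back from the cluster is already base64-encoded: emit it unchanged.
  db-password: {{ $stored | quote }}
  {{- else }}
  # First install, or lookup unavailable: generate and encode a new value.
  db-password: {{ randAlphaNum 20 | b64enc | quote }}
  {{- end }}
```

The release's service account or user needs `get` permission on Secrets in the release namespace for the lookup to succeed; without it the render fails rather than silently rotating the password.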
