如何不覆盖 Helm 模板中随机生成的秘密 [英] How not to overwrite randomly generated secrets in Helm templates

问题描述

我想在 Helm 模板中生成密码，使用 randAlphaNum 函数很容易做到这一点.然而，当版本升级时密码将被更改.有没有办法检查之前是否生成了密码，然后使用现有值?像这样:

I want to generate a password in a Helm template, this is easy to do using the randAlphaNum function. However the password will be changed when the release is upgraded. Is there a way to check if a password was previously generated and then use the existing value? Something like this:

apiVersion: v1
kind: Secret
metadata:
  name: db-details
data:
  {{ if .Secrets.db-details.db-password }}
  db-password:  {{ .Secrets.db-details.db-password | b64enc }}
  {{ else }}
  db-password: {{ randAlphaNum 20 | b64enc }}
  {{ end }}

推荐答案

您可以基于 shaunc 的想法使用 lookup 函数来修复原始海报的代码，如下所示:

You can build on shaunc's idea to use the lookup function to fix the original poster's code like this:

apiVersion: v1
kind: Secret
metadata:
  name: db-details
data:
  {{- if .Release.IsInstall }}
  db-password: {{ randAlphaNum 20 | b64enc }}
  {{ else }}
  # `index` function is necessary because the property name contains a dash.
  # Otherwise (...).data.db_password would have worked too.
  db-password:  {{ index (lookup "v1" "Secret" .Release.Namespace "db-details").data "db-password" }}
  {{ end }}

仅在 Secret 尚不存在时创建它是行不通的，因为 Helm 将删除在升级过程中不再定义的对象.

Only creating the Secret when it doesn't yet exist won't work because Helm will delete objects that are no longer defined during the upgrade.

使用注解来保留对象的缺点是当您使用 helm delete ... 删除发布时它不会被删除.

Using an annotation to keep the object around has the disadvantage that it will not be deleted when you delete the release with helm delete ....

这篇关于如何不覆盖 Helm 模板中随机生成的秘密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！