jenkins-x / jx

Jenkins X provides automated CI+CD for Kubernetes with Preview Environments on Pull Requests using Cloud Native pipelines from Tekton

Home Page: https://jenkins-x.io/


simplify values + secret templating

jstrachan opened this issue · comments

we need to make it easier to populate the Secrets from a smaller set of actual values stored in vault (or locally on the file system if need be).

see an early iteration here: #4323

but after various discussions we're thinking of a simpler approach.

  • when using jx step helm apply allow values.yaml files to use go/helm templates like templates/foo.yaml does inside helm charts so that we can generate value/secret strings which can use templating to compose things from smaller secret values. e.g. creating a maven settings.xml file or docker config.json which includes many user/passwords for different registries
  • we can then check in the values.yaml file which does all of this composition and reference the actual secret values via URLs (or template functions) to access vault or local vault files

Parameters

  • have a way to define common parameters used to inject into multiple charts values.yaml files. e.g. we use the pipelineUser.username and pipelineUser.token in many apps (prow, tekton, secret templates for jenkins x platform et al)
  • have a way to define the JSON schema of the parameters (like we do with values.yaml editing in Apps) and map the parameters to a URL for vault / local storage

Use go templating in values.yaml

So that we can easily reuse value or secret parameters (from vault / local files) in any values.yaml value expression, we enable go templating in values.yaml files. This lets us refer to a named parameter anywhere in any value in any values.yaml file in any chart.

e.g. we can inject the login/pwd of a particular registry inside the maven settings.xml file in a values.yaml value - ditto for each user/pwd for each docker registry in the docker config.json secret.

To do this we use {{ .Parameter.pipelineUser.token }} syntax somewhere in the values.yaml file.

In addition, we can use {{ secret "vault:/foo/bar" }} syntax to inject URLs from physical locations or disk etc.

btw here's a test case showing