jx-secret-postrenderer is a helm post renderer for working with helm and Kubernetes External Secrets.
This post renderer lets you use helm charts which contain Secret resources and have those secrets managed by Kubernetes External Secrets without having to modify your charts.
When you use this helm post renderer:
Secretresources are automatically translated toExternalSecretresources on the fly when you usehelm install / helm update / helm template- Kubernetes External Secrets then populates any
Secretresources from the underlying external secret store (e.g. vault or your cloud providers secret store) - any missing secret values in your external secret store are initially populated from any generated secret values from your helm charts - or you can use a Secret schema to generate values from templates or generators
After installing a chart things should generally look and feel the same other than:
- you can modify secrets at any time in your secret store (e.g. vault or your cloud providers secret store) and Kubernetes External Secrets will replicate the state to the kubernetes
Secretresources - you don't need to pre-create the vault or cloud provider secret store values by hand first which is error prone
Once you have installed your chart with this post renderer so that Kubernetes External Secrets manages the secret data you can edit your secret values by:
- modify the secret using the vault / cloud provider secret store CLI
- use the jx secret edit -i command line like this example
If you convert your helm charts into YAML via something like:
helm template --post-renderer "jx-secret-postrenderer" myname mychartThen the results have no secret values in them - so you are free to check in all of that YAML safely into your git repository!
This also avoids accidentally checking secrets into git.
We have found this approach to GitOps to be a massive benefit on the Jenkins X project - as it makes it super easy to reason about how a particular kubernetes resource has changed over time via git history.
We initially tried to use sealed secrets or sops with Jenkins X and found them to be clumsy for UX developers to work with.
So in version 3.x of Jenkins X we switched to using Kubernetes External Secrets to handle population of Secrets from the underlying secret store (vault or your cloud providers secret store).
Once you move to Kubernetes External Secrets things are much simpler; but it means converting lots of helm charts that use Secret to switch them to use ExternalSecret instead.
So we automated the translation of the Secret resources in any helm chart to use ExternalSecret resources and pre-populate any missing external secret store values with values genearted from the charts.
What this post renderer does is bring this capability from Jenkins X to anyone who is not using Jenkins X but is using helm and Kubernetes External Secrets
You need to download the jx-secret-postrenderer binary binary for your platform and add it to your $PATH
You also need to make sure your kubernetes cluster has the kubernetes external secrets helm chart installed.
If you are working with vault you'll need to set the $VAULT_ADDR to point at your vault server. If its inside the cluster you may need to run a port forward.
To use the helm postrenderer you just append --post-renderer jx-secret-postrenderer to any helm install / helm upgrade / helm template command.
e.g. to install the RabbitMQ helm chart, setting up the necessary secrets in your secret store, creating the ExternalSecret resource which will then populate the Secret run the following:
helm install --post-renderer jx-secret-postrenderer rmq bitnami/rabbitmqThis will then convert the Secret resource inside the chart into an ExternalSecret resource and pre-populate your particular external secret store (which defaults to vault).
You should be able to see the external secret via
kubectl get externalsecrets If you use helmfile then you can pass in the necessary command line arguments to helm via something like:
helmfile sync --args "--post-renderer jx-secret-postrenderer"The following environment variables can be used to configure the helm post renderer
| Variable | Description |
|---|---|
| JX_DIR | the directory look in for the .jx/secret/mapping/secret-mappings.yaml file which is used to configure the secret mapping such as which kind of back end to use |
| JX_NO_POPULATE | set to true if you want to disable the pre-create and pre-population of the external store values and just translate the Secret resources to ExternalSecret |
As you can see above you can point the $JX_DIR at a folder which contains a file .jx/secret/mapping/secret-mappings.yaml that defines the Secret Mapping configuration
These files are automatically included in any Jenkins X environment. Here's a few examples:
| Example | Description |
|---|---|
| alicloud | for using alicloud secrets manager |
| gsm | for using Google Secrets Manager |
| vault | for using Hashicorp Vault |
| local | for local secrets (i.e. no secret store) |