The goal here is to validate if Helm can be used to retrieve values from a Golden ConfigMap that is in a defined Namespace. Helm will read the data from the Golden ConfigMap and make a copy of the config map for the application namespace.
The Helm lookup function can be used to parse the ConfigMap data fields. The an example of the syntax is below, here Helm will do a lookup of Version 1 of a ConfigMap in the default namespace, where the name of the ConfigMap is specified by Values.conjurname and Helm will get the conjur_foo item of the ConfigMap
name: {{ (lookup "v1" "ConfigMap" "default" (print .Values.conjurname) ).data.conjur_foo }}
Note: The print function can be used to pass a parameter into the lookup function. The 'Value' can be used passed as a Helm argument or in the Value.yaml file
- The configmap data needs to be in a flat key value pair as in golden-config-example.yaml.
- The Helm lookup function will not parse a multiline yaml value, the value can be base64 encoded.
- Helm install --dry-run and Helm template do not work with lookup as Helm needs to reach out to the cluster.
- Helm will install manifests in order based on the type of manifest. ConfigMaps will be installed before RoleBindings.
- The ConfigMap values cannot have a
.
or-
. They can use a_
Validated the Helm upgrade works.
- Did Helm install.
- Removed the golden config.
- Changed the golden config and re-installed.
- Did a Helm upgrade.
- The new changes are in the Helm created config map.
The Helm lookup function will not parse a multiline yaml value like this
sslCertificate: |
-----BEGIN CERTIFICATE-----
MIIDhDCCAmygAwIBAgIRAJwBd+VnZ7C9RqNHFEHtqAcwDQYJKoZIhvcNAQELBQAw
GDEWMBQGA1UEAxMNY29uanVyLW9zcy1jYTAeFw0yMTAyMjIxMTQ0MTBaFw0yMjAy
MjIxMTQ0MTBaMBsxGTAXBgNVBAMTEGNvbmp1ci5teW9yZy5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/7Ss8SBD88HpaQmWZRHXrIBeXMqSWeSSf
4MwWqad+/Aog473CAVaWJrbVIe/x3l2JUD5QgS3X4syhMPuDCIUaBsiNICpPkVAj
bIJWfuXCqn3ScDStsnkDdRKK3X1HGrojfxcHhxFUqUhKHdJ3oreQvFgrIkbBfbbR
2O9Gd5SUUam6feBcwHvVYx9fHq55C6DneyHLxs5HX+3A2Qcm0wHhJxcyHZl4zKR+
WDd+bZjIBToMlJUKvZXl0Thu1+1MSuLqMTsq9+4HzaMsfsghAOCu1dJdJekqxUUn
uNRkRP82yuS9Ajb+vo3u4ElCPjakF+57bhofNENxkLTuKBXSVAfVAgMBAAGjgcUw
gcIwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
AjAMBgNVHRMBAf8EAjAAMIGCBgNVHREEezB5ghBjb25qdXIubXlvcmcuY29tggpj
b25qdXItb3NzghVjb25qdXItb3NzLmNvbmp1ci1vc3OCGWNvbmp1ci1vc3MuY29u
anVyLW9zcy5zdmOCJ2Nvbmp1ci1vc3MuY29uanVyLW9zcy5zdmMuY2x1c3Rlci5s
b2NhbDANBgkqhkiG9w0BAQsFAAOCAQEAEZZYw4SeDEZaiy+Nma5NlZwQWtWKRRth
yF7LJamYwYripGFUCV/8rMlfpTEUiOphkOVK4SpUpXWIsXSEFtYp0MNP8oImO0+z
MTmgcCf5F7zFhuCMkJImbsyCQsUd26upTebcrK7R7bV++yMofS2fYC+G8HBKsDpf
3+BOSmQLSc8bJngdkDBXLPflZSJ3m/zKVljxW/5HBmexrYLA1dVNmNSDL867GN1q
s1ENIh1UT7kIEPr+YebkR9BaxQbyG9DXnktpp5we+9a1HEPWJ6dXCyvf43DXKdWU
4fRDZYLUuodUxPdyfltuKCPP6xaUSac+TG1fnr13kVGy1SuTGkJI+w==
-----END CERTIFICATE-----
To get around this error one idea is to base64 encode the certificate so the cert is one long line. In this was case the cert will look like this in the golden config
conjur_sslCertificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCiAgICAgIE1JSURoRENDQW15Z0F3SUJBZ0lSQUp3QmQrVm5aN0M5UnFOSEZFSHRxQWN3RFFZSktvWklodmNOQVFFTEJRQXcKICAgICAgR0RFV01CUUdBMVVFQXhNTlkyOXVhblZ5TFc5emN5MWpZVEFlRncweU1UQXlNakl4TVRRME1UQmFGdzB5TWpBeQogICAgICBNakl4TVRRME1UQmFNQnN4R1RBWEJnTlZCQU1URUdOdmJtcDFjaTV0ZVc5eVp5NWpiMjB3Z2dFaU1BMEdDU3FHCiAgICAgIFNJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUMvN1NzOFNCRDg4SHBhUW1XWlJIWHJJQmVYTXFTV2VTU2YKICAgICAgNE13V3FhZCsvQW9nNDczQ0FWYVdKcmJWSWUveDNsMkpVRDVRZ1MzWDRzeWhNUHVEQ0lVYUJzaU5JQ3BQa1ZBagogICAgICBiSUpXZnVYQ3FuM1NjRFN0c25rRGRSS0szWDFIR3JvamZ4Y0hoeEZVcVVoS0hkSjNvcmVRdkZncklrYkJmYmJSCiAgICAgIDJPOUdkNVNVVWFtNmZlQmN3SHZWWXg5ZkhxNTVDNkRuZXlITHhzNUhYKzNBMlFjbTB3SGhKeGN5SFpsNHpLUisKICAgICAgV0RkK2JaaklCVG9NbEpVS3ZaWGwwVGh1MSsxTVN1THFNVHNxOSs0SHphTXNmc2doQU9DdTFkSmRKZWtxeFVVbgogICAgICB1TlJrUlA4Mnl1UzlBamIrdm8zdTRFbENQamFrRis1N2Job2ZORU54a0xUdUtCWFNWQWZWQWdNQkFBR2pnY1V3CiAgICAgIGdjSXdEZ1lEVlIwUEFRSC9CQVFEQWdXZ01CMEdBMVVkSlFRV01CUUdDQ3NHQVFVRkJ3TUJCZ2dyQmdFRkJRY0QKICAgICAgQWpBTUJnTlZIUk1CQWY4RUFqQUFNSUdDQmdOVkhSRUVlekI1Z2hCamIyNXFkWEl1YlhsdmNtY3VZMjl0Z2dwagogICAgICBiMjVxZFhJdGIzTnpnaFZqYjI1cWRYSXRiM056TG1OdmJtcDFjaTF2YzNPQ0dXTnZibXAxY2kxdmMzTXVZMjl1CiAgICAgIGFuVnlMVzl6Y3k1emRtT0NKMk52Ym1wMWNpMXZjM011WTI5dWFuVnlMVzl6Y3k1emRtTXVZMngxYzNSbGNpNXMKICAgICAgYjJOaGJEQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFFWlpZdzRTZURFWmFpeStObWE1Tmxad1FXdFdLUlJ0aAogICAgICB5RjdMSmFtWXdZcmlwR0ZVQ1YvOHJNbGZwVEVVaU9waGtPVks0U3BVcFhXSXNYU0VGdFlwME1OUDhvSW1PMCt6CiAgICAgIE1UbWdjQ2Y1Rjd6Rmh1Q01rSkltYnN5Q1FzVWQyNnVwVGViY3JLN1I3YlYrK3lNb2ZTMmZZQytHOEhCS3NEcGYKICAgICAgMytCT1NtUUxTYzhiSm5nZGtEQlhMUGZsWlNKM20vektWbGp4Vy81SEJtZXhyWUxBMWRWTm1OU0RMODY3R04xcQogICAgICBzMUVOSWgxVVQ3a0lFUHIrWWVia1I5QmF4UWJ5RzlEWG5rdHBwNXdlKzlhMUhFUFdKNmRYQ3l2ZjQzRFhLZFdVCiAgICAgIDRmUkRaWUxVdW9kVXhQZHlmbHR1S0NQUDZ4YVVTYWMrVEcxZm5yMTNrVkd5MVN1VEdrSkkrdz09CiAgICAgIC0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
Tested a ConfigMap with an SSLCertificate that was four times bigger that in the below examples. There was no error and it was decoded by Helm.