Getting "map has no entry for key" for some secrets files when using kms encryption #2179

Open
Sahand1993 opened this issue Aug 14, 2023 · 1 comment

Sahand1993 commented Aug 14, 2023

I have a project with the following hierarchy:

home/
    realm/
        namespaces/
            _defaults.yaml
            myNs/
                services/
                    my-release.yaml    
        values/
            env/
                myEnv/
                    secrets.yaml
                    values.yaml


I'll also list all the file contents:

my-release.yaml:

bases:
  - ../../_defaults.yaml

values:
  - app: kafka

---
templates:

  kafka: &kafka
    chart: bitnami/kafka
    installed: true

releases:
  - name: kafka
    <<: *kafka

_defaults.yaml:

# Default values to set for args along with dedicated keys that can be set by contributors, cli args take precedence over these.
# In other words, unset values results in no flags passed to helm.
# See the helm usage (helm SUBCOMMAND -h) for more info on default values when those flags aren't provided.
helmDefaults:
  args:
    - "--no-hooks"
    - "-amonitoring.coreos.com/v1"

values:
  - aDependentValue: "{{.Values.myValue}}"

environments:
  myEnv:
    values:
      - ../../../values/env/myEnv/values.yaml
    secrets:
      - ../../../values/env/myEnv/secrets.yaml

secrets.yaml:

secrets.yaml DECRYPTED:

masked1:
    masked2: xxxxxxxxxx
    masked3: xxxxxxxxxx
masked4:
    masked5: xxxxxxxxxx
    masked6: xxxxxxxxxx
    masked7: xxxxxxxxxx
    masked8: xxxxxxxxxx
masked9:
    masked10: xxxxxxxxxx
    masked11:
        masked12: xxxxxxxxxx
        masked13: xxxxxxxxxx
        masked14: xxxxxxxxxx
        masked15: xxxxxxxxxx
        masked16: xxxxxxxxxx
        masked17: xxxxxxxxxx
        masked18: xxxxxxxxxx
        masked19: xxxxxxxxxx
        masked21: xxxxxxxxxx
        masked22: xxxxxxxxxx
        masked23: xxxxxxxxxx
        masked24: xxxxxxxxxx
        masked25: xxxxxxxxxx
        masked26: xxxxxxxxxx
        masked27: xxxxxxxxxx
masked28: xxxxxxxxxx
masked29: xxxxxxxxxx
masked30: xxxxxxxxxx
masked31: xxxxxxxxxx
masked32: xxxxxxxxxx
masked33: xxxxxxxxxx
masked34: xxxxxxxxxx
masked35: xxxxxxxxxx
masked36: xxxxxxxxxx
masked37: xxxxxxxxxx
masked38: xxxxxxxxxx
masked39: xxxxxxxxxx
masked40:
    masked41: xxxxxxxxxx
    masked42: xxxxxxxxxx
    masked43: xxxxxxxxxx
    masked44:
        masked45: xxxxxxxxxx
masked46:
    masked47: xxxxxxxxxx
    masked48: xxxxxxxxxx
    masked49: xxxxxxxxxx
    masked50: xxxxxxxxxx
    masked51: xxxxxxxxxx
    masked52: xxxxxxxxxx
masked53:
    masked54: xxxxxxxxxx
    masked55: xxxxxxxxxx
    masked56: xxxxxxxxxx
    masked57: xxxxxxxxxx
    masked58: xxxxxxxxxx
masked59:
    masked60:
        masked61: xxxxxxxxxx
masked62:
    masked63: xxxxxxxxxx
    masked64: xxxxxxxxxx
masked65:
    masked66: xxxxxxxxxx
    masked67: xxxxxxxxxx
masked68: xxxxxxxxxx
masked69: xxxxxxxxxx
masked70:
    masked71:
        masked72: xxxxxxxxxx
        masked73: xxxxxxxxxx
        masked74: xxxxxxxxxx
masked75:
    masked76:
        masked77:
            masked78: xxxxxxxxxx
            masked79: xxxxxxxxxx
masked80:
    masked81: xxxxxxxxxx
masked82:
    masked83: xxxxxxxxxx
    masked84: xxxxxxxxxx
masked85:
    masked86:
        masked87: xxxxxxxxxx
    masked88:
        masked89: ~masked:ab#7i7!;{'".

values.yaml:

myValue: "valueOfMyValue"

When running helmfile --environment myEnv --file my-release.yaml template, I get the following output:

Decrypting secret /home/sahand/cust/helmfile-nest-example/realm/values/env/myEnv/secrets.yaml
in ./my-release.yaml: error during ../../_defaults.yaml.part.0 parsing: template: stringTemplate:10:31: executing "stringTemplate" at <.Values.myValue>: map has no entry for key "myValue"

If I remove the last line of the decrypted secrets file and encrypt again, the error disappears and everything templates properly.

secrets.yaml with the last line removed:

masked1:
    masked2: xxxxxxxxxx
    masked3: xxxxxxxxxx
masked4:
    masked5: xxxxxxxxxx
    masked6: xxxxxxxxxx
    masked7: xxxxxxxxxx
    masked8: xxxxxxxxxx
masked9:
    masked10: xxxxxxxxxx
    masked11:
        masked12: xxxxxxxxxx
        masked13: xxxxxxxxxx
        masked14: xxxxxxxxxx
        masked15: xxxxxxxxxx
        masked16: xxxxxxxxxx
        masked17: xxxxxxxxxx
        masked18: xxxxxxxxxx
        masked19: xxxxxxxxxx
        masked21: xxxxxxxxxx
        masked22: xxxxxxxxxx
        masked23: xxxxxxxxxx
        masked24: xxxxxxxxxx
        masked25: xxxxxxxxxx
        masked26: xxxxxxxxxx
        masked27: xxxxxxxxxx
masked28: xxxxxxxxxx
masked29: xxxxxxxxxx
masked30: xxxxxxxxxx
masked31: xxxxxxxxxx
masked32: xxxxxxxxxx
masked33: xxxxxxxxxx
masked34: xxxxxxxxxx
masked35: xxxxxxxxxx
masked36: xxxxxxxxxx
masked37: xxxxxxxxxx
masked38: xxxxxxxxxx
masked39: xxxxxxxxxx
masked40:
    masked41: xxxxxxxxxx
    masked42: xxxxxxxxxx
    masked43: xxxxxxxxxx
    masked44:
        masked45: xxxxxxxxxx
masked46:
    masked47: xxxxxxxxxx
    masked48: xxxxxxxxxx
    masked49: xxxxxxxxxx
    masked50: xxxxxxxxxx
    masked51: xxxxxxxxxx
    masked52: xxxxxxxxxx
masked53:
    masked54: xxxxxxxxxx
    masked55: xxxxxxxxxx
    masked56: xxxxxxxxxx
    masked57: xxxxxxxxxx
    masked58: xxxxxxxxxx
masked59:
    masked60:
        masked61: xxxxxxxxxx
masked62:
    masked63: xxxxxxxxxx
    masked64: xxxxxxxxxx
masked65:
    masked66: xxxxxxxxxx
    masked67: xxxxxxxxxx
masked68: xxxxxxxxxx
masked69: xxxxxxxxxx
masked70:
    masked71:
        masked72: xxxxxxxxxx
        masked73: xxxxxxxxxx
        masked74: xxxxxxxxxx
masked75:
    masked76:
        masked77:
            masked78: xxxxxxxxxx
            masked79: xxxxxxxxxx
masked80:
    masked81: xxxxxxxxxx
masked82:
    masked83: xxxxxxxxxx
    masked84: xxxxxxxxxx
masked85:
    masked86:
        masked87: xxxxxxxxxx
    masked88:

Output of the command helmfile --environment myEnv --file my-release.yaml template:

Decrypting secret /home/sahand/cust/helmfile-nest-example/realm/values/env/myEnv/secrets.yaml
Templating release=kafka, chart=bitnami/kafka
---
# Source: kafka/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kafka
  namespace: "itoring.coreos.com/v1"
  labels:
    app.kubernetes.io/name: kafka
    helm.sh/chart: kafka-23.0.7
    app.kubernetes.io/instance: kafka
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: kafka
  annotations:
automountServiceAccountToken: true
---
# Source: kafka/templates/scripts-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: kafka-scripts
  namespace: "itoring.coreos.com/v1"
  labels:
    app.kubernetes.io/name: kafka
    helm.sh/chart: kafka-23.0.7
    app.kubernetes.io/instance: kafka
    app.kubernetes.io/managed-by: Helm
data:
  setup.sh: |-
    #!/bin/bash

    ID="${MY_POD_NAME#"kafka-"}"
    # If process.roles is not set at all, it is assumed to be in ZooKeeper mode.
    # https://kafka.apache.org/documentation/#kraft_role

    if [[ -f "/bitnami/kafka/data/meta.properties" ]]; then
        if [[ $KAFKA_CFG_PROCESS_ROLES == "" ]]; then
            export KAFKA_CFG_BROKER_ID="$(grep "broker.id" "/bitnami/kafka/data/meta.properties" | awk -F '=' '{print $2}')"
        else
            export KAFKA_CFG_NODE_ID="$(grep "node.id" "/bitnami/kafka/data/meta.properties" | awk -F '=' '{print $2}')"
        fi
    else
        if [[ $KAFKA_CFG_PROCESS_ROLES == "" ]]; then
            export KAFKA_CFG_BROKER_ID="$((ID + 0))"
        else
            export KAFKA_CFG_NODE_ID="$((ID + 0))"
        fi
    fi

    if [[ $KAFKA_CFG_PROCESS_ROLES == *"controller"* && -z $KAFKA_CFG_CONTROLLER_QUORUM_VOTERS ]]; then
        node_id=0
        pod_id=0
        while :
        do
            VOTERS="${VOTERS}$node_id@kafka-$pod_id.kafka-headless.itoring.coreos.com/v1.svc.cluster.local:9093"
            node_id=$(( $node_id + 1 ))
            pod_id=$(( $pod_id + 1 ))
            if [[ $pod_id -ge 1 ]]; then
                break
            else
                VOTERS="$VOTERS,"
            fi
        done
        export KAFKA_CFG_CONTROLLER_QUORUM_VOTERS=$VOTERS
    fi

    # Configure zookeeper client

    exec /entrypoint.sh /run.sh
---
# Source: kafka/templates/svc-headless.yaml
apiVersion: v1
kind: Service
metadata:
  name: kafka-headless
  namespace: "itoring.coreos.com/v1"
  labels:
    app.kubernetes.io/name: kafka
    helm.sh/chart: kafka-23.0.7
    app.kubernetes.io/instance: kafka
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: kafka
spec:
  type: ClusterIP
  clusterIP: None
  publishNotReadyAddresses: false
  ports:
    - name: tcp-client
      port: 9092
      protocol: TCP
      targetPort: kafka-client
    - name: tcp-internal
      port: 9094
      protocol: TCP
      targetPort: kafka-internal
    - name: tcp-controller
      protocol: TCP
      port: 9093
      targetPort: kafka-ctlr
  selector:
    app.kubernetes.io/name: kafka
    app.kubernetes.io/instance: kafka
    app.kubernetes.io/component: kafka
---
# Source: kafka/templates/svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: kafka
  namespace: "itoring.coreos.com/v1"
  labels:
    app.kubernetes.io/name: kafka
    helm.sh/chart: kafka-23.0.7
    app.kubernetes.io/instance: kafka
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: kafka
spec:
  type: ClusterIP
  sessionAffinity: None
  ports:
    - name: tcp-client
      port: 9092
      protocol: TCP
      targetPort: kafka-client
      nodePort: null
  selector:
    app.kubernetes.io/name: kafka
    app.kubernetes.io/instance: kafka
    app.kubernetes.io/component: kafka
---
# Source: kafka/templates/statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: kafka
  namespace: "itoring.coreos.com/v1"
  labels:
    app.kubernetes.io/name: kafka
    helm.sh/chart: kafka-23.0.7
    app.kubernetes.io/instance: kafka
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: kafka
spec:
  podManagementPolicy: Parallel
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: kafka
      app.kubernetes.io/instance: kafka
      app.kubernetes.io/component: kafka
  serviceName: kafka-headless
  updateStrategy:
    rollingUpdate: {}
    type: RollingUpdate
  template:
    metadata:
      labels:
        app.kubernetes.io/name: kafka
        helm.sh/chart: kafka-23.0.7
        app.kubernetes.io/instance: kafka
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: kafka
      annotations:
    spec:
      
      hostNetwork: false
      hostIPC: false
      affinity:
        podAffinity:
          
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/name: kafka
                    app.kubernetes.io/instance: kafka
                    app.kubernetes.io/component: kafka
                topologyKey: kubernetes.io/hostname
              weight: 1
        nodeAffinity:
          
      securityContext:
        fsGroup: 1001
      serviceAccountName: kafka
      containers:
        - name: kafka
          image: docker.io/bitnami/kafka:3.5.1-debian-11-r1
          imagePullPolicy: "IfNotPresent"
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            runAsUser: 1001
          command:
            - /scripts/setup.sh
          env:
            - name: BITNAMI_DEBUG
              value: "false"
            - name: MY_POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: MY_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: KAFKA_CFG_ZOOKEEPER_CONNECT
              value: 
            - name: KAFKA_INTER_BROKER_LISTENER_NAME
              value: "INTERNAL"
            - name: KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP
              value: "INTERNAL:PLAINTEXT,CLIENT:PLAINTEXT,CONTROLLER:PLAINTEXT"
            - name: KAFKA_CFG_LISTENERS
              value: "INTERNAL://:9094,CLIENT://:9092,CONTROLLER://:9093"
            - name: KAFKA_CFG_ADVERTISED_LISTENERS
              value: "INTERNAL://$(MY_POD_NAME).kafka-headless.itoring.coreos.com/v1.svc.cluster.local:9094,CLIENT://$(MY_POD_NAME).kafka-headless.itoring.coreos.com/v1.svc.cluster.local:9092"
            - name: ALLOW_PLAINTEXT_LISTENER
              value: "yes"
            - name: KAFKA_ZOOKEEPER_PROTOCOL
              value: PLAINTEXT
            - name: KAFKA_VOLUME_DIR
              value: "/bitnami/kafka"
            - name: KAFKA_LOG_DIR
              value: "/opt/bitnami/kafka/logs"
            - name: KAFKA_CFG_DELETE_TOPIC_ENABLE
              value: "false"
            - name: KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE
              value: "true"
            - name: KAFKA_HEAP_OPTS
              value: "-Xmx1024m -Xms1024m"
            - name: KAFKA_CFG_LOG_FLUSH_INTERVAL_MESSAGES
              value: "10000"
            - name: KAFKA_CFG_LOG_FLUSH_INTERVAL_MS
              value: "1000"
            - name: KAFKA_CFG_LOG_RETENTION_BYTES
              value: "1073741824"
            - name: KAFKA_CFG_LOG_RETENTION_CHECK_INTERVAL_MS
              value: "300000"
            - name: KAFKA_CFG_LOG_RETENTION_HOURS
              value: "168"
            - name: KAFKA_CFG_MESSAGE_MAX_BYTES
              value: "1000012"
            - name: KAFKA_CFG_LOG_SEGMENT_BYTES
              value: "1073741824"
            - name: KAFKA_CFG_LOG_DIRS
              value: "/bitnami/kafka/data"
            - name: KAFKA_CFG_DEFAULT_REPLICATION_FACTOR
              value: "1"
            - name: KAFKA_CFG_OFFSETS_TOPIC_REPLICATION_FACTOR
              value: "1"
            - name: KAFKA_CFG_TRANSACTION_STATE_LOG_REPLICATION_FACTOR
              value: "1"
            - name: KAFKA_CFG_TRANSACTION_STATE_LOG_MIN_ISR
              value: "1"
            - name: KAFKA_CFG_NUM_IO_THREADS
              value: "8"
            - name: KAFKA_CFG_NUM_NETWORK_THREADS
              value: "3"
            - name: KAFKA_CFG_NUM_PARTITIONS
              value: "1"
            - name: KAFKA_CFG_NUM_RECOVERY_THREADS_PER_DATA_DIR
              value: "1"
            - name: KAFKA_CFG_SOCKET_RECEIVE_BUFFER_BYTES
              value: "102400"
            - name: KAFKA_CFG_SOCKET_REQUEST_MAX_BYTES
              value: "104857600"
            - name: KAFKA_CFG_SOCKET_SEND_BUFFER_BYTES
              value: "102400"
            - name: KAFKA_CFG_ZOOKEEPER_CONNECTION_TIMEOUT_MS
              value: "6000"
            - name: KAFKA_CFG_AUTHORIZER_CLASS_NAME
              value: ""
            - name: KAFKA_CFG_ALLOW_EVERYONE_IF_NO_ACL_FOUND
              value: "true"
            - name: KAFKA_CFG_SUPER_USERS
              value: "User:admin"
            - name: KAFKA_ENABLE_KRAFT
              value: "true"
            - name: KAFKA_KRAFT_CLUSTER_ID
              value: "kafka_cluster_id_test1"
            - name: KAFKA_CFG_PROCESS_ROLES
              value: "broker,controller"
            - name: KAFKA_CFG_CONTROLLER_LISTENER_NAMES
              value: "CONTROLLER"
          ports:
            - name: kafka-client
              containerPort: 9092
            - name: kafka-internal
              containerPort: 9094
            - name: kafka-ctlr
              containerPort: 9093
          livenessProbe:
            failureThreshold: 3
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
            tcpSocket:
              port: kafka-client
          readinessProbe:
            failureThreshold: 6
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
            tcpSocket:
              port: kafka-client
          resources:
            limits: {}
            requests: {}
          volumeMounts:
            - name: data
              mountPath: /bitnami/kafka
            - name: logs
              mountPath: /opt/bitnami/kafka/logs
            - name: scripts
              mountPath: /scripts/setup.sh
              subPath: setup.sh
      volumes:
        - name: scripts
          configMap:
            name: kafka-scripts
            defaultMode: 0755
        - name: logs
          emptyDir: {}
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes:
          - "ReadWriteOnce"
        resources:
          requests:
            storage: "8Gi"

Surely this is a bug?

$ helmfile --version
helmfile version 0.155.0
$ sops --version
sops 3.7.1
$ helm version
version.BuildInfo{Version:"v3.12.1", GitCommit:"f32a527a060157990e2aa86bf45010dfb3cc8b8d", GitTreeState:"clean", GoVersion:"go1.20.4"}
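
What the error text in the report above means mechanically, as an added example (not code from the issue or from helmfile): Go's `text/template` returns `map has no entry for key` only when it runs with `missingkey=error` and the key is absent from the map bound to `.Values`. The helper names `render` and `missingValues`, and the assumption that the renderer runs in that strict mode, belong to this example; it does not show why the secrets file left `myValue` unset.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
	"text/template/parse"
)

// Constructed from the issue: the line of _defaults.yaml named in the error.
const defaultsLine = `aDependentValue: "{{.Values.myValue}}"`

// render executes tpl with .Values bound to values. In strict mode an absent
// map key aborts rendering; otherwise text/template writes "<no value>".
func render(tpl string, values map[string]interface{}, strict bool) (string, error) {
	t := template.New("stringTemplate")
	if strict {
		t.Option("missingkey=error")
	}
	if _, err := t.Parse(tpl); err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err := t.Execute(&buf, map[string]interface{}{"Values": values})
	return buf.String(), err
}

// collect walks the parsed template and records every .Values.<path> reference.
func collect(n parse.Node, refs *[]string) {
	switch v := n.(type) {
	case *parse.ListNode:
		if v != nil {
			for _, c := range v.Nodes {
				collect(c, refs)
			}
		}
	case *parse.ActionNode:
		collect(v.Pipe, refs)
	case *parse.PipeNode:
		if v != nil {
			for _, c := range v.Cmds {
				collect(c, refs)
			}
		}
	case *parse.CommandNode:
		for _, a := range v.Args {
			collect(a, refs)
		}
	case *parse.IfNode:
		collect(v.Pipe, refs)
		collect(v.List, refs)
		collect(v.ElseList, refs)
	case *parse.FieldNode:
		if len(v.Ident) > 1 && v.Ident[0] == "Values" {
			*refs = append(*refs, strings.Join(v.Ident[1:], "."))
		}
	}
}

// missingValues is a preflight check: it lists the .Values paths a template
// reads that have no entry in the values map it would be rendered with.
func missingValues(tpl string, values map[string]interface{}) ([]string, error) {
	t, err := template.New("preflight").Parse(tpl)
	if err != nil {
		return nil, err
	}
	var refs, out []string
	collect(t.Tree.Root, &refs)
	for _, ref := range refs {
		var cur interface{} = values
		found := true
		for _, key := range strings.Split(ref, ".") {
			m, ok := cur.(map[string]interface{})
			if cur, found = m[key]; !ok || !found {
				found = false
				break
			}
		}
		if !found {
			out = append(out, ref)
		}
	}
	return out, nil
}

func main() {
	_, err := render(defaultsLine, map[string]interface{}{}, true)
	fmt.Println("strict, empty values:", err)
	miss, _ := missingValues(defaultsLine, map[string]interface{}{})
	fmt.Println("paths with no entry:", miss)
}
```
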

yxxhero commented Aug 14, 2023

@Sahand1993 please access helmfile/helmfile.
