I have a helm deployment on k8s via waypoint similar to this:
```hcl
app "my-app" {
  // ...
  deploy {
    use "helm" {
      name  = "my-app"
      chart = "${path.app}/helm"

      // We use a values file so we can set the entrypoint environment
      // variables into a rich YAML structure. This is easier than --set
      values = [
        file(templatefile("${path.app}/values.yaml.tpl")),
      ]

      set {
        name  = "image.repository"
        value = artifact.image
      }

      set {
        name  = "image.tag"
        value = artifact.tag
      }
    }
  }
}
```
The problem is all my secrets are stored on HashiCorp Vault, and I want to pass these secrets to helm using something like:

```hcl
set {
  name  = "env.JWT-SECRET"
  value = <my secret from hashicorp vault>
}
```

How do I achieve this? Is this possible using the current iteration of Waypoint?

Hey @ajinkya6 ,
Great question!
You can configure waypoint to pull secrets from vault using the configsourcer and dynamic input variable defaults, and make them available to the app or anywhere else in your waypoint.hcl.
Check out the docs here: Plugin: Vault | Waypoint | HashiCorp Developer, and this example: waypoint-examples/kubernetes/go-multiworkspace at main · hashicorp/waypoint-examples · GitHub
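
The dynamic input variable default mentioned in the reply above, wired into the `helm` plugin's `set` block. This is an added example, not part of the original posts and not taken from the linked docs. The variable name `jwt_secret`, the `sensitive` attribute being available in the Waypoint version in use, and the KV v2 JSON-pointer form of `key` are assumptions; the Vault path, key name and Helm value name come from the thread.

```hcl
project = "test-waypoint"

// Assumes the Vault config source is already registered on the Waypoint
// server with `waypoint config source-set -type=vault ...`.
variable "jwt_secret" { // hypothetical variable name
  type      = string
  sensitive = true // assumption: supported by the Waypoint version in use

  default = dynamic("vault", {
    path = "kv/data/demo"
    // Assumption: "kv" is a KV v2 mount, so the field sits under "data"
    // in the response and is addressed as a JSON pointer.
    key = "/data/MY_SECRET"
  })
}

app "my-app" {
  build {
    use "pack" {}
    registry {
      use "docker" {
        image = "docker-repo-link" // placeholder from the thread
        tag   = "latest"
        local = false
      }
    }
  }

  deploy {
    use "helm" {
      name  = "my-app"
      chart = "${path.app}/helm"

      set {
        name  = "image.repository"
        value = artifact.image
      }

      // The Vault value reaches the chart as an ordinary Helm value.
      set {
        name  = "env.JWT-SECRET"
        value = var.jwt_secret
      }
    }
  }
}
```

Helm keeps values passed this way in the release record it stores in the cluster, so the chart should render `env.*` into a Kubernetes Secret and read access to the release namespace should be limited accordingly.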
Thank you,
I tried the solution; it's not working. The given example is for deploy->use->kubernetes (in waypoint.hcl); in my case I am using deploy->use->helm (in waypoint.hcl).

Here are my configuration details. I am configuring Waypoint with Vault as follows; on the terminal I type this:

```shell
waypoint config source-set -type=vault \
  -config="auth_method=token" \
  -config="token=...." \
  -config="auth_method_mount_path=auth/kubernetes" \
  -config="addr=https://hashicorp-waypoint-ui-External-ip" \
  -config="kubernetes_role=waypoint" \
  -config="skip_verify=true"
```

Then here is how my waypoint.hcl file looks:

```hcl
project = "test-waypoint"

config {
  env = {
    "MY-SECRET" = configdynamic("vault", {
      path = "kv/data/demo"
      key  = "MY_SECRET"
    })
  }
}

app "waypoint-demo-web" {
  build {
    use "pack" {}
    registry {
      use "docker" {
        image = "docker-repo-link"
        tag   = "latest"
        local = false
      }
    }
  }

  deploy {
    use "helm" {
      name    = "my-waypoint-app"
      chart   = "${path.app}/my-app"
      version = "1"
      values = [
        file(templatefile("${path.app}/values.yaml")),
      ]
    }
  }
}
```

My values.yaml files accept secrets as follows:

```yaml
env:
  MY-SECRET:
  MY-SECRET2:
```

Whatever secrets are declared in env variables should ideally be accepted by this values.yaml. But it's not happening so, I believe Waypoint is unable to take secrets from Vault. Any pointers to resolve this will greatly help me.

Hi @ajinkya6, could you please provide the runner logs when you encounter this error so we can dig deeper? Also, are you using a local or remote runner? This would not work with a local runner. Thanks!