
helm_release does not respect sensitive attribute anymore #1221

Open
audunsolemdal opened this issue Aug 11, 2023 · 6 comments

audunsolemdal commented Aug 11, 2023

Terraform, Provider, Kubernetes and Helm Versions

Terraform version: 1.5.5
Provider version: 2.10.1
Kubernetes version: 1.25.11

Affected Resource(s)

  • helm_release

Terraform Configuration Files

resource "helm_release" "sentry" {
  repository   = "https://sentry-kubernetes.github.io/charts"
  chart        = "sentry"
  version      = "20.2.0"
  name         = "sentry"
  namespace    = kubernetes_namespace.this.metadata[0].name
  max_history  = 3
  atomic       = false #true
  reuse_values = false
  reset_values = true
  timeout      = 600

  values = [templatefile("${path.module}/templates/values.yaml.tpl", {
    sendgrid_apikey   = var.sendgrid_apikey
  })]

  depends_on = [
    kubernetes_namespace.this,
  ]
}

variable "sendgrid_apikey" {
  description = "Apikey to authenticate with sendgrid"
  type        = string
  sensitive   = true
}

relevant part of templates/values.yaml.tpl

mail:
  password: ${sendgrid_apikey}

Debug Output

https://gist.github.com/audunsolemdal/b61129ae5a54dc8a9c23cb47f3d6c7c8

I believe this problem was introduced in #1097; prior to that I do not recall this happening.

Steps to Reproduce

  1. change any value in the values.yaml.tpl file
  2. terraform apply

Expected Behavior

sensitive attributes should stay hidden

Actual Behavior

sensitive attributes are displayed in clear text

arybolovlev (Contributor) commented:

Hi @audunsolemdal,

Thank you for raising this question. It looks like it happens due to the properties of the values attribute. In the schema it is not marked as sensitive, and it shouldn't be. That is why it ends up in the state file as plain text, even though the variable that you use to generate a file from a template has the sensitive attribute.

I would advise using the set_sensitive attribute for the sensitive values to address this:

resource "helm_release" "sentry" {
  ...
  set_sensitive {
    name  = "mail.password"
    value = var.sendgrid_apikey
  }
}
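As an added example (not code from the thread or the provider), here is the reporter's configuration reworked along the lines of the suggestion above: the template keeps only non-secret settings and the API key moves into a set_sensitive block. It assumes the helm provider 2.x block syntax used in this thread, and the non-secret variable `mail_from` is constructed for illustration only.

```hcl
variable "sendgrid_apikey" {
  description = "API key to authenticate with SendGrid"
  type        = string
  sensitive   = true
}

# Constructed non-secret setting, here only to show that the template
# still has a job once the secret is taken out of it.
variable "mail_from" {
  description = "Sender address for outgoing mail"
  type        = string
  default     = "sentry@example.com"
}

resource "helm_release" "sentry" {
  repository   = "https://sentry-kubernetes.github.io/charts"
  chart        = "sentry"
  version      = "20.2.0"
  name         = "sentry"
  namespace    = kubernetes_namespace.this.metadata[0].name
  max_history  = 3
  reuse_values = false
  reset_values = true
  timeout      = 600

  # Only non-secret settings are rendered into the template. The rendered
  # string is stored in the non-sensitive `values` attribute and printed in
  # full in plan diffs, so nothing secret may be interpolated here.
  # templates/values.yaml.tpl would now contain, e.g.:
  #   mail:
  #     from: ${mail_from}
  values = [templatefile("${path.module}/templates/values.yaml.tpl", {
    mail_from = var.mail_from
  })]

  # The secret goes through set_sensitive instead. The provider marks this
  # value sensitive, so `terraform plan` / `apply` print "(sensitive value)"
  # for it. It is still written to the state file in plain text (the
  # sensitive flag never encrypts state), so the state backend needs its
  # own access control and encryption.
  set_sensitive {
    name  = "mail.password"
    value = var.sendgrid_apikey
  }

  depends_on = [kubernetes_namespace.this]
}
```

To check where the key ends up after apply, `terraform show -json` lists the resource's `values` (the rendered template) and `set_sensitive` attributes separately; the key should appear only in the latter. Keep in mind that neither `sensitive = true` on the variable nor set_sensitive keeps the value out of the state file; they only redact CLI output.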

phyzical commented:

Just to hopefully get more visibility (or any workarounds):

There is still an edge case where, if the name contains a ".", there is currently no way to hide the sensitive values in the metadata.

This PR contains an example of this: #746

kujawa-radoslaw commented:

@arybolovlev I can't agree with this kind of approach. You cannot introduce a severe security issue and respond with "use this solution" instead. I am wondering why the output hides sensitive data correctly on apply but not on destroy...

github-actions bot commented Oct 5, 2024

Marking this issue as stale due to inactivity. If this issue receives no comments in the next 30 days it will automatically be closed. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. This helps our maintainers find and focus on the active issues. Maintainers may also remove the stale label at their discretion. Thank you!

@github-actions github-actions bot added the stale label Oct 5, 2024

meysam81 commented Oct 5, 2024

comment for activity

@github-actions github-actions bot removed the stale label Oct 5, 2024

ego93 commented Oct 22, 2024

I'm having an issue with sensitive values being output into the plan when I use the templatefile function with values.
Even wrapping this with the sensitive function still outputs the data in plain text.

# Attempt 1: mark the individual template variable sensitive.
resource "helm_release" "my_helm" {
  name       = "my-helm"
  repository = local.repo
  chart      = "my-chart"
  version    = "0.1.0"
  namespace  = "default"
  values = [
    templatefile("values/my-helm/values.tpl.yml", {
      PASSWORD = sensitive(data.sops_file.my_helm.data["password"])
    })
  ]
}

# Attempt 2: mark the whole rendered template sensitive.
resource "helm_release" "my_helm" {
  name       = "my-helm"
  repository = local.repo
  chart      = "my-chart"
  version    = "0.1.0"
  namespace  = "default"
  values = [
    sensitive(templatefile("values/my-helm/values.tpl.yml", {
      PASSWORD = data.sops_file.my_helm.data["password"]
    }))
  ]
}
Terraform version: 1.6.6
Provider version: 2.16.1
Kubernetes version: 1.19.13
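An added example, not from the thread, that sidesteps both the templatefile problem in the comment above and the dotted-key edge case raised earlier: the credential never enters helm_release at all. It is created with the kubernetes provider, whose kubernetes_secret `data` attribute is marked sensitive, and the chart is pointed at the Secret by name. It assumes the chart can read the credential from an existing Secret; the value key `mail.existingSecret` is hypothetical and must be replaced with whatever the chart in question actually exposes.

```hcl
# The API key is written to a Kubernetes Secret. The kubernetes provider
# marks `data` sensitive, so plan output shows "(sensitive value)" for it.
# The plaintext still lands in the Terraform state file, so protect that.
resource "kubernetes_secret" "sentry_mail" {
  metadata {
    name      = "sentry-mail"
    namespace = kubernetes_namespace.this.metadata[0].name
  }

  data = {
    password = var.sendgrid_apikey
  }
}

resource "helm_release" "sentry" {
  repository = "https://sentry-kubernetes.github.io/charts"
  chart      = "sentry"
  version    = "20.2.0"
  name       = "sentry"
  namespace  = kubernetes_namespace.this.metadata[0].name

  # Only the Secret's name crosses into Helm values, so `values`, the plan
  # diff and the release metadata contain no credential, and neither
  # templatefile nor set_sensitive is needed for it. Dots in the Secret's
  # key names are irrelevant here because no key is passed via --set.
  # `mail.existingSecret` is a hypothetical chart key, not verified against
  # the sentry chart.
  values = [yamlencode({
    mail = {
      existingSecret = kubernetes_secret.sentry_mail.metadata[0].name
    }
  })]

  depends_on = [kubernetes_secret.sentry_mail]
}
```

This moves the secret-handling question from the Helm provider to the kubernetes provider and the state backend; it does not remove the value from state, so the backend still needs encryption and restricted access.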
