When trying to use the helm function: lookup, I do not get any result at all as expected.
My Secret that I try to read looks like this
apiVersion: v1
data:
adminPassword: VG9wU2VjcmV0UGFzc3dvcmQxIQ==
adminUser: YWRtaW4=
kind: Secret
metadata:
annotations:
sealedsecrets.bitnami.com/cluster-wide: "true"
name: activemq-artemis-broker-secret
namespace: common
type: Opaque
The template helm chart that should load the adminUser and adminPassword data looks like this
apiVersion: broker.amq.io/v1beta1
kind: ActiveMQArtemis
metadata:
name: {{ .Values.labels.app }}
namespace: common
spec:
{{ $secret := lookup "v1" "Secret" .Release.Namespace "activemq-artemis-broker-secret" }}
adminUser: {{ $secret.data.adminUser }}
adminPassword: {{ $secret.data.adminPassword }}
When deploying this using ArgoCD I get the following error:
failed exit status 1: Error: template: broker/templates/deployment.yaml:7:23:
executing "broker/templates/deployment.yaml" at <$secret.data.adminUser>:
nil pointer evaluating interface {}.adminUser Use --debug flag to render out invalid YAML
Both the secret and the deployment is in the same namespace (common).
If I try to get the secret with kubectl it works as below
kubectl get secret activemq-artemis-broker-secret -n common -o json
{
"apiVersion": "v1",
"data": {
"adminPassword": "VG9wU2VjcmV0UGFzc3dvcmQxIQ==",
"adminUser": "YWRtaW4="
},
"kind": "Secret",
"metadata": {
"annotations": {
"sealedsecrets.bitnami.com/cluster-wide": "true"
},
"creationTimestamp": "2022-10-10T14:40:49Z",
"name": "activemq-artemis-broker-secret",
"namespace": "common",
"ownerReferences": [
{
"apiVersion": "bitnami.com/v1alpha1",
"controller": true,
"kind": "SealedSecret",
"name": "activemq-artemis-broker-secret",
"uid": "edff38fb-a966-47a6-a706-cb197ac1797d"
}
],
"resourceVersion": "127303988",
"uid": "0679fc5c-7465-4fe1-9197-b483073e93c2"
},
"type": "Opaque"
}
What is wrong here. I use helm version: 3.8.1 and Go version: 1.75
CodePudding user response:
This error is the result of two parts working together:
First, helm's lookup
only works in a running cluster, not when running helm template
(without --validate
). If run in that manner it returns nil. (It is usually used as lookup ... | default dict {}
, to avoid a nasty error message).
Second, you're deploying with ArgoCD that is actually running helm template
internally when deploying a helm chart. See open issue: https://github.com/argoproj/argo-cd/issues/5202 . The issue mentions a plugin that can be used to change this behaviour. However, doing so requires some reconfiguration of argocd itself, which is not trivial and is not without side effects.