
Variable Groups for Helm Variables - V 1

To prevent secrets from being stored directly in the repo, we have updated our pipeline to support injecting variable group values into your helm chart. These variables can be either secrets (e.g. DB_PASS) or non-secrets (e.g. api_endpoint).

Key Benefits

  1. Keep secrets out of your git repo
  2. Easily modify individual secrets (as opposed to secure files)
  3. Use the same variables across all your services so you no longer need to hard-code the same variable in each of your services

Setup

1. Create variable group(s)

Within your Azure DevOps project, you can create as many variable groups as needed (documentation).

You can use whatever naming scheme you prefer and set the custom security permissions as desired.

If the variable is confidential, please make sure to click the lock icon next to the variable to mask it. Keep in mind that once the variable is locked and the variable group is saved, its value cannot be recovered; however, you can change it later if needed.

Make sure to click 'Save' after creating/modifying your variable group.

Variable groups cannot store a multi-line variable. If you plan on storing a variable such as a TLS cert or private key, you will need to use a SecureFile (see example).

2. Update azure-pipelines.yml

You can specify the variableGroups for each environment to load. You can specify multiple variable groups if needed.

If you locked/masked any of the variables, you need to specify the name of the variable(s) in the secretVarKeys section.

Example:

...
    spaces:
      workspace:
        variableGroups:
          - myvars_dev
        secretVarKeys:
          - DB_PASS
          - api_token
        helm:
          overrideFiles: |
            xyz-apiservice/values.workspace.yaml
      xyz-myhs1-stg:
        variableGroups:
          - myvars_stg
        secretVarKeys:
          - DB_PASS
          - api_token
        helm:
          overrideFiles: |
            xyz-apiservice/values.hostspace.yaml
      xyz-myhs1-prd:
        variableGroups:
          - myvars_prd
        secretVarKeys:
          - DB_PASS
          - api_token
        helm:
          overrideFiles: |
            xyz-apiservice/values.hostspace.yaml
...

3. Update helm chart

The helm variables will be injected into the helm chart with Unix variable substitution. You can reference your variables in any of the files in your helm chart (e.g. values.yaml, deployment.yaml, etc.).

Example:

This example uses our recommended configmaps setup (documentation).

...
env_vars:
- name: "primary"
  configs:
      INSTANCE: "primary"
      DB_HOST: "$DB_HOST"
      API_ENDPOINT: "$API_ENDPOINT"
      API_TOKEN: "$api_token"
      DB_USER: "$DB_USER"
      DB_PASS: "$DB_PASS"
- name: "dr"
  configs:
      INSTANCE: "dr"
      DB_HOST: "$DB_HOST"
      API_ENDPOINT: "$API_ENDPOINT_DR"
      API_TOKEN: "$api_token"
      DB_USER: "$DB_USER"
      DB_PASS: "$DB_PASS"
...
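
A pre-merge check for the three steps above, added here as an example (it is not part of the pipeline or of this documentation's own code): it collects every `$NAME` / `${NAME}` reference in a chart file and compares it with the names defined in a space's variable groups and listed under secretVarKeys. The function names and the sample group contents are constructed, and the check assumes names must match exactly, including case, as in the `$api_token` reference above.

```python
import re

# Matches $NAME and ${NAME}, the forms Unix-style substitution expands.
VAR_REF = re.compile(r"\$(?:\{([A-Za-z_][A-Za-z0-9_]*)\}|([A-Za-z_][A-Za-z0-9_]*))")


def referenced_vars(chart_text):
    """Return the set of variable names referenced in a chart file."""
    return {m.group(1) or m.group(2) for m in VAR_REF.finditer(chart_text)}


def check_space(chart_text, group_vars, secret_var_keys):
    """Compare chart references with one space's variable groups.

    Names are compared case-sensitively ($api_token is not $API_TOKEN).
    """
    refs = referenced_vars(chart_text)
    group_vars = set(group_vars)
    secrets = set(secret_var_keys)
    return {
        # Referenced in the chart but defined in no loaded variable group.
        "undefined": sorted(refs - group_vars),
        # Listed in secretVarKeys but missing from the variable groups.
        "secret_not_in_group": sorted(secrets - group_vars),
        # Listed in secretVarKeys but never referenced by the chart.
        "secret_unused": sorted(secrets - refs),
    }


# Constructed sample: a values.yaml fragment modelled on the example above,
# checked against a group that misnames api_token and lacks API_ENDPOINT_DR.
SAMPLE_VALUES = '''
env_vars:
- name: "primary"
  configs:
      DB_HOST: "$DB_HOST"
      API_ENDPOINT: "$API_ENDPOINT"
      API_TOKEN: "$api_token"
      DB_PASS: "${DB_PASS}"
- name: "dr"
  configs:
      API_ENDPOINT: "$API_ENDPOINT_DR"
'''
SAMPLE_GROUP = ["DB_HOST", "API_ENDPOINT", "API_TOKEN", "DB_PASS"]  # constructed
SAMPLE_SECRETS = ["DB_PASS", "api_token"]  # secretVarKeys from the example

if __name__ == "__main__":
    print(check_space(SAMPLE_VALUES, SAMPLE_GROUP, SAMPLE_SECRETS))
```

Run it once per space with the names from that space's variable groups; a non-empty `undefined` or `secret_not_in_group` list means a reference would not be filled in, or a masked variable would not be treated as a secret.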