Question: ISD installation process involves creating values.yaml which contains some secrets. Best practice is to push the values.yaml to the same repo as the gitops-repo but I don't want to put any secrets in there. How can we do this?
Answer: The recommended approach is to create kubernetes secrets in the same namespace where the are expected to be used and reference them in the values.yaml. The pre-propcessor mentioned below can substitute the values during execution time. The instructions are as follows:
a) Get the script at: https://github.com/OpsMx/standard-gitops-repo/blob/3.9/SAMPLES/secret-decoder.sh
b) Update the kubectl command in the script as per the instructions provided in the script
c) If you have an "_" charecter in any of the secrets e.g. git-token please replace this with a charecter such as "," or "?" which is NOT present in any of the values in the last few lines of the script.
d) In values.yaml. use "encrypted:secret-name:secret-key" in the place of the real value.
e) Filter the values.yaml through the secret-decoder script.
Representative command for using the script on mac/linux is:
cat values.yaml | ./secret-decoder.sh | helm install oes opsmx/oes -f -