How do I inject a Vault secret via a Kubernetes Secret?

When you inject secrets directly into environment variables, they appear as plain text in the Deployment YAML, which is not advisable. Instead, inject them into a Secret YAML, which is then exposed to the container as environment variables.

For example, start by injecting the secret into your staging repo’s /env/values.yaml:

myapp:
  mysecrets:
    password: vault:path/to/mysecret:password

Then, in your app’s /charts/myapp/templates, create a mysecrets.yaml file, in which you refer to the secret you just added:

apiVersion: v1
kind: Secret
metadata:
  name: mysecrets
data:
  PASSWORD: {{ .Values.mysecrets.password | b64enc }}

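Notice that the secret value is encoded in Base64 with b64enc, as this is the format expected in the data field of a Secret YAML. Base64 is only an encoding, not encryption, so anyone who can read the Secret can decode the value.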

Also, make sure to add a default value for the same key in your app’s /charts/myapp/values.yaml:

mysecrets:
  password: ""

This gives Helm a value to resolve when it lints your mysecrets.yaml, as linting does not seem to consider values from the environment. Otherwise, you might get something like:

error: failed to build dependencies for chart from directory '.': failed to lint the chart '.': failed to run 'helm lint --values values.yaml' command in directory '.', output: '==> Linting .
[ERROR] templates/: render error in "myapp/templates/secrets.yaml": template: myapp/templates/secrets.yaml:6:21: executing "myapp/templates/secrets.yaml" at <.Values.mysecrets.password>: nil pointer evaluating interface {}.password

Finally, mount the Secret YAML as environment variables in your app’s /charts/myapp/templates/deployment.yaml:

...
    spec:
      containers:
      - name: {{ .Chart.Name }}
        envFrom:
        - secretRef:
            name: mysecrets
...

In V3 of Jenkins X we use Kubernetes External Secrets for managing secrets in Vault or cloud provider secret managers.

See the secrets admin guide

So to use a secret from Vault or a cloud provider secret manager, you can either add an explicit ExternalSecret to your chart or use the built-in mapping from Secrets -> ExternalSecrets in Jenkins X to do that for you.