When you inject secrets directly into environment variables, they appear in Deployment yaml as plain text, which is not advisable. It is recommended to rather inject them into a Secret yaml that will itself be mounted as environment variables.
For example, start by injecting the secret into your staging repo's /env/values.yaml, under your app's key:
myapp:
  mysecrets:
    password: vault:path/to/mysecret:password
Then, in your app's /charts/myapp/templates, create a mysecrets.yaml file in which you refer to the secret you just added:
apiVersion: v1
kind: Secret
metadata:
  name: mysecrets
data:
  PASSWORD: {{ .Values.mysecrets.password | b64enc }}
Notice how we encode the secret value in Base64, as this is the format expected in a Secret yaml.
Also, make sure to add a default value for the same key in your app's /charts/myapp/values.yaml:
mysecrets:
  password: ""
That gives Helm a value to resolve while linting your mysecrets.yaml, as linting seems not to consider values from the environment. Otherwise, you might get something like:
error: failed to build dependencies for chart from directory '.': failed to lint the chart '.': failed to run 'helm lint --values values.yaml' command in directory '.', output: '==> Linting .
[ERROR] templates/: render error in "myapp/templates/secrets.yaml": template: myapp/templates/secrets.yaml:6:21: executing "myapp/templates/secrets.yaml" at <.Values.mysecrets.password>: nil pointer evaluating interface {}.password
Finally, mount the Secret as environment variables in your app's /charts/myapp/templates/deployment.yaml:
...
spec:
  containers:
  - name: {{ .Chart.Name }}
    envFrom:
    - secretRef:
        name: mysecrets
...
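The four steps above, walked through end to end as an added example (this is not code from the original post, nor from Helm or Jenkins X): a small Python stand-in for Helm's value layering and templating. It assumes the vault:... reference has already been resolved to a constructed plaintext "s3cr3t" before templating, and the function names (merge_values, render_secret, render_deployment, lint_renders, render_for_environment, manifests_exposing) are this example's own. It shows why the empty default keeps linting from failing, what the b64enc step produces, and that the rendered Deployment carries only the Secret's name while the direct-env-var variant carries the plaintext.

```python
import base64
import copy

# Constructed sample of the chart's own defaults (charts/myapp/values.yaml):
# the empty default that keeps `helm lint` from hitting a nil value.
CHART_DEFAULTS = {"mysecrets": {"password": ""}}

# Constructed sample of the environment repo's env/values.yaml for the app
# key "myapp". Assumption: the vault:... reference has already been resolved
# to the plaintext "s3cr3t" by the secret backend before templating.
ENV_VALUES = {"myapp": {"mysecrets": {"password": "s3cr3t"}}}


def merge_values(defaults: dict, overrides: dict) -> dict:
    """Deep-merge overrides into defaults, the way Helm layers values files."""
    merged = copy.deepcopy(defaults)
    for key, value in overrides.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge_values(merged[key], value)
        else:
            merged[key] = value
    return merged


def b64enc(value: str) -> str:
    """Stand-in for Helm's b64enc template function (an encoding, not encryption)."""
    return base64.b64encode(value.encode()).decode()


def render_secret(values: dict, name: str = "mysecrets") -> dict:
    """Render templates/mysecrets.yaml. A missing .Values.mysecrets raises
    KeyError here, the analogue of Helm's 'nil pointer evaluating ... .password'."""
    password = values["mysecrets"]["password"]
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "data": {"PASSWORD": b64enc(password)},
    }


def render_deployment(chart_name: str = "myapp", secret_name: str = "mysecrets") -> dict:
    """Render the container spec from templates/deployment.yaml: the Deployment
    only names the Secret via envFrom/secretRef and never carries the value."""
    container = {"name": chart_name, "envFrom": [{"secretRef": {"name": secret_name}}]}
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "spec": {"template": {"spec": {"containers": [container]}}},
    }


def render_deployment_plain_env(values: dict, chart_name: str = "myapp") -> dict:
    """The pattern the post warns against: the value templated straight into env,
    so it lands in the rendered Deployment as plain text."""
    container = {
        "name": chart_name,
        "env": [{"name": "PASSWORD", "value": values["mysecrets"]["password"]}],
    }
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "spec": {"template": {"spec": {"containers": [container]}}},
    }


def lint_renders(chart_defaults: dict) -> bool:
    """helm lint renders with the chart's values.yaml only, so the template
    must survive without the environment's values."""
    try:
        render_secret(chart_defaults)
        return True
    except (KeyError, TypeError):
        return False


def render_for_environment(app: str, chart_defaults: dict, env_values: dict) -> list:
    """Render both manifests for one environment: chart defaults first, then
    the app's block from env/values.yaml layered on top."""
    values = merge_values(chart_defaults, env_values.get(app, {}))
    return [render_secret(values), render_deployment(app)]


def manifests_exposing(manifests: list, plaintext: str) -> list:
    """Return the kinds of the manifests whose serialized form contains the plaintext."""
    return [m["kind"] for m in manifests if plaintext in repr(m)]


if __name__ == "__main__":
    print("lint without defaults renders:", lint_renders({}))
    print("lint with defaults renders:", lint_renders(CHART_DEFAULTS))
    rendered = render_for_environment("myapp", CHART_DEFAULTS, ENV_VALUES)
    print("secret data:", rendered[0]["data"])
    print("manifests containing plaintext:", manifests_exposing(rendered, "s3cr3t"))
    plain = render_deployment_plain_env(merge_values(CHART_DEFAULTS, ENV_VALUES["myapp"]))
    print("direct env variant exposes:", manifests_exposing([plain], "s3cr3t"))
```

The check in manifests_exposing is the one worth keeping around: run it over your rendered output (for instance what `helm template` emits) to confirm the plaintext shows up nowhere but, Base64-encoded, inside the Secret. Keep in mind that b64enc is reversible, so the Secret object itself still needs the usual protections (namespace RBAC on Secrets and encryption at rest); what this pattern buys you is that the Deployment manifest, its diffs and its rendered logs no longer carry the value.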