Nested helmfiles and secrets don't work properly in template files #2127

@max06

Operating system

Debian GNU/Linux 12 (bookworm)

Helmfile Version

1.1.4

Helm Version

3.18.4

Bug description

I am using helmfiles for apps (using upstream charts) as well as helmfiles for different environments (here: clusters). A cluster helmfile includes one or multiple app helmfiles, with cluster-specific secrets passed to the sub-helmfile using values.

I can reference these secrets easily in app-helmfiles using {{ .Values.some_secret_key }}. This also works in value.yaml files loaded by app-helmfiles. It does not work when using gotmpl-files.

Example helmfile.yaml

# stored in clusters/dev/helmfile.yaml, with a values.sops.yaml file next to it containing a proper secret

helmfiles:
  - path: ../../apps/example/helmfile.yaml
    values:
      - some_secret_key: '{{ "ref+sops://values.sops.yaml#some_secret_key" | fetchSecretValue }}'
      - not_so_secret: true

# stored in apps/example/helmfile.yaml

repositories:
  - name: helm
    url: https://helm.github.io/examples

releases:
  - name: hello-world
    chart: helm/hello-world
    version: 0.1.0
    values:
      - values1.yaml
      - values2.yaml.gotmpl

# stored in apps/example/values1.yaml

some_secret_key: '{{ .Values.some_secret_key }}'

# stored in apps/example/values2.yaml.gotmpl

some_secret_key: '{{ .Values.some_secret_key }}'

Error message you've seen (if any)

Adding repo helm https://helm.github.io/examples
"helm" has been added to your repositories

in clusters/dev/helmfile.yaml: in .helmfiles[0]: in ../../apps/example/helmfile.yaml: failed to render values files "values2.yaml.gotmpl": yaml: did not find expected key

My original error looks a bit different, no idea why:

in ./helmfile.yaml: in .helmfiles[0]: in clusters/in-cluster/apps/argocd/helmfile.yaml: in .helmfiles[0]: in ../../../../apps/argocd/helmfile.yaml: [failed to render values files "values.yaml.gotmpl": expand sops://values.sops.yaml#primary_domain: Failed to read "values.sops.yaml": open values.sops.yaml: no such file or directory]

Steps to reproduce

I can do that if the info above is not sufficient. You should probably move this field up in the issue template to let the users know before they put work into the two previous fields.

Working Helmfile Version

no known good version

Relevant discussion

No response
