Kubernetes - Use secrets on pre-install job


While Helm hooks are typically Jobs, there's no requirement that they are, and Helm doesn't do any analysis on the contents of a hook object to see what else it might depend on. If you read through the installation sequence described there, it is (7) install things tagged as hooks, (8) wait for those to be ready, then (9) install everything else; it waits for the Job to finish before it installs the Secret it depends on.

The first answer, then, is that you also need to tag your Secret as a hook for it to be installed during the pre-install phase, with a modified weight so that it gets installed before the main Job (smaller weight numbers happen sooner):

    apiVersion: v1
    kind: Secret
    metadata:
      # annotations must sit under metadata for Helm to treat this as a hook
      annotations:
        "helm.sh/hook": pre-install
        "helm.sh/hook-weight": "-5"

The next question is when this Secret gets deleted. The documentation notes that helm uninstall won't delete hook resources; you need to add a separate helm.sh/hook-delete-policy annotation, or else it will stick around until the next time the hook is scheduled to be run. This reads to me as saying that if you modify the Secret (or the values that make it up) and upgrade (not delete and reinstall) the chart, the Secret won't get updated.

I'd probably just create two copies of the Secret, one that's useful at pre-install time and one that's useful for the primary chart lifecycle. You could create a template to render the Secret body and then call that twice:

    {{- define "secret.content" -}}
    type: Opaque
    data:
        PROP_FROM_SCRETS: eHB0bw==
    {{- end -}}
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      name: "SecretsFileName"
      labels:
        app: "MyAppName"
    {{ include "secret.content" . }}
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      name: "SecretsFileName-preinst"
      labels:
        app: "MyAppName"
      annotations:
        "helm.sh/hook": pre-install
        "helm.sh/hook-weight": "-5"
        "helm.sh/hook-delete-policy": hook-succeeded
    {{ include "secret.content" . }}
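
As an added example (not part of the answer above and not Helm's own code), here is a small Python check over rendered manifests that flags a pre-install hook referencing a Secret that is not itself a pre-install hook with a lower weight. It assumes the manifests are already parsed into dicts; the Job name `preinstall-job` and the sample manifests are constructed for illustration.

```python
# Added example: lint parsed manifests for pre-install hooks whose Secrets arrive too late.
HOOK = "helm.sh/hook"
WEIGHT = "helm.sh/hook-weight"

def annotations(m):
    return (m.get("metadata") or {}).get("annotations") or {}

def is_pre_install(m):
    # The hook annotation may list several events, comma-separated.
    return "pre-install" in [h.strip() for h in annotations(m).get(HOOK, "").split(",")]

def weight(m):
    return int(annotations(m).get(WEIGHT, "0"))  # weights are strings; default is 0

def secret_refs(node):  # yields Secret names used via envFrom, env valueFrom or volumes
    if isinstance(node, dict):
        for key, val in node.items():
            if key in ("secretRef", "secretKeyRef") and isinstance(val, dict) and "name" in val:
                yield val["name"]
            elif key == "secret" and isinstance(val, dict) and "secretName" in val:
                yield val["secretName"]
            else:
                yield from secret_refs(val)
    elif isinstance(node, list):
        for item in node:
            yield from secret_refs(item)

def find_problems(manifests):
    """Return (hook, secret, reason) for each Secret a pre-install hook cannot rely on."""
    hook_secrets = {m["metadata"]["name"]: weight(m) for m in manifests
                    if m.get("kind") == "Secret" and is_pre_install(m)}
    problems = []
    for m in manifests:
        if m.get("kind") == "Secret" or not is_pre_install(m):
            continue
        for name in sorted(set(secret_refs(m.get("spec", {})))):
            if name not in hook_secrets:
                problems.append((m["metadata"]["name"], name, "secret is not a pre-install hook"))
            elif hook_secrets[name] >= weight(m):
                problems.append((m["metadata"]["name"], name, "secret weight is not lower than the hook's"))
    return problems

def make_job(secret_name):  # constructed sample Job, not from the page
    return {"kind": "Job", "metadata": {"name": "preinstall-job", "annotations": {HOOK: "pre-install", WEIGHT: "0"}},
            "spec": {"template": {"spec": {"containers": [{"name": "c", "envFrom": [{"secretRef": {"name": secret_name}}]}]}}}}

SECRETS = [{"kind": "Secret", "metadata": {"name": "SecretsFileName"}},  # constructed from the names above
           {"kind": "Secret", "metadata": {"name": "SecretsFileName-preinst", "annotations": {HOOK: "pre-install", WEIGHT: "-5"}}}]

print(find_problems(SECRETS + [make_job("SecretsFileName")]))
```

The check requires a strictly lower weight for the Secret, which is stricter than the "smaller weight numbers happen sooner" rule alone but avoids depending on how equal weights are ordered.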


According to the docs:

pre-install: Executes after templates are rendered, but before any resources are created in Kubernetes