HelmChart
Nyl allows you to inline Helm charts by specifying a HelmChart
resource in your manifest. Just like any other
resource, the Helm chart resource values can be templated using Nyl's structured templating
(for example to inject secrets), and are then rendered to Kubernetes resources that are inlined in your configuration.
Example
apiVersion: inline.nyl.io/v1
kind: HelmChart
metadata:
name: my-release
namespace: default
spec:
chart:
repository: https://charts.bitnami.com/bitnami
name: nginx
# version: "..."
values:
controller:
service:
type: LoadBalancer
Comparison to native ArgoCD Helm applications
Nyl may look similar to Helm in the sense that it allows for templating YAML files. However, there are some important differences between the two that make Nyl the better choice for defining applications in a GitOps repository.
Passing secrets more safely
Values for ArgoCD Helm applications are either stored in a values-file in the repository (in plain-text) or in the
valuesObject
configuration of the ArgoCD Application
spec (again, in plain-text). The valuesObject
like standard
Kubernetes Secret
resources when inspected via the ArgoCD UI, which makes storing the secrets are part of the
application spec undesirable.
Danger
You must still be careful when using Nyl to inject secrets into Helm charts. The Helm chart may pass the secret
value into a resource that is not a Secret
, which would then be rendered in plain-text in the cluster when
inspected in ArgoCD or via kubectl
.
Combining multiple Helm charts
An ArgoCD application supports only a single Helm chart. If you need to deploy multiple Helm charts as part of a single
application, you would need to create a Helm chart that includes all the other charts. However, this can lead to a
complicated setup that is hard to maintain: It either requires you to repeat the same values in multiple places, or
all subcharts support globals
.
Secret injection
Natively, ArgoCD applications do not support injecting secrets into the Helm chart values. With Nyl, you can connect to a secrets provider and inject secrets into the generated resources or the value of a Helm chart parameter. Your YAML template becomes the glue code for propagating secrets from the point of origin into your Kubernetes cluster and application.
In many cases you can work around this limitation by placing a Secret
resource into your cluster, either manually
or by other means (such as using external-secrets), but this does not cover the use case for Helm charts that require
a secret, or more generally, an external parameter, in a place where an existing secret cannot be configured (e.g.
either because the chart simply does not support it or because it needs to be in a specific place/format). This is
most commonly an issue when deploying third-party applications from Helm charts.
Pipelining between applications (TODO)
Nyl supports looking up information in the cluster at time of rendering the resources. This allows for iteratively
reconciling resources in the cluster that depend on each other. For example, it is not uncommon to have an application
generate a Secret
that later needs to be transformed and piped into another Helm chart.
Danger
When this feature is enabled, Nyl would allow lookups across the entire cluster (or the resources that the ArgoCD service account has access to). This is a powerful feature that can be used to build complex applications, but it also comes with a security risk when a cluster is shared between multiple teams.
Todo
Explain how this feature works and how to enable it.