HelmRelease
Post Renderer
https://fluxcd.io/flux/components/helm/helmreleases/#post-renderers
HelmRelease resources have a built-in Kustomize-compatible Post Renderer, which provides some Kustomize directives.
Note that the patchesStrategicMerge and patchesJson6902 directives are deprecated; use patches instead.
Troubleshooting
Experiment with helm template locally first. See also Flux Helm Release Troubleshooting.
Secrets
K8s Secrets
Manage with sealed-secrets.
With kubeseal, secrets can be safely committed in Git. After reconciliation, use kubectl get -A sealedsecret to check decryption status.
Reference Secrets from HelmRelease
Secrets used in valuesFrom should be put into the same namespace as the HelmRelease. kubeseal encryption is tied to the cluster namespace, so a secret sealed for the wrong namespace has to be re-encrypted.
Note that a targetPath that points into an array, like array[0].name, is not supported. See https://github.com/helm/helm/issues/8320.
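The post-renderer and valuesFrom notes above, combined in one manifest pair. This is an added example, not taken from the Flux or sealed-secrets documentation. It assumes a Flux version that serves the helm.toolkit.fluxcd.io/v2 API, and every name in it (apps, demo-app, demo-app-values, demo-charts, the database.password value key) is a placeholder.

```yaml
# Constructed example; all names and the ciphertext are placeholders.
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: demo-app-values
  namespace: apps          # sealed for this namespace; must match the HelmRelease
spec:
  encryptedData:
    dbPassword: <ciphertext produced by kubeseal>   # placeholder, not a real value
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: demo-app
  namespace: apps          # same namespace as the Secret referenced in valuesFrom
spec:
  interval: 10m
  chart:
    spec:
      chart: demo-app
      sourceRef:
        kind: HelmRepository
        name: demo-charts
  valuesFrom:
    - kind: Secret
      name: demo-app-values          # Secret created when the SealedSecret is decrypted
      valuesKey: dbPassword
      # Plain dotted path only; an array index such as array[0].name is not supported.
      targetPath: database.password
  postRenderers:
    - kustomize:
        patches:                     # use instead of patchesStrategicMerge / patchesJson6902
          - target:
              kind: Deployment
              name: demo-app
            patch: |
              - op: add
                path: /spec/template/spec/securityContext
                value:
                  runAsNonRoot: true
```

If the HelmRelease moves to another namespace, the SealedSecret has to be sealed again for that namespace before the valuesFrom reference resolves.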
Deploy Credentials Rotation
A fine-grained PAT from GitHub only lasts for a year.
To rotate the SSH key generated at bootstrap, first delete the secret from the cluster with:
Then run flux bootstrap again.