Sanjay

Reputation: 71

How can we specify custom path to .Files.Get when creating ConfigMap with Helm

I am creating a config map as below

kubectl create configmap testconfigmap --from-file=testkey=/var/opt/testfile.txt

As I am using helm charts, I would like to create the config map using YAML file instead of running kubectl. I went through Kubernetes - How to define ConfigMap built using a file in a yaml? and we can use .Files.Get to access the files. But then testfile.txt needs to be a part of helm. I would like to have something like

kind: ConfigMap
metadata:
  name: testconfigmap
data:
  fromfile: |-
{{ .Files.Get "/var/opt/testfile.txt" | indent 4 }}

It works when "testfile.txt" is under the main helm directory. So, {{ .Files.Get "testfile.txt" | indent 4 }} works but {{ .Files.Get "/var/opt/testfile.txt" | indent 4 }} doesn't. With custom path, the value for the ConfigMap is empty.

Is it possible to place the file at a custom path outside the helm folder, so I can define my path in Values.yaml and read it in my ConfigMap yaml?

Upvotes: 6

Views: 11541

Answers (2)

Olesya Bolobova

Reputation: 1653

As mdaniel and mario already mentioned, for now this is not possible, as it's considered a security risk.

But actually there is a workaround.
You can use Helm templating to parse your property file and load it into a ConfigMap.

# create the following ConfigMap in your Chart
# this is just a simple prototype
# it requires strict key=value syntax in your property file (no empty strings etc.)
# but it shows the idea - improve the syntax, if needed
apiVersion: v1
kind: ConfigMap
metadata:
  name: example
data:
  {{- if .Values.example.map }}
  {{- range $line := splitList "\n" .Values.example.map }}
  {{- $words := splitList "=" $line }}
  {{- $key := index $words 0 | trim }}
  {{- $value := rest $words | join "=" | trim }}
  {{ $key }}: "{{ $value }}"
  {{- end }}
  {{- end }}

And after that you may load your properties file into this ConfigMap.

helm install mychart --set-file example.map="/test/my.properties"

Of course it is safe to use ONLY if you fully control the input, i.e. how each and every line of your property file is populated.

Upvotes: 1
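A hardened variant of the workaround template above, as an added example that is not the answer author's code: it skips blank lines and lines starting with `#`, fails the render on a line without `=` or on a key that is not a valid ConfigMap key, and emits each value through `quote` so a `"` or backslash in the file cannot change the YAML structure. It assumes values.yaml declares `example.map` (empty by default), that it is filled with `--set-file` as in the answer, and that `#` marks a comment in the properties file.

```yaml
# templates/configmap.yaml (added example; the file name is an assumption)
# Assumed values.yaml:
#   example:
#     map: ""
# Filled at install time with: --set-file example.map=<properties file>
apiVersion: v1
kind: ConfigMap
metadata:
  name: example
data:
  {{- range $line := splitList "\n" (.Values.example.map | default "") }}
  {{- $l := trim $line }}
  {{- /* skip blank lines and # comments instead of emitting an empty key */}}
  {{- if and $l (not (hasPrefix "#" $l)) }}
  {{- if not (contains "=" $l) }}
  {{- fail (printf "example.map: line without '=': %q" $l) }}
  {{- end }}
  {{- $words := splitList "=" $l }}
  {{- $key := index $words 0 | trim }}
  {{- /* ConfigMap keys may only contain alphanumerics, '-', '_' and '.' */}}
  {{- if not (regexMatch "^[-._a-zA-Z0-9]+$" $key) }}
  {{- fail (printf "example.map: invalid ConfigMap key %q" $key) }}
  {{- end }}
  {{- /* quote escapes the value, so it always stays a single YAML string */}}
  {{ $key }}: {{ rest $words | join "=" | trim | quote }}
  {{- end }}
  {{- end }}
```

Rendering the chart with `helm template` and the same `--set-file` argument shows the resulting ConfigMap before anything is installed.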

mario

Reputation: 11138

This is a Community Wiki answer so feel free to edit it and add any additional details you consider important.

As mdaniel has already stated in his comment:

"Is it possible to place the file at a custom path outside the helm folder": no, because helm considers that a security risk – mdaniel 2 days ago

You can also compare it with this feature request on GitHub, where you can find a very similar requirement described in short, e.g. in this comment:

I have this exact need. My chart publishes a secret read from file at /keybase. This file is deliberately not in the chart.

I believe files for .Files.Get should not be assumed to be inside the chart ...

One interesting comment:

lenalebt commented on Dec 23, 2017 I am quite sure .Files.Get not being able to access the file system arbitrarily is a security feature, so I don't think the current behaviour is wrong - it just does not fulfill all use cases.

This issue was created quite a long time ago (Dec 19, 2017) but has been recently reopened. There are even some specific proposals on how it could be handled:

titou10titou10 commented on Apr 2 @misberner can you confirm that using --include-dir = will allow us to use .Files.Glob().AsConfig(), and so create a ConfigMap with one entry in the CM per file in?

@misberner misberner commented on Apr 2 Yeah that's the idea. An open question from my point of view is whether an --include-dir with a specified introduces an overlay, or shadows everything under / from previous args and from the bundle itself. I'm not super opinionated on that one but would prefer the former.

The most recent comments give some hope that this feature might become available in future releases of helm.

Upvotes: 6
