
How do I create a Kubernetes docker-registry Secret from a YAML file?

Convert kubectl docker-registry Secret to Helm Template YAML

Great question! Converting that kubectl create secret command into a reusable Helm template is straightforward—let's walk through how to do it properly, with dynamic values instead of hardcoded strings.

First, Understand the Secret Structure

When you run the kubectl create secret docker-registry command, Kubernetes generates a Secret of type kubernetes.io/dockerconfigjson. The core part is the .dockerconfigjson data field, which is a base64-encoded JSON object containing your registry auth details.

Helm Template Implementation

Here's the complete Helm template for your Secret (save this as templates/registry-secret.yaml in your chart):

{{- /* base64("username:password"), used as the "auth" field of the JSON */ -}}
{{- $auth := printf "%s:%s" .Values.docker.username .Values.docker.password | b64enc -}}
apiVersion: v1
kind: Secret
metadata:
  name: regsecret
  # Use namespace from values, fall back to "mynamespace" if not set
  namespace: {{ .Values.namespace | default "mynamespace" }}
type: kubernetes.io/dockerconfigjson
data:
  # Dynamically generate the docker config JSON and base64 encode it.
  # No "{{-" here: it would strip the space after the colon and break the YAML.
  .dockerconfigjson: {{ printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" .Values.docker.server .Values.docker.username .Values.docker.password .Values.docker.email $auth | b64enc }}

Configure Values

Add these settings to your values.yaml to populate the template:

# values.yaml
docker:
  server: docker.example.com
  username: kube
  password: PW_STRING
  email: my@email.com
# Optional: Override default namespace here
namespace: mynamespace

How It Works

  • Dynamic Namespace: The namespace uses .Values.namespace with a default of "mynamespace", so you can override it during installation.
  • Auth Encoding: We first base64-encode the username:password string (for the auth field in the JSON), then wrap the entire auth JSON object and base64-encode it again—this matches exactly what the kubectl command does.
  • Reusability: All sensitive and environment-specific values are pulled from values.yaml, making it easy to adjust for different clusters or environments.

Using the Template

When installing your Helm chart, you can override values on the fly (especially useful for sensitive data like passwords):

helm install my-chart ./my-chart-directory \
  --set docker.password="my-secure-password" \
  --set namespace="production-namespace"

Important Notes

  • Never commit plaintext passwords to version control. Use Helm's --set flag, a secrets management tool like Helm Secrets, or your CI/CD pipeline to inject sensitive values securely.
  • Ensure your Docker registry server URL is correct (include https:// if required by your registry—most public/private registries expect it).
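
The double encoding described under "How It Works" can be checked outside the cluster. The following is an added example, not part of the original answer: the function names build_dockerconfigjson and check_dockerconfigjson and the sample password are assumptions made for illustration. It also shows that a password containing a quote or backslash survives only when the JSON is produced by a real encoder, which the printf-based template does not do.

```python
import base64
import json


def build_dockerconfigjson(server, username, password, email):
    """Return the base64 value for the Secret's .dockerconfigjson key."""
    # Inner encoding: base64("username:password") is the "auth" field.
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password,
             "email": email, "auth": auth}
    # json.dumps escapes quotes and backslashes; string formatting does not.
    raw = json.dumps({"auths": {server: entry}}, separators=(",", ":"))
    # Outer encoding: the whole JSON document is base64-encoded again.
    return base64.b64encode(raw.encode()).decode()


def check_dockerconfigjson(value):
    """Decode a rendered .dockerconfigjson value; return a list of problems."""
    try:
        config = json.loads(base64.b64decode(value, validate=True))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        return [f"not base64-encoded JSON: {exc}"]
    auths = config.get("auths") if isinstance(config, dict) else None
    if not isinstance(auths, dict) or not auths:
        return ["missing or empty 'auths' object"]
    problems = []
    for server, entry in auths.items():
        if not isinstance(entry, dict):
            problems.append(f"{server}: entry is not an object")
            continue
        expected = f"{entry.get('username')}:{entry.get('password')}"
        try:
            auth = str(entry.get("auth", ""))
            actual = base64.b64decode(auth, validate=True).decode()
        except ValueError:
            actual = None
        if actual != expected:
            problems.append(f"{server}: 'auth' is not base64(username:password)")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the password holds a quote and a backslash.
    good = build_dockerconfigjson("docker.example.com", "kube", 'pw"x\\y', "my@email.com")
    print(check_dockerconfigjson(good))
    # The same password pasted into a JSON string without escaping.
    naive = '{"auths":{"docker.example.com":{"password":"pw"x\\y"}}}'
    print(check_dockerconfigjson(base64.b64encode(naive.encode()).decode()))
```

To check a rendered chart, pass the .dockerconfigjson value from the output of helm template to check_dockerconfigjson before installing.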

The question comes from Stack Exchange; question author: Rotareti
