Remove env.configFilePath and env.secretsFilePath

USA-RedDragon · USA-RedDragon · commit eb25547a23b1 · 2025-06-30T10:59:46.000-05:00
These utilize `.Files.Get` in Helm Per the Helm docs (https://helm.sh/docs/chart_template_guide/accessing_files/): > Some files cannot be accessed through the .Files object, usually for security reasons. > Files outside of a Helm application subchart, including those of the parent, cannot be accessed Because of this, `.env.configFilePath` and `env.secretsFilePath` are only ever usable if you have a copy of this repo in your local directory when installing. When installing the Helm chart through the https://helm.releases.hashicorp.com release, because the chart is pulled from the HashiCorp repo, these files are not considered a part of the chart, causing `.env.configFilePath` and `env.secretsFilePath` to always be a no-op. This has caused confusion on a support ticket, so I propose we remove these two values entirely. Examples/proof: Working because we edit the chart itself (install `.`) ```bash echo 'TFE_HOSTNAME: "testing"' > env-config.yaml helm template tfe . --set "env.configFilePath=`pwd`/env-config.yaml" ``` Not working because we are pulling from the HashiCorp repo ```bash echo 'TFE_HOSTNAME: "testing"' > env-config.yaml helm template tfe hashicorp/terraform-enterprise --set "env.configFilePath=`pwd`/env-config.yaml" ```
diff --git a/env-config.yaml b/env-config.yaml
diff --git a/env-secrets.yaml b/env-secrets.yaml
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -84,20 +84,6 @@ and base64 encodes the value.
 {{- end }}
 {{- end }}
 
-{{/*
-Prints the file contents of the environment secrets file
-and base64 encodes the value from the key-value pair.
-*/}}
-{{- define "helpers.enc-b64-secrets-file" }}
-{{- range .Files.Lines .Values.env.secretsFilePath }}
-{{- $kv := splitList ":" . -}}
-{{- $k := first $kv -}}
-{{- if and ($k) (eq (hasPrefix "#" $k) false)  }}
-{{ $k }}: {{ trim (last $kv) | b64enc }}
-{{- end }}
-{{- end }}
-{{- end }}
-
 {{/*
 Define helper to conditionally add securityContext to agentWorkerPodTemplate.
 It does not output anything if agentWorkerPodTemplate is empty and OpenShift is not enabled.
diff --git a/templates/config-map.yaml b/templates/config-map.yaml
@@ -34,6 +34,3 @@ data:
   TFE_METRICS_HTTP_PORT: "{{ .Values.tfe.metrics.httpPort }}"
   TFE_METRICS_HTTPS_PORT: "{{ .Values.tfe.metrics.httpsPort }}"
   {{- end }}
-{{- if .Values.env.configFilePath }}
-{{ .Files.Get .Values.env.configFilePath | indent 2 }}
-{{- end }}
diff --git a/templates/secret.yaml b/templates/secret.yaml
@@ -50,6 +50,3 @@ metadata:
   namespace: {{ .Release.Namespace }}
 data:
 {{- include "helpers.list-env-secrets" . | indent 2 }}
-{{- if .Values.env.secretsFilePath }}
-{{- include "helpers.enc-b64-secrets-file" . | indent 2 }}
-{{- end }}
diff --git a/values.yaml b/values.yaml
@@ -264,8 +264,6 @@ openshift:
   enabled: false
 
 env:
-  # configFilePath: env-config.yaml
-  # secretsFilePath: # env-secrets.yaml
   # configMapRefs:
   #   - name:
   # secretRefs:
