[14:03:08] I'm looking at T404162 (security ACL) in which we're trying to populate a kubernetes Secret with the `wikiadmin_pass` password currently defined in /srv/git/private/modules/passwords/manifests/init.pp. The way I understand it, only secrets defined in `hieradata/role/common/deployment_server/kubernetes.yaml` get materialized in [14:03:08] /etc/helmfile-default/private on the deployment server. is there a way to pull that secret as well without having to duplicate it into hieradata/role/common/deployment_server/kubernetes.yaml? [14:17:08] brouberol: I didn't check but it is puppet that renders /etc/helmfile-defaults/private on the deployment servers, so any logic should be there [14:17:45] * brouberol facepalms. of course [14:17:49] thanks! [14:18:11] it also renders that with wmflib::inject_secret() wrapped around it [14:29:49] oh so I could have password_key: secret(passwords::misc::scripts::wikiadmin_pass) within my service secrets, in the kubernetes.yaml file ? [14:32:50] seems like its more `secret(path/to/secretfile)` [14:33:49] which means that I could define the admin password in a dedicated file and use `secret(path/to/that/file)` in both `modules/passwords/manifests/init.pp` and `hieradata/role/common/deployment_server/kubernetes.yaml` [14:36:32] am I correct in that interpretation, cdanis? [14:38:42] I believe so yeah brouberol -- and you should be able to test that out with labs-private and PCC [14:40:06] (aiui the 'passwords' class in secret puppet is long-deprecated but still of course in wide use) [16:57:40] does it really take 6+ minutes to helm-lint admin_ng 🫠 [17:56:34] yep. It's the bed we made for ourselves [17:57:06] thanks for the feedback. I had to manage the kiddo this afternoon but I'll have a look at all of this tomorrow [17:57:28] the issue isn't manifesting anywhere public at least [17:57:33] yeah, I saw, that's good [17:57:47] if you get stuck tomorrow on the puppet bits, feel free to poke me [18:01:31] thanks