# helm-secrets

## Usage

### Decrypt secrets via plugin command

Wraps the whole helm command. Slow on multiple value files.

```bash
helm secrets upgrade name . -f secrets.yaml
```

### Decrypt secrets via protocol handler

Runs decryption only on the specified value files.

```bash
helm upgrade name . -f secrets://secrets.yaml
```

See docs/USAGE.md for more information.
## ArgoCD

For running helm-secrets with ArgoCD, see docs/ARGOCD.md for more information.
## Installation and Dependencies

### SOPS

If you use sops with helm-secrets, the sops CLI tool is needed.

You can install it manually using Homebrew:

```bash
brew install sops
```

Download: https://github.com/mozilla/sops/releases/latest

sops 3.2.0 is required at minimum.
### vals

vals is a tool for managing configuration values and secrets from various sources.

It supports various backends including:

- Vault
- AWS SSM Parameter Store
- AWS Secrets Manager
- AWS S3
- GCP Secrets Manager
- Azure Key Vault
- SOPS-encrypted files
- Terraform State
- Plain File

All clients are integrated into vals; no additional tools are required.

Download: https://github.com/variantdev/vals/releases/latest
### Hashicorp Vault

If you use Vault with helm-secrets, the vault CLI tool is needed.

You can install it manually using Homebrew:

```bash
brew install vault
```

Download: https://www.vaultproject.io/downloads
### envsubst

If you have stored your secrets inside environment variables, you can use the envsubst driver.

```bash
brew install gettext
```

### Doppler

If you use Doppler with helm-secrets, the doppler CLI tool is needed.

```bash
brew install dopplerhq/cli/doppler
```

You need to make sure the chart folder, or one of its parent folders, is in the correct CLI scope with enough access to the project.
### SOPS git diff

The git config part is installed with the plugin, but to be fully functional the following needs to be added to the .gitattributes file in the root directory of a charts repo:

```
secrets.yaml diff=sopsdiffer
secrets.*.yaml diff=sopsdiffer
```

More info on the sops page.

By default, helm plugin install does this for you.
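The `.gitattributes` lines only take effect together with a `diff.sopsdiffer.textconv` entry in the git config. The following added shell example (not the plugin's own install hook) builds a throw-away repository, adds both parts, and uses `git check-attr` to confirm which files git will route through the filter. The textconv command `sops -d` is the one documented on the sops page and is assumed here; the plugin installs the config part globally rather than per repository.

```bash
#!/usr/bin/env sh
# Added example, not part of helm-secrets: wire up and verify the sopsdiffer
# git integration in a throw-away repository.
# Assumptions: git is installed; the textconv command is `sops -d` as
# documented on the sops page (the plugin's install hook may differ).

REPO=$(mktemp -d)
git -C "$REPO" init -q

# .gitattributes: route secrets files through the sopsdiffer diff driver.
cat > "$REPO/.gitattributes" <<'EOF'
secrets.yaml diff=sopsdiffer
secrets.*.yaml diff=sopsdiffer
EOF

# The "git config part": tell git how to render sopsdiffer files before
# diffing them. Repo-local here; the plugin installs it globally.
git -C "$REPO" config diff.sopsdiffer.textconv "sops -d"

# uses_sopsdiffer PATH: returns 0 if PATH (relative to the repo root)
# resolves to the sopsdiffer diff driver, 1 otherwise.
uses_sopsdiffer() {
    attr=$(git -C "$REPO" check-attr diff -- "$1" | awk '{print $NF}')
    [ "$attr" = "sopsdiffer" ]
}

# sopsdiffer_textconv: prints the command git will run on sopsdiffer files.
sopsdiffer_textconv() {
    git -C "$REPO" config --get diff.sopsdiffer.textconv
}

# Demonstration: which files would be decrypted for `git diff`?
for f in secrets.yaml secrets.prod.yaml charts/app/secrets.yaml values.yaml; do
    if uses_sopsdiffer "$f"; then
        echo "$f -> $(sopsdiffer_textconv)"
    else
        echo "$f -> plain diff"
    fi
done
```

A file that does not match the patterns (values.yaml in the run above) is diffed as-is, which is the expected behaviour: only files that are sops-encrypted should ever be handed to `sops -d`.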
### Using Helm plugin manager

Install a specific version (recommended):

```bash
helm plugin install https://github.com/jkroepke/helm-secrets --version v3.8.2
```

Install the latest unstable version from the main branch:

```bash
helm plugin install https://github.com/jkroepke/helm-secrets
```

Find the latest version here: https://github.com/jkroepke/helm-secrets/releases
### Manual installation

#### Latest version

Windows (inside cmd, needs to be verified):

```cmd
curl -LsSf https://github.com/jkroepke/helm-secrets/releases/latest/download/helm-secrets.tar.gz | tar -C "%APPDATA%\helm\plugins" -xzf-
```

MacOS / Linux:

```bash
curl -LsSf https://github.com/jkroepke/helm-secrets/releases/latest/download/helm-secrets.tar.gz | tar -C "$(helm env HELM_PLUGINS)" -xzf-
```

#### Specific version

Windows (inside cmd, needs to be verified):

```cmd
curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.8.2/helm-secrets.tar.gz | tar -C "%APPDATA%\helm\plugins" -xzf-
```

MacOS / Linux:

```bash
curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.8.2/helm-secrets.tar.gz | tar -C "$(helm env HELM_PLUGINS)" -xzf-
```
### Installation on Helm 2

Helm 2 doesn't support downloading plugins. Since unknown keys in plugin.yaml are fatal, plugin installation needs special handling.

Error on Helm 2 installation:

```
# helm plugin install https://github.com/jkroepke/helm-secrets
Error: yaml: unmarshal errors:
  line 12: field platformCommand not found in type plugin.Metadata
```

Workaround:

- Install helm-secrets via manual installation, but extract it inside the helm2 plugin directory, e.g. `$(helm home)/plugins/`
- Strip `platformCommand` from `plugin.yaml`, like:

  ```bash
  sed -i '/platformCommand:/,+2 d' "${HELM_HOME:-"${HOME}/.helm"}/plugins/helm-secrets*/plugin.yaml"
  ```

- Done

Click here for an example!
### Explicitly specify binary path

If sops is installed at a non-default location, or if you have multiple versions of sops on your system, you can use HELM_SECRETS_$DRIVER_PATH to explicitly specify the sops binary to be used.

```bash
# Example for in-tree drivers via environment variable
HELM_SECRETS_SOPS_PATH=/custom/location/sops helm secrets view ./tests/assets/helm_vars/secrets.yaml
HELM_SECRETS_VALS_PATH=/custom/location/vals helm secrets view ./tests/assets/helm_vars/secrets.yaml
```

### Change secret driver

It's possible to use another secret driver than sops, e.g. Hashicorp Vault.

Start with a copy of the sops driver and adjust it to your own needs.

The custom driver can be loaded via the HELM_SECRETS_DRIVER parameter or the -d option (higher preference):

Example for in-tree drivers via option:

```bash
helm secrets -d sops view ./tests/assets/helm_vars/secrets.yaml
```

Example for in-tree drivers via environment variable:

```bash
HELM_SECRETS_DRIVER=vault helm secrets view ./tests/assets/helm_vars/secrets.yaml
```

Example for out-of-tree drivers:

```bash
helm secrets -d ./path/to/driver.sh view ./tests/assets/helm_vars/secrets.yaml
```

Pull Requests are much appreciated.

The driver option is a global one. A file-level switch isn't supported yet.
### Pass additional arguments to secret driver

```bash
helm secrets -a "--verbose" view ./tests/assets/helm_vars/secrets.yaml
```

results in:

```
[PGP] INFO[0000] Decryption succeeded fingerprint=D6174A02027050E59C711075B430C4E58E2BBBA3
[SOPS] INFO[0000] Data key recovered successfully
[SOPS] DEBU[0000] Decrypting tree
[helm-secrets] Decrypt: tests/assets/values/sops/secrets.yaml
==> Linting examples/sops
[INFO] Chart.yaml: icon is recommended
1 chart(s) linted, 0 chart(s) failed
[helm-secrets] Removed: tests/assets/values/sops/secrets.yaml.dec
```
## Main features

The current version of this plugin uses mozilla/sops by default as backend.

Hashicorp Vault is supported as a secret source since v3.2.0, too. In addition, sops supports Vault natively since v3.6.0.

What kind of problems this plugin solves:

- Simple replaceable layer integrated with the helm command for encrypting, decrypting and viewing secrets files stored in any place.
- On-the-fly decryption and cleanup for helm install/upgrade with a helm command wrapper

If you are using sops (used by default) you have some additional features:

- Support for YAML/JSON structures encryption - Helm YAML secrets files
- Encryption per value, so a visual diff works even on encrypted files
- On-the-fly decryption for git diff
- Multiple key management solutions like PGP, AWS KMS and GCP KMS at the same time
- Simple adding/removing of keys
- With AWS KMS, permissions management for keys
- Secrets files directory tree separation with recursive .sops.yaml files search
- Extracting sub-elements from an encrypted file structure
- Encrypt only part of a file if needed. Example encrypted file

Additional documentation, resources and examples can be found here.
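Because sops encrypts per value and leaves the YAML structure readable, a file that was edited in plaintext and never re-encrypted looks almost identical to a properly encrypted one, and it is easy to commit by mistake. The following added shell example (not part of helm-secrets) is a pre-commit style check that rejects such files: it requires the trailing `sops:` metadata block with its `mac`, and flags every scalar in the data section that is not an `ENC[...]` literal. It assumes the layout sops writes (metadata block last, default `_unencrypted` suffix for intentionally plaintext keys); files that rely on `encrypted_regex` to leave other keys in plaintext would need those keys added to the allow-list. The sample files and their `ENC[...]` literals are constructed placeholders, not real ciphertext.

```bash
#!/usr/bin/env sh
# Added example, not part of helm-secrets: check that a secrets.yaml really is
# sops-encrypted before it is committed.
# Assumptions: metadata block `sops:` comes last (as sops writes it), every
# encrypted scalar is an ENC[...] literal, keys ending in the default
# `_unencrypted` suffix are legitimately plaintext.

# is_sops_encrypted FILE: returns 0 if FILE looks fully sops-encrypted,
# 1 otherwise; offending lines are reported on stderr.
is_sops_encrypted() {
    file="$1"
    # sops always appends a metadata block carrying a MAC over the values.
    grep -q '^sops:' "$file" || { echo "$file: no sops metadata block" >&2; return 1; }
    grep -q '^[[:space:]]*mac: ENC\[' "$file" || { echo "$file: sops block has no mac" >&2; return 1; }
    # Walk the data section (everything before `sops:`) and collect scalars
    # that are not ENC[...] literals.
    plain=$(awk '
        /^sops:/ { exit }                                  # metadata block: stop
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments and blank lines
        {
            line = $0
            sub(/^[[:space:]]*/, "", line)
            if (line ~ /^- /) line = substr(line, 3)       # sequence item marker
            if (line ~ /:[[:space:]]*$/) next              # key introducing a nested block
            idx = index(line, ": ")
            if (idx > 0) {
                key = substr(line, 1, idx - 1)
                val = substr(line, idx + 2)
                if (key ~ /_unencrypted$/) next            # intentionally plaintext
            } else {
                val = line                                  # bare sequence scalar
            }
            if (val !~ /^ENC\[/) print NR ": " $0
        }' "$file")
    if [ -n "$plain" ]; then
        printf '%s: plaintext values found:\n%s\n' "$file" "$plain" >&2
        return 1
    fi
    return 0
}

# Constructed sample files (placeholder ENC[...] literals, not real ciphertext).
SAMPLE_DIR=$(mktemp -d)

# Properly encrypted: every secret is ENC[...], one key is allowed plaintext.
cat > "$SAMPLE_DIR/secrets.yaml" <<'EOF'
db:
    password: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
    host_unencrypted: db.internal.example
api_keys:
    - ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
sops:
    kms: []
    lastmodified: '2021-01-01T00:00:00Z'
    mac: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
    pgp:
    -   created_at: '2021-01-01T00:00:00Z'
        enc: |
            -----BEGIN PGP MESSAGE-----
            placeholder
            -----END PGP MESSAGE-----
        fp: 0000000000000000000000000000000000000000
    unencrypted_suffix: _unencrypted
EOF

# Same file after someone edited the password in plaintext and forgot sops -e:
# the metadata block is still there, so only a per-value check catches it.
sed 's/^    password: ENC\[.*/    password: changeme/' "$SAMPLE_DIR/secrets.yaml" \
    > "$SAMPLE_DIR/secrets.plaintext.yaml"

# Never encrypted at all: no sops block.
printf 'db:\n    password: changeme\n' > "$SAMPLE_DIR/values.yaml"

# Demonstration: a non-zero status is what a pre-commit hook would act on.
for f in secrets.yaml secrets.plaintext.yaml values.yaml; do
    if is_sops_encrypted "$SAMPLE_DIR/$f" 2>/dev/null; then
        echo "$f: encrypted, safe to commit"
    else
        echo "$f: REJECTED"
    fi
done
```

The check deliberately does not decrypt anything, so it runs in CI without access to any KMS or PGP key; verifying that the MAC actually matches the values is left to `sops -d`, which refuses files whose MAC does not verify.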
## ArgoCD support

helm-secrets detects an ArgoCD environment by the ARGOCD_APP_NAME environment variable. If detected, HELM_SECRETS_QUIET is set to true.

See USAGE.md for an example.

## Terraform support

The terraform helm provider does not support downloader plugins.

An example of how to use helm-secrets with terraform can be found in contrib/terraform.
## Moving parts of project

- `scripts/run.sh` - Main helm-secrets plugin code for all helm-secrets plugin actions available in `helm secrets help` after plugin install
- `scripts/drivers` - Location of the in-tree secrets drivers
- `scripts/commands` - Sub commands of `helm secrets` are defined here.
- `scripts/lib` - Common functions used by `helm secrets`.
- `scripts/wrapper` - Wrapper scripts for Windows systems.
- `tests` - Test scripts to check if all parts of the plugin work. Using test assets with PGP keys to make real tests on real data with real encryption/decryption. See `tests/README.md` for more information.
- `examples` - Some example secrets.yaml
## Copyright and license

© 2020-2021 Jan-Otto Kröpke (jkroepke)

© 2017-2020 Zendesk

Licensed under the Apache License, Version 2.0