helm-secrets
About
helm-secrets is a Helm plugin for decrypt encrypted Helm value files on the fly.
- Use sops to encrypt value files and store them into git.
- Store your secrets a cloud native secret manager like AWS SecretManager, Azure KeyVault or HashiCorp Vault and inject them inside value files or templates.
- Use helm-secret in your favorite deployment tool or GitOps Operator like ArgoCD
Who’s actually using helm-secrets? If you are using helm-secrets in your company or organization, we would like to invite you to create a PR to add your information to this file.
Installation
See Installation for more information.
Usage
For full documentation, read GitHub wiki.
Decrypt secrets via protocol handler
Run decrypted command on specific value files. This is method is preferred over the plugin command below. This mode is used in ArgoCD environments.
On Windows, the command helm secrets patch windows
needs to be run first.
helm upgrade name . -f secrets://secrets.yaml
See Usage for more information
Decrypt secrets via plugin command
Wraps the whole helm
command. Slow on multiple value files.
helm secrets upgrade name . -f secrets.yaml
Evaluate secret reference inside helm template
requires helm 3.9+; vals 0.20+
helm-secrets supports evaluating vals expressions inside Helm templates by
enable the flag --evaluate-templates
.
secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: secret
type: Opaque
stringData:
password: "ref+awsssm://foo/bar?mode=singleparam#/BAR"
Run
helm secrets --evaluate-templates upgrade name .
Cloud support
Use AWS Secrets Manager or Azure KeyVault for storing secrets securely and reference them inside values.yaml
helm secrets --backend vals template bitnami/mysql --name-template mysql \
--set auth.rootPassword=ref+awsssm://foo/bar?mode=singleparam#/BAR
See Cloud Integration for more information.
ArgoCD support
For running helm-secrets with ArgoCD, see ArgoCD Integration for more information.
Example
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: app
spec:
source:
helm:
valueFiles:
- secrets+gpg-import:///helm-secrets-private-keys/key.asc?secrets.yaml
- secrets+gpg-import-kubernetes://argocd/helm-secrets-private-keys#key.asc?secrets.yaml
- secrets://secrets.yaml
# fileParameters (--set-file) are supported, too.
fileParameters:
- name: config
path: secrets://secrets.yaml
# directly reference values from Cloud Providers
- name: mysql.rootPassword
path: secrets+literal://ref+azurekeyvault://my-vault/secret-a
Terraform support
The Terraform Helm provider does not support downloader plugins.
helm-secrets can be used together with the Terraform external data source provider.
Example
data "external" "helm-secrets" {
program = ["helm", "secrets", "decrypt", "--terraform", "../../examples/sops/secrets.yaml"]
}
resource "helm_release" "example" {
values = [
file("../../examples/sops/values.yaml"),
base64decode(data.external.helm-secrets.result.content_base64),
]
}
An example of how to use helm-secrets with Terraform could be found in examples/terraform.
Secret backends
helm-secrets support multiple secret backends. Currently, sops and vals are supported.
See Secret-Backends how to use them.
Documentation
An additional documentation, resources and examples can be found here.
Moving parts of project
scripts/run.sh
- Main helm-secrets plugin code for all helm-secrets plugin actions available inhelm secrets help
after plugin installscripts/backends
- Location of the in-tree secrets backendsscripts/commands
- Sub Commands ofhelm secrets
are defined here.scripts/lib
- Common functions used byhelm secrets
.scripts/wrapper
- Wrapper scripts for Windows systems.tests
- Test scripts to check if all parts of the plugin work. Using test assets with PGP keys to make real tests on real data with real encryption/decryption. Seetests/README.md
for more informations.examples
- Some example secrets.yaml
Copyright and license
© 2020-2022 Jan-Otto Kröpke (jkroepke)
© 2017-2020 Zendesk
Licensed under the Apache License, Version 2.0