• Stars
    star
    937
  • Rank 48,766 (Top 1.0 %)
  • Language
    Shell
  • License
    Apache License 2.0
  • Created about 6 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A helm plugin that help manage secrets with Git workflow and store them anywhere

CI License Current Release GitHub all releases GitHub issues GitHub pull requests codecov Artifact Hub

helm-secrets

About

helm-secrets is a Helm plugin for decrypt encrypted Helm value files on the fly.

  • Use sops to encrypt value files and store them into git.
  • Store your secrets a cloud native secret manager like AWS SecretManager, Azure KeyVault or HashiCorp Vault and inject them inside value files or templates.
  • Use helm-secret in your favorite deployment tool or GitOps Operator like ArgoCD

Who’s actually using helm-secrets? If you are using helm-secrets in your company or organization, we would like to invite you to create a PR to add your information to this file.

Installation

See Installation for more information.

Usage

For full documentation, read GitHub wiki.

Decrypt secrets via protocol handler

Run decrypted command on specific value files. This is method is preferred over the plugin command below. This mode is used in ArgoCD environments.

On Windows, the command helm secrets patch windows needs to be run first.

helm upgrade name . -f secrets://secrets.yaml

See Usage for more information

Decrypt secrets via plugin command

Wraps the whole helm command. Slow on multiple value files.

helm secrets upgrade name . -f secrets.yaml

Evaluate secret reference inside helm template

requires helm 3.9+; vals 0.20+

helm-secrets supports evaluating vals expressions inside Helm templates by enable the flag --evaluate-templates.

secrets.yaml

apiVersion: v1
kind: Secret
metadata:
  name: secret
type: Opaque
stringData:
  password: "ref+awsssm://foo/bar?mode=singleparam#/BAR"

Run

helm secrets --evaluate-templates upgrade name .

Cloud support

Use AWS Secrets Manager or Azure KeyVault for storing secrets securely and reference them inside values.yaml

helm secrets --backend vals template bitnami/mysql --name-template mysql \
  --set auth.rootPassword=ref+awsssm://foo/bar?mode=singleparam#/BAR

See Cloud Integration for more information.

ArgoCD support

For running helm-secrets with ArgoCD, see ArgoCD Integration for more information.

Example

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app
spec:
  source:
    helm:
      valueFiles:
        - secrets+gpg-import:///helm-secrets-private-keys/key.asc?secrets.yaml
        - secrets+gpg-import-kubernetes://argocd/helm-secrets-private-keys#key.asc?secrets.yaml
        - secrets://secrets.yaml
      # fileParameters (--set-file) are supported, too. 
      fileParameters:
        - name: config
          path: secrets://secrets.yaml
        # directly reference values from Cloud Providers
        - name: mysql.rootPassword
          path: secrets+literal://ref+azurekeyvault://my-vault/secret-a

Terraform support

The Terraform Helm provider does not support downloader plugins.

helm-secrets can be used together with the Terraform external data source provider.

Example

data "external" "helm-secrets" {
  program = ["helm", "secrets", "decrypt", "--terraform", "../../examples/sops/secrets.yaml"]
}

resource "helm_release" "example" {
  

  values = [
    file("../../examples/sops/values.yaml"),
    base64decode(data.external.helm-secrets.result.content_base64),
  ]
}

An example of how to use helm-secrets with Terraform could be found in examples/terraform.

Secret backends

helm-secrets support multiple secret backends. Currently, sops and vals are supported.

See Secret-Backends how to use them.

Documentation

An additional documentation, resources and examples can be found here.

Moving parts of project

  • scripts/run.sh - Main helm-secrets plugin code for all helm-secrets plugin actions available in helm secrets help after plugin install
  • scripts/backends - Location of the in-tree secrets backends
  • scripts/commands - Sub Commands of helm secrets are defined here.
  • scripts/lib - Common functions used by helm secrets.
  • scripts/wrapper - Wrapper scripts for Windows systems.
  • tests - Test scripts to check if all parts of the plugin work. Using test assets with PGP keys to make real tests on real data with real encryption/decryption. See tests/README.md for more informations.
  • examples - Some example secrets.yaml

Copyright and license

© 2020-2022 Jan-Otto Kröpke (jkroepke)

© 2017-2020 Zendesk

Licensed under the Apache License, Version 2.0

More Repositories

1

2Moons

Open Source Browsergame Framework
PHP
146
star
2

lens-extension-certificate-info

See expire date from certificates inside kubernetes secrets.
TypeScript
44
star
3

openvpn-auth-azure-ad

openvpn-auth-azure-ad connects to the OpenVPN management interface and handle the authentication ageist Azure AD.
Python
27
star
4

openvpn-auth-oauth2

openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC auth flows
Go
21
star
5

draw-io-cncf-shape

This is collection of the CNCF logos packed into a draw.io importable file to draw cloud native architectures
JavaScript
17
star
6

homebrew-openlens

TAP to distribute OpenLens
Ruby
15
star
7

homelab

Personal homelab environment for everything what I do.
HCL
10
star
8

github_exporter

Export various metrics including insights about github repositories
JavaScript
9
star
9

helm-kubectl

A helm plugin for ArgoCD to support the lookup function
Shell
8
star
10

jenkins-declarative-gdsl

gdsl declarative Jenkins pipeline
6
star
11

postgres-database-operator

A Kubernetes operator to create databases inside a running postgresql instance.
Python
5
star
12

puppet-systemctl

puppet module to manage systemd services
Puppet
3
star
13

adventofcode

JavaScript
2
star
14

setup-vals

Github Action for installing vals (https://github.com/helmfile/vals)
JavaScript
2
star
15

azure-managed-identity-oidc-demo

This repo this for demo purpose. This is a demo demonstrate, how to assume a Azure user managed identity as external user using azure workload identity.
HTML
2
star
16

terraform-module-azurerm-yaml

Terraform module for describing resources as YAML file
HCL
1
star
17

jkroepke

1
star
18

webhook

Simple webhook service written in python
Python
1
star
19

keycloak-extension-oidc-cloud-identities

Java
1
star
20

docker-backuppc

Docker Container for BackupPC 4
Dockerfile
1
star
21

featurebook-js

Fork of SOFTWARE-CLINIC/featurebook-*
JavaScript
1
star
22

create-commit

A GitHub actions to create signed commits from actions.
1
star
23

rhn-yum-plugin

Additional YUM Plugin to successfully build docker images in a enterprise RHEL world
Python
1
star
24

openshift-mta

MTA in a Docker primary designed for secure Openshift environment
Shell
1
star
25

puppet-systemd

Puppet
1
star
26

terraform-provider-azureakscommand

Terraform provider for running commands on private AKS clusters without reach them
Go
1
star
27

grafana-provisioner-reloader

A Grafana App which trigger the provisioner reload API on filesystem changes.
1
star