Skip to content

Latest commit

 

History

History
181 lines (122 loc) · 6.91 KB

README.md

File metadata and controls

181 lines (122 loc) · 6.91 KB

CI License Current Release GitHub Repo stars GitHub all releases GitHub issues GitHub pull requests codecov Artifact Hub

helm-secrets

⭐ Don't forget to star this repository! ⭐

About

helm-secrets is a Helm plugin to decrypt encrypted Helm value files on the fly.

  • Use sops to encrypt value files and store them in git.
  • Store your secrets in a cloud native secret manager like AWS SecretManager, Azure KeyVault or HashiCorp Vault and inject them inside value files or templates.
  • Use helm-secret in your favorite deployment tool or GitOps Operator like ArgoCD

Who’s actually using helm-secrets? If you are using helm-secrets in your company or organization, we would like to invite you to create a PR to add your information to this file.

Installation

See Installation for more information.

Usage

For full documentation, read GitHub wiki.

Decrypt secrets via protocol handler

Run decrypted command on specific value files. This method is preferred over the plugin command below. This mode is used in ArgoCD environments.

helm upgrade name . -f secrets://secrets.yaml

See Usage for more information

Decrypt secrets via plugin command

Wraps the whole helm command. Slow on multiple value files.

helm secrets upgrade name . -f secrets.yaml

Evaluate secret reference inside helm template

requires helm 3.9+; vals 0.20+

helm-secrets supports evaluating vals expressions inside Helm templates with the flag --evaluate-templates.

secrets.yaml

apiVersion: v1
kind: Secret
metadata:
  name: secret
type: Opaque
stringData:
  password: "ref+awsssm://foo/bar?mode=singleparam#/BAR"

Run

helm secrets --evaluate-templates upgrade name .

Cloud support

Use AWS Secrets Manager or Azure KeyVault for storing secrets securely and reference them inside values.yaml

helm secrets --backend vals template bitnami/mysql --name-template mysql \
  --set auth.rootPassword=ref+awsssm://foo/bar?mode=singleparam#/BAR

See Cloud Integration for more information.

ArgoCD support

For running helm-secrets with ArgoCD, see ArgoCD Integration for more information.

Example

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app
spec:
  source:
    helm:
      valueFiles:
        - secrets+gpg-import:///helm-secrets-private-keys/key.asc?secrets.yaml
        - secrets+gpg-import-kubernetes://argocd/helm-secrets-private-keys#key.asc?secrets.yaml
        - secrets://secrets.yaml
      # fileParameters (--set-file) are supported, too. 
      fileParameters:
        - name: config
          path: secrets://secrets.yaml
        # directly reference values from Cloud Providers
        - name: mysql.rootPassword
          path: secrets+literal://ref+azurekeyvault://my-vault/secret-a

Terraform support

The Terraform Helm provider does not support downloader plugins.

helm-secrets can be used together with the Terraform external data source provider.

Example

data "external" "helm-secrets" {
  program = ["helm", "secrets", "decrypt", "--terraform", "../../examples/sops/secrets.yaml"]
}

resource "helm_release" "example" {
  

  values = [
    file("../../examples/sops/values.yaml"),
    base64decode(data.external.helm-secrets.result.content_base64),
  ]
}

An example of how to use helm-secrets with Terraform can be found in examples/terraform.

Secret backends

helm-secrets support multiple secret backends. Currently, sops and vals are supported.

See Secret-Backends how to use them.

Documentation

Additional documentation, resources and examples can be found here.

Moving parts of project

  • scripts/run.sh - Main helm-secrets plugin code for all helm-secrets plugin actions available in helm secrets help after plugin install
  • scripts/backends - Location of the in-tree secrets backends
  • scripts/commands - Sub Commands of helm secrets are defined here.
  • scripts/lib - Common functions used by helm secrets.
  • scripts/wrapper - Wrapper scripts for Windows systems.
  • tests - Test scripts to check if all parts of the plugin work. Using test assets with PGP keys to make real tests on real data with real encryption/decryption. See tests/README.md for more information.
  • examples - Some example secrets.yaml

Open Source Sponsors

Thanks to all sponsors!

Copyright and license

© 2020-2022 Jan-Otto Kröpke (jkroepke)

© 2017-2020 Zendesk

Licensed under the Apache License, Version 2.0

Thanks

JetBrains-Logo (Haupt) logo