jkroepke / helm-secrets

A helm plugin that helps manage secrets with a Git workflow and store them anywhere

Home Page: https://github.com/jkroepke/helm-secrets/wiki

License: Apache License 2.0


helm-secrets's Introduction


helm-secrets

⭐ Don't forget to star this repository! ⭐

About

helm-secrets is a Helm plugin to decrypt encrypted Helm value files on the fly.

  • Use sops to encrypt value files and store them in git.
  • Store your secrets in a cloud native secret manager like AWS Secrets Manager, Azure KeyVault or HashiCorp Vault and inject them inside value files or templates.
  • Use helm-secrets in your favorite deployment tool or GitOps operator like ArgoCD.

Who’s actually using helm-secrets? If you are using helm-secrets in your company or organization, we would like to invite you to create a PR to add your information to this file.

Installation

See Installation for more information.

Usage

For full documentation, read GitHub wiki.

Decrypt secrets via protocol handler

Runs the decrypt command only on the specified value files. This method is preferred over the plugin command below, and it is the mode used in ArgoCD environments.

helm upgrade name . -f secrets://secrets.yaml

See Usage for more information.

Decrypt secrets via plugin command

Wraps the whole helm command. Slow on multiple value files.

helm secrets upgrade name . -f secrets.yaml

Evaluate secret reference inside helm template

requires helm 3.9+; vals 0.20+

helm-secrets supports evaluating vals expressions inside Helm templates with the flag --evaluate-templates.

secrets.yaml

apiVersion: v1
kind: Secret
metadata:
  name: secret
type: Opaque
stringData:
  password: "ref+awsssm://foo/bar?mode=singleparam#/BAR"

Run

helm secrets --evaluate-templates upgrade name .

Cloud support

Use AWS Secrets Manager or Azure KeyVault for storing secrets securely and reference them inside values.yaml.

helm secrets --backend vals template bitnami/mysql --name-template mysql \
  --set auth.rootPassword=ref+awsssm://foo/bar?mode=singleparam#/BAR

See Cloud Integration for more information.

ArgoCD support

For running helm-secrets with ArgoCD, see ArgoCD Integration for more information.

Example

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app
spec:
  source:
    helm:
      valueFiles:
        - secrets+gpg-import:///helm-secrets-private-keys/key.asc?secrets.yaml
        - secrets+gpg-import-kubernetes://argocd/helm-secrets-private-keys#key.asc?secrets.yaml
        - secrets://secrets.yaml
      # fileParameters (--set-file) are supported, too. 
      fileParameters:
        - name: config
          path: secrets://secrets.yaml
        # directly reference values from Cloud Providers
        - name: mysql.rootPassword
          path: secrets+literal://ref+azurekeyvault://my-vault/secret-a
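To make the URL forms in the Application above concrete, here is a small parser written for this page (it is not code from the helm-secrets project or its scripts/run.sh): it splits a downloader URL into scheme, key source and value file, rejects malformed ones, and flags remote value files, which are fetched at render time rather than from the tracked git revision. The output field names scheme, key and file are assumptions made here.

```shell
#!/bin/sh
# Added example (not part of the helm-secrets README or of its scripts/run.sh):
# a parser for the downloader-plugin URL forms shown in this README.
# The output field names ("scheme", "key", "file") are assumptions made here.
#
# Supported forms (from the README examples above):
#   secrets://<file or https URL>
#   secrets+gpg-import://<key path>?<file>
#   secrets+age-import://<key path>?<file>
#   secrets+gpg-import-kubernetes://<namespace>/<secret>#<item>?<file>
#   secrets+literal://<vals expression>
#
# Prints one line "scheme=<s> key=<k> file=<f>" (key=- when no key source is
# named) and returns 1 for a malformed or unsupported URL, so a CI check can
# reject an Application manifest before Argo CD hands the URL to helm.

parse_secrets_url() {
  url="$1"
  scheme="${url%%://*}"   # text before the first "://"
  rest="${url#*://}"      # text after it (may contain "://" itself, e.g. https:// or ref+...)

  case "$scheme" in
    secrets)
      # Plain form: the remainder is the value file, a local path or an https:// URL.
      printf 'scheme=%s key=- file=%s\n' "$scheme" "$rest"
      ;;
    secrets+literal)
      # The remainder is a vals expression such as ref+azurekeyvault://my-vault/secret-a.
      printf 'scheme=%s key=- file=%s\n' "$scheme" "$rest"
      ;;
    secrets+gpg-import|secrets+age-import)
      # Key file path and value file are separated by the last "?".
      case "$rest" in
        *\?*) ;;
        *) printf 'missing "?<file>" part in %s\n' "$url" >&2; return 1 ;;
      esac
      key="${rest%\?*}"
      file="${rest##*\?}"
      printf 'scheme=%s key=%s file=%s\n' "$scheme" "$key" "$file"
      ;;
    secrets+gpg-import-kubernetes)
      # <namespace>/<secret>#<item>?<file>: the key lives in a Kubernetes Secret.
      case "$rest" in
        */*#*\?*) ;;
        *) printf 'expected namespace/secret#item?file in %s\n' "$url" >&2; return 1 ;;
      esac
      key="${rest%\?*}"
      file="${rest##*\?}"
      printf 'scheme=%s key=%s file=%s\n' "$scheme" "$key" "$file"
      ;;
    *)
      printf 'unsupported scheme: %s\n' "$scheme" >&2
      return 1
      ;;
  esac
}

# Remote value files (secrets://https://...) are fetched when helm renders the
# chart, so a change to them is not visible in the git revision Argo CD tracks.
# Returns 0 when the "file" part of a parsed URL is remote.
value_file_is_remote() {
  case "$1" in
    http://*|https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed inputs, taken from the Application manifest above; run with --demo.
if [ "${1:-}" = "--demo" ]; then
  for u in \
    'secrets://secrets.yaml' \
    'secrets+gpg-import:///helm-secrets-private-keys/key.asc?secrets.yaml' \
    'secrets+gpg-import-kubernetes://argocd/helm-secrets-private-keys#key.asc?secrets.yaml' \
    'secrets+literal://ref+azurekeyvault://my-vault/secret-a' \
    'secrets://https://raw.githubusercontent.com/org/repo/ref/pathtofile.yml'
  do
    parse_secrets_url "$u"
  done
fi
```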

Terraform support

The Terraform Helm provider does not support downloader plugins.

helm-secrets can be used together with the Terraform external data source provider.

Example

data "external" "helm-secrets" {
  program = ["helm", "secrets", "decrypt", "--terraform", "../../examples/sops/secrets.yaml"]
}

resource "helm_release" "example" {
  values = [
    file("../../examples/sops/values.yaml"),
    base64decode(data.external.helm-secrets.result.content_base64),
  ]
}

An example of how to use helm-secrets with Terraform can be found in examples/terraform.

Secret backends

helm-secrets supports multiple secret backends. Currently, sops and vals are supported.

See Secret-Backends for how to use them.

Documentation

Additional documentation, resources and examples can be found here.

Moving parts of project

  • scripts/run.sh - Main helm-secrets plugin code; implements all plugin actions listed by helm secrets help after the plugin is installed.
  • scripts/backends - Location of the in-tree secret backends.
  • scripts/commands - Subcommands of helm secrets are defined here.
  • scripts/lib - Common functions used by helm secrets.
  • scripts/wrapper - Wrapper scripts for Windows systems.
  • tests - Test scripts that check whether all parts of the plugin work. They use test assets with PGP keys to run real tests on real data with real encryption/decryption. See tests/README.md for more information.
  • examples - Some example secrets.yaml files.

Copyright and license

© 2020-2022 Jan-Otto Kröpke (jkroepke)

© 2017-2020 Zendesk

Licensed under the Apache License, Version 2.0

Thanks

JetBrains


helm-secrets's Issues

Vault driver does not abort on error

If there's an error with the raw vault command, execution continues, with helm deploying values with invalid/missing data.

Example:

$ VAULT_ADDR= helm secrets -d vault upgrade test examples/vault -f examples/vault/secrets.yaml

Get "https://127.0.0.1:8200/v1/sys/internal/ui/mounts/secret/production": dial tcp 127.0.0.1:8200: connect: connection refused
Error while get secret from vault!
vault kv get -format=yaml -field=pod_annotation secret/production
[helm-secrets] Decrypt: examples/vault/secrets.yaml
Error: UPGRADE FAILED: "test" has no deployed releases

[helm-secrets] Removed: examples/vault/secrets.yaml.dec
Error: plugin "secrets" exited with error

The Error: UPGRADE FAILED line is where helm would have deployed broken values.

I'm not a raw shell guy, so I don't know why exactly this change fixes it, but it does:

--- a/scripts/commands/dec.sh
+++ b/scripts/commands/dec.sh
@@ -34,7 +34,7 @@ decrypt_helper() {

     file_dec="$(file_dec_name "${file}")"

-    if ! driver_decrypt_file "yaml" "${file}" "${file_dec}"; then
+    if ! $(driver_decrypt_file "yaml" "${file}" "${file_dec}"); then
         printf 'Error while decrypting file: %s\n' "${file}"
         exit 1
     fi
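Review bot: The `$(...)` wrapper on the changed `if` line works by accident rather than by design: the command substitution captures whatever driver_decrypt_file writes to stdout and then executes that text as a command, and bash only reports the substitution's exit status because the expansion yields no command name, which is bash-specific behaviour; any stdout the driver ever produces would be run as a command. The robust fix is for driver_decrypt_file (or the vault backend that prints "Error while get secret from vault!") to return a non-zero status explicitly after the error message, e.g. `return 1`, so that the original `if ! driver_decrypt_file "yaml" "${file}" "${file_dec}"; then` line detects the failure without a subshell.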

Result:

$ VAULT_ADDR= helm secrets -d vault upgrade test examples/vault -f examples/vault/secrets.yaml

Get "https://127.0.0.1:8200/v1/sys/internal/ui/mounts/secret/production": dial tcp 127.0.0.1:8200: connect: connection refused
Error while get secret from vault!
vault kv get -format=yaml -field=pod_annotation secret/production
Error while decrypting file: examples/vault/secrets.yaml
Error: plugin "secrets" exited with error

My suspicion is that it has to do with return vs exit codes, set -e and subshells ¯\_(ツ)_/¯. There may be more instances of this.

Example with sops age encryption configuration

Problem Statement

I've configured sops with the modern age encryption backend, and it works via direct commands like this:

sops --encrypt --age age16nq3gv6rjuqkk73wkt5ek0qm9m7gesnj4enhwqm2cqv78p8whsssyed2kw ./secrets.yaml > ./secrets.yaml.enc

But I can't understand how to configure the helm secrets plugin to work with the age mode of sops.

If I simply run the helm secrets enc file.yaml command, I get an error:

$ helm secrets enc ./secrets.yaml 
Encrypting ./secrets.yaml
config file not found and no keys provided through command line options
Error: plugin "secrets" exited with error

What config file must I create, and in what format, to tell the helm secrets plugin that I want to use sops with the age backend?

Can you please add documentation with configuration examples? Thanks!

Proposed Solution

It seems we need to pass the --age age16nq3gv6rjuqkk73wkt5ek0qm9m7gesnj4enhwqm2cqv78p8whsssyed2kw argument via the -a argument to encode? Something like this:

$ helm secrets -a "--age age16nq3gv6rjuqkk73wkt5ek0qm9m7gesnj4enhwqm2cqv78p8whsssyed2kw" enc ./secrets.yaml

And for decoding, some other argument? The direct argument for sops must be like this:

$ age --decrypt -i ~/.config/sops/keys.txt ./secrets.yaml.enc

and it decrypts well, but when I try to do the same with helm secrets, it fails with an error:

$ helm secrets -a "-i ~/.config/sops/keys.txt" dec ./secrets.yaml
[helm-secrets] Decrypting ./secrets.yaml
config file not found and no keys provided through command line options
[helm-secrets] Error while decrypting file: ./secrets.yaml
Error: plugin "secrets" exited with error

Environment

  • Helm Version: v3.7.0
  • Helm Secrets Version: 3.12.0-dev
  • OS: Ubuntu 20.04
  • Shell: bash

Additional information

No response

Acceptance Criteria

No response

Cleanup temporary files

Using secrets 3.5.1-dev and sops 3.6.1 (latest) with the vault driver, everything works fine, but the plugin leaves every yaml unencrypted in /tmp.

Age encryption in ArgoCD is not working: the URL scheme 'secrets+age-import' is not allowed

Current Behavior

When I'm trying to add an application via the ArgoCD UI or via the CLI, I'm getting the error "File does not exist".

Error log:
[helm-secrets] File does not exist: secrets+age-import:///helm-secrets-private-keys/key.txt?secrets.yaml\\nError: plugin \\\"secrets\\\" exited with error\",\"type\":\"ComparisonError\"}]}}" application=wordpress

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: wordpress
spec:
  destination:
    name: ''
    namespace: wordpress
    server: 'https://kubernetes.default.svc'
  source:
    path: xyz/example-wordpress
    repoURL: '<REPO_URL>'
    targetRevision: init
    helm:
      valueFiles:
        - values.yaml
        - secrets+age-import:///helm-secrets-private-keys/key.txt?secrets.yaml
  project: default

project tree

example-wordpress$ tree .
.
├── Chart.yaml
├── secrets.yaml
└── values.yaml

I double-checked:

  • the volume with the secret is properly mounted and accessible
  • executed helm template . -f secrets+age-import:///helm-secrets-private-keys/key.txty?secrets.yaml locally in the repo-server pod and it works as expected; the decrypted values are correct
  • tried the approach with a k8s secret for getting the age key

Expected Behavior

When I add the application in ArgoCD with values that are encrypted using age, helm secrets should decrypt them and install the app with the decrypted values.

Steps To Reproduce

No response

Environment

  • Helm Version: 3.6.0
  • Helm Secrets Version: 3.12.0
  • OS: Ubuntu 21.04
  • Shell: bash, version 5.1.4(1)-release

Anything else?

No response

[ArgoCD] Failed to get the data key required to decrypt the SOPS file

Current Behavior

When I try to deploy an application on argo-cd with a secret like:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: my-app
  namespace: argo-cd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    server: https://kubernetes.default.svc
    namespace: default
  project: default
  source:
    path: apps/
    repoURL: [email protected]:user/my-app.git
    targetRevision: HEAD
    helm:
      valueFiles:
        - values.yaml
        - secrets://secrets.yaml
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
    automated:
      prune: true
      selfHeal: true

I get an error from SOPS:

 failed exit status 2: Failed to get the data key required to decrypt the SOPS file. Group 0: FAILED 42884C51FAE6259CA8BABC4363F0C9212B8974F0: FAILED - | could not decrypt data key with PGP key: | golang.org/x/crypto/openpgp error: Could not load secring: | open /app/config/gpg/keys/secring.gpg: no such file or | directory; GPG binary error: exit status 2 Recovery failed because no master key was able to decrypt the file. In order for SOPS to recover the file, at least one key has to be successful, but none were. panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x1ae9207] goroutine 1 [running]: bytes.(*Buffer).Bytes(...) bytes/buffer.go:54 helm.sh/helm/v3/pkg/cli/values.readFile(0xc000135890, 0x16, 0xc0006efe80, 0x3, 0x4, 0xc0000a1400, 0x0, 0x0, 0x0, 0x0) helm.sh/helm/v3/pkg/cli/values/options.go:120 +0x167 helm.sh/helm/v3/pkg/cli/values.(*Options).MergeValues(0xc0004a4360, 0xc0006efe80, 0x3, 0x4, 0x1, 0x33, 0x0) helm.sh/helm/v3/pkg/cli/values/options.go:48 +0x115 main.runInstall(0xc00065c000, 0x1, 0x7e, 0xc00041a2c0, 0xc0004a4360, 0x2292040, 0xc000182008, 0x0, 0x1ffdae6, 0xa) helm.sh/helm/v3/cmd/helm/install.go:193 +0x24e main.newTemplateCmd.func2(0xc0004e8500, 0xc00065c000, 0x1, 0x7e, 0x0, 0x0) helm.sh/helm/v3/cmd/helm/template.go:82 +0x146 github.com/spf13/cobra.(*Command).execute(0xc0004e8500, 0xc00032b800, 0x7e, 0x80, 0xc0004e8500, 0xc00032b800) github.com/spf13/[email protected]/command.go:852 +0x472 github.com/spf13/cobra.(*Command).ExecuteC(0xc0002fe500, 0xc00013e1b0, 0x1, 0xc00079ff60) github.com/spf13/[email protected]/command.go:960 +0x375 github.com/spf13/cobra.(*Command).Execute(...) github.com/spf13/[email protected]/command.go:897 main.main() helm.sh/helm/v3/cmd/helm/helm.go:80 +0x25b

Expected Behavior

Secrets files are decrypted with the gpg keys added on argo-cd.

Steps To Reproduce

  1. deploy argo-cd with helm chart
  2. configure init container to install helm-secrets and sops

repoServer:
  env:
    - name: HELM_PLUGINS
      value: /app/helm-plugins/
  volumes:
    - name: custom-tools
      emptyDir: {}
  initContainers:
    - name: download-tools
      image: alpine:3.8
      command: [sh, -c]
      args:
        - |
          apk add curl && cd /custom-tools;
          echo "Install binaries"
          curl -fSSL https://github.com/mozilla/sops/releases/download/v3.7.1/sops-v3.7.1.linux -o sops && chmod +x sops;

          echo "Install plugins"
          mkdir -p /custom-tools/helm-plugins && cd /custom-tools/helm-plugins;
          echo "Install helm-secrets"
          curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.8.3/helm-secrets.tar.gz | tar -xzf-;
      volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools
  volumeMounts:
    - mountPath: /usr/local/bin/sops
      name: custom-tools
      subPath: sops
    - mountPath: /app/helm-plugins/
      name: custom-tools
      subPath: helm-plugins

  3. add your gpg key to argocd and try to deploy an application with encrypted secret

Environment

  • argocd 2.1.2

Anything else?

Sorry, I can't recall where I found this configuration.

Does helm secrets uninstall exist?

Hi Jan,
I would like to know if a helm secrets uninstall ... command exists, and whether it makes sense to uninstall a helm chart using the secrets plugin from the K8s cluster if I already installed the helm chart (with sops-encrypted files) using helm secrets upgrade ... ?
Thanks and best regards,
Jayesh

Checksum mismatch for sops with helm plugin install

I'm running into a 'checksum mismatch' error when installing using helm plugin install, which results in sops not being installed as part of the plugin installation. This is in a Debian Linux docker image. It's not a huge issue; it's easy enough to work around by installing sops separately, but I just wanted to point this out.

Digging into it a little bit, it looks like the default checksum that's used in install.sh is still set to the checksum for sops-v3.5.0.linux.

enc overwrites .dec file

According to USAGE.md:
"The encrypt operation encrypts a secrets.yaml.dec file and saves the encrypted result in secrets.yaml:"

But the enc command overwrites the decrypted file every time. What is the recommended workflow for this?

helm-secrets version 1.8.1 on Windows bash

Cannot install multiple versions of SOPS simultaneously - Proposal to allow flexibility for SOPS installation

Problem: I am trying to create a wrapper on top of Helm for an internal use case. For this, I need to install multiple versions of Helm and its plugins on the same system. I have managed to install multiple versions of Helm, but am limited by the installation of multiple versions of the plugins, e.g. helm-secrets expects SOPS to be at a hard-coded location.

Proposal:

  1. Add/change the installation script to allow users to specify the SOPS installation location. The variable can be HELM_SECRETS_SOPS_PATH. The default value will be the current hard-coded value /usr/local/bin/sops on Linux.
  2. Modify the command script to look up the variable to find the SOPS location.

Comments:
This should not be a breaking change and would allow flexibility in installing helm-secrets dependencies. It will not only satisfy the above use case but can also serve a bigger audience who want control over the installation of helm-secrets dependencies.

If the owner is fine with the above proposed changes, I would like to take a shot at this.

Thank you.

Typos in Argo CD integration wiki

Current Behavior

Just wanted to point out a couple of typos going through the Argo CD Integration wiki.

ArgoCD%20Integration.md?plain=1#L152

gpg --armor --export-key <key-id> > key.asc

--export-key should be --export-secret-key

ArgoCD%20Integration.md?plain=1#L243

kubectl auth can-i get secrets --namespace argo-cd --as system:serviceaccount:$NAMESPACE:argo-cd-argocd-repo-server

The service account name argo-cd-argocd-repo-server should be argocd-repo-server, based on the example service account created.
Also, the line uses the $NAMESPACE environment variable while already referencing argo-cd as the namespace on the same line.

Expected Behavior

No response

Steps To Reproduce

No response

Environment

  • Helm Version:
  • Helm Secrets Version:
  • OS:
  • Shell:

Anything else?

No response

Check for changes in external values

Problem Statement

I've modified the ArgoCD installation and used a workaround to use external values.

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app
spec:
  source:
    helm:
      valueFiles:
        # if AWS KMS or GCP is used
        - secrets://https://raw.githubusercontent.com/org/repo/ref/pathtofile.yml

It works, but if I change the remote file, it won't trigger an ArgoCD sync. Has anyone tried to resolve this issue?

Proposed Solution

No response

Environment

  • Helm Version: 3.7.1
  • Helm Secrets Version: 3.11.0
  • ArgoCD: v2.2.2

Additional information

No response

Acceptance Criteria

No response

Error when decrypting secrets on ArgoCD

Current Behavior

Error:
Error decrypting tree: Error walking tree: Could not decrypt value: crypto/aes: invalid key size 0

Full Error

rpc error: code = Unknown desc = `helm template . --name-template app-argocd --namespace argo-cd-2 --kube-version 1.21 --values values.yaml --values secrets+gpg-import:///helm-secrets-key/key.asc?secrets.yaml --api-versions admissionregistration.k8s.io/v1 --api-versions admissionregistration.k8s.io/v1beta1 --api-versions apiextensions.k8s.io/v1 --api-versions apiextensions.k8s.io/v1beta1 --api-versions apiregistration.k8s.io/v1 --api-versions apiregistration.k8s.io/v1beta1 --api-versions apps/v1 --api-versions argoproj.io/v1alpha1 --api-versions authentication.k8s.io/v1 --api-versions authentication.k8s.io/v1beta1 --api-versions authorization.k8s.io/v1 --api-versions authorization.k8s.io/v1beta1 --api-versions autoscaling/v1 --api-versions autoscaling/v2beta1 --api-versions autoscaling/v2beta2 --api-versions batch/v1 --api-versions batch/v1beta1 --api-versions certificates.k8s.io/v1 --api-versions certificates.k8s.io/v1beta1 --api-versions coordination.k8s.io/v1 --api-versions coordination.k8s.io/v1beta1 --api-versions discovery.k8s.io/v1 --api-versions discovery.k8s.io/v1beta1 --api-versions events.k8s.io/v1 --api-versions events.k8s.io/v1beta1 --api-versions extensions/v1beta1 --api-versions flowcontrol.apiserver.k8s.io/v1beta1 --api-versions metrics.k8s.io/v1beta1 --api-versions networking.k8s.io/v1 --api-versions networking.k8s.io/v1beta1 --api-versions node.k8s.io/v1 --api-versions node.k8s.io/v1beta1 --api-versions policy/v1 --api-versions policy/v1beta1 --api-versions rbac.authorization.k8s.io/v1 --api-versions rbac.authorization.k8s.io/v1beta1 --api-versions scheduling.k8s.io/v1 --api-versions scheduling.k8s.io/v1beta1 --api-versions snapshot.storage.k8s.io/v1 --api-versions snapshot.storage.k8s.io/v1beta1 --api-versions storage.k8s.io/v1 --api-versions storage.k8s.io/v1beta1 --api-versions v1 --include-crds` failed exit status 2: **Error decrypting tree: Error walking tree: Could not decrypt value: crypto/aes: invalid key size 0** panic: runtime error: 
invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x1ae9207] goroutine 1 [running]: bytes.(*Buffer).Bytes(...) bytes/buffer.go:54 helm.sh/helm/v3/pkg/cli/values.readFile(0xc0004d2e40, 0x3d, 0xc000711500, 0x3, 0x4, 0xc000831800, 0x0, 0x0, 0x0, 0x0) helm.sh/helm/v3/pkg/cli/values/options.go:120 +0x167 helm.sh/helm/v3/pkg/cli/values.(*Options).MergeValues(0xc0007de8a0, 0xc000711500, 0x3, 0x4, 0x1, 0x47, 0x0) helm.sh/helm/v3/pkg/cli/values/options.go:48 +0x115 main.runInstall(0xc000835500, 0x1, 0x62, 0xc0006a6420, 0xc0007de8a0, 0x2292040, 0xc000130008, 0x0, 0x1ffbaea, 0x9) helm.sh/helm/v3/cmd/helm/install.go:193 +0x24e main.newTemplateCmd.func2(0xc0001df400, 0xc000835500, 0x1, 0x62, 0x0, 0x0) helm.sh/helm/v3/cmd/helm/template.go:82 +0x146 github.com/spf13/cobra.(*Command).execute(0xc0001df400, 0xc000834e00, 0x62, 0x70, 0xc0001df400, 0xc000834e00) github.com/spf13/[email protected]/command.go:852 +0x472 github.com/spf13/cobra.(*Command).ExecuteC(0xc0005faa00, 0xc00000e318, 0x1, 0xc00079ff60) github.com/spf13/[email protected]/command.go:960 +0x375 github.com/spf13/cobra.(*Command).Execute(...) github.com/spf13/[email protected]/command.go:897 main.main() helm.sh/helm/v3/cmd/helm/helm.go:80 +0x25b

Config:

Repo Server

argo-cd:
  repoServer:
    env:
      - name: HELM_PLUGINS
        value: /custom-tools/helm-plugins/
      - name: HELM_SECRETS_SOPS_PATH
        value: /custom-tools/sops
      - name: HELM_SECRETS_KUBECTL_PATH
        value: /custom-tools/kubectl
    volumes:
      - name: custom-tools
        emptyDir: {}
      - name: helm-secrets-key
        secret:
          secretName: helm-secrets-key
    volumeMounts:
      - mountPath: /custom-tools
        name: custom-tools
      - mountPath: /helm-secrets-key/
        name: helm-secrets-key
    initContainers:
      - name: download-tools
        image: alpine:latest
        command: [sh, -ec]
        env:
          - name: HELM_SECRETS_VERSION
            value: "3.9.1"
          - name: SOPS_VERSION
            value: "3.7.1"
          - name: KUBECTL_VERSION
            value: "1.22.2"
        args:
          - |
            mkdir -p /custom-tools/helm-plugins
            wget -qO- https://github.com/jkroepke/helm-secrets/releases/download/v${HELM_SECRETS_VERSION}/helm-secrets.tar.gz | tar -C /custom-tools/helm-plugins -xzf-;

            wget -qO /custom-tools/sops https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux
            wget -qO /custom-tools/kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl

            chmod +x /custom-tools/*
        volumeMounts:
          - mountPath: /custom-tools
            name: custom-tools

Secret:

apiVersion: v1
kind: Secret
metadata:
  name: helm-secrets-key
data:
  key.asc: {{ .Values.helmSecretsKey | toString | b64enc }}
type: Opaque

I verified that the key is mounted. The tools are mounted as well. If I execute a similar command as on ArgoCD locally, everything works fine:

helm upgrade abc-argo-cd . -f values.yaml -f 'secrets+gpg-import:///Users/abc/dev/misc/keys/key.asc?secrets.yaml' --namespace=argo-cd --create-namespace --install

Helm version on Argo is 3.6.0. On my local machine it is 3.7.1. Could it be a dependency issue?

Expected Behavior

The secret should be decrypted.

Steps To Reproduce

No response

Environment

  • Helm 3.6.0 on ArgoCD

    - name: HELM_SECRETS_VERSION
      value: "3.9.1"
    - name: SOPS_VERSION
      value: "3.7.1"
    - name: KUBECTL_VERSION
      value: "1.22.2"

Anything else?

No response

Plaintext key-value pair in encrypted file

This may be more of a question, but how are we supposed to encrypt and push the secrets to Git?

To reproduce:

# cat > secrets.yaml <<EOF
my-key: my-value
EOF
# helm secrets enc secrets.yaml 
Encrypting secrets.yaml
Encrypted secrets.yaml
# cat secrets.yaml 
my-key: my-value
sops:
    kms: []
    gcp_kms:
    -   resource_id: projects/xxx/locations/global/keyRings/automation-keys-1/cryptoKeys/encrypt-decrypt-key-2
        created_at: '2021-09-27T08:53:44Z'
        enc: CiQAyfB29SUCJ3daBi0RF+2ITEBnQXPnKX0m/4UAJny2yEhbBooSSQBc4PjB41Fxzswqd/hYFHFgi+oi24mNOFcBBREzQ8d0bOhoKh9X+91FjGU2B8Ld5vGpallDJd4CX2WZgc5Vhkv3iwHUl2NIVUA=
    azure_kv: []
    hc_vault: []
    lastmodified: '2021-09-27T08:53:44Z'
    mac: ENC[AES256_GCM,data:EaqYeROwz2HSjCe7CfHbOOgsIB8hm+gvkrsnyDY2BeKc590RqCNkVO/lDx4lU8QtKZ1X2j4mbS9ZPGXl1qXY6lX34DAqCKwUuzH4hOFcapU/ZaaUyWg7fccgwF1KVxqyU0v83OF+YcyrVPBMaGtiQ2nXwuUjRoQTOv5k7uTF/aE=,iv:31HDf9cDb0btD3XvK7+l0+wxwJiw4uqbYRSVZRTz+gk=,tag:cOJGonYhvfFe2Fkph1SqhA==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.6.1
    
# helm secrets --version
   3.8.4-dev

Helm template temporary file too long

Current Behavior

I was setting up Helm secrets for an ArgoCD deployment and got the following error when importing the key.

 mktemp: failed to create directory via template '/tmp/tmp.fjNVPdZAIK/tmp.AxRzHACJg6/tmp.Gpd5hRlXku/tmp.Tns7tIZyVU/tmp.FSZWjiQlhs/tmp.eTSrztcsXq/tmp.7Y6aJ64Ktz/tmp.Dq0mN1jgek/tmp.ZlrVzUvqhX/tmp.j6ayPfkfbm/tmp.ioMcELVCDD/tmp.FCwDyjFbz9/tmp.8UkhYeTWkF/tmp.v7H7fsYJg5/tmp.bJ3MA6R5Vk/tmp.d8g6JlQzw3/tmp.tGB2ZAIyLe/tmp.PDddJi6hpH/tmp.ucj3OLCfSq/tmp.znW6ah1DgA/tmp.S8rBfXw8z9/tmp.7nRTV52PNA/tmp.Onsr1wGJN3/tmp.uqKcxuQJPS/tmp.H1Xozx2tAj/tmp.OMBbWfoKRg/tmp.b8Ty8xBKlv/tmp.JoMzqqu78m/tmp.z36vvr5l0r/tmp.0dYuVFGji1/tmp.OSGTA9Vxob/tmp.Ps0Vl6MAzu/tmp.jU3enKmAy1/tmp.hbW7g8TSz4/tmp.nSKkpwbwyK/tmp.qXVy4S7g8p/tmp.DpnssbtwUx/tmp.GC4oNQNBYB/tmp.GTAZPkNOdw/tmp.RMw4OGBOGJ/tmp.pLu8lgbCfE/tmp.Vix5Bf1my1/tmp.3oZqS1mmBp/tmp.hQctaqZQAn/tmp.sdbWj1abBK/tmp.CdJgZfzzRO/tmp.B0soHsK0hf/tmp.XC0mSc21HV/tmp.3nr6Pxzkq9/tmp.wtBh7xY01O/tmp.CIpLUfq2FR/tmp.hw9okChPjb/tmp.rx448WHjUj/tmp.BZg9JSemHG/tmp.d8N7IgWsyW/tmp.ekgOkfbdAk/tmp.UmJVGWeUtL/tmp.Q2vKFrsiqV/tmp.jbldGh6mzp/tmp.NeLMGgUkcj/tmp.dj9cSpRaJS/tmp.LWbxoQIB6v/tmp.8fjATmGDgH/tmp.58qUJmbrkX/tmp.SE4Kq4KQXY/tmp.0LCuNTILXC/tmp.N5pf6rbpn9/tmp.vt00dgD5rW/tmp.4PXgRbDfgg/tmp.08UKqDB5Bn/tmp.o37UErfCK0/tmp.UMaGhYrF39/tmp.Jp8c3rV8V4/tmp.zQxLvATwwP/tmp.LB7UmiLlRY/tmp.Xw4HbTv9BV/tmp.BZd2QBeSBp/tmp.eGWt0i2j5n/tmp.DDiWLAahte/tmp.aYM7caQ03V/tmp.ZooZkUuu2K/tmp.HjvQSKwvoq/tmp.dlMLRPqPKU/tmp.3WzZOVIRmX/tmp.eyLwYIl50a/tmp.l1nwfhpuQz/tmp.9JjFSV51dD/tmp.U9Rzta51hu/tmp.4n40WQzAhK/tmp.mC7h47JfDm/tmp.S13kBUVzZP/tmp.iJOkJUr7G0/tmp.894rHfRzRw/tmp.dCSnreK8Vy/tmp.vKmNKA3vCZ/tmp.doUyOAQ3Ul/tmp.dXQndnpEbg/tmp.wX0rhiNXsO/tmp.ZfsEs5EtfB/tmp.ycZvAxPTN2/tmp.7HyAuNM0fz/tmp.yf4YQJeb28/tmp.ZoxGVQ5L53/tmp.DQjmLj5jOU/tmp.95rI8ctAVF/tmp.8eGYo439g0/tmp.rQeFt8Utmy/tmp.9Q31L68swZ/tmp.qlj3SlgRYk/tmp.g4kDn61Mi2/tmp.MuLeIVA4AE/tmp.OxiTHkqS6I/tmp.Yq5Fn2708X/tmp.SVcYZOni0r/tmp.onYMI9mcdK/tmp.WhQdCTGV6V/tmp.W8xvYB0GJQ/tmp.3PHBqwoRDU/tmp.RbKHM7Zm3O/tmp.qqhkeqSnNH/tmp.1FExThqGk8/tmp.dMU3fMXJe9/tmp.ModWXXd00f/tmp.vIYq1eYQnB/tmp.J7f1q08oHy/tmp.riI4V6m4WQ/tmp.EMfnCjR2Vv/tmp.VY69dTFRwZ/tmp.zyHq8ivaa4/tmp.7R6oM1
A9CV/tmp.HZDPN6sMpd/tmp.rgRN6DbfzP/tmp.D0aCw2Uw3A/tmp.56he5bTfl5/tmp.1Ro1xI01rT/tmp.VAeY1ezQny/tmp.hyMDiEmtnr/tmp.ZZpZ7PePFE/tmp.iMInAaEpbN/tmp.CDPv6kNOQj/tmp.NlHiGAVnby/tmp.qm64yv8All/tmp.loDrY3AlZh/tmp.GcnQINFy3J/tmp.KcV1Li9an9/tmp.9VjVxzax3d/tmp.mKcKxDpAh1/tmp.GFovGdyTTN/tmp.cjE1615y5Q/tmp.Bdb1mYxLJ7/tmp.n4hCJyDCsL/tmp.5qxS86QnOw/tmp.O0hWHrCI4v/tmp.DQfprGGg6I/tmp.KLEwXXmaEY/tmp.xZkH39KbvU/tmp.vnOfc4htOj/tmp.Qetiws33gS/tmp.bs68h8hatH/tmp.C2LcpIHPav/tmp.qQ7sXC5djn/tmp.lgYXMez9t1/tmp.bKvxLBTNkW/tmp.VcyPicWFjg/tmp.jcL4gDWe1M/tmp.8N3DWCLsGE/tmp.kktpUAuw2k/tmp.1CXXKdojIH/tmp.PFbjRtdFgT/tmp.Ssjp6jKOLK/tmp.fcWZZugsPG/tmp.dVvZbuzn8R/tmp.lYxbSxdzXV/tmp.09K1VExc0L/tmp.W5V58UAgQh/tmp.ufIdQC3yIY/tmp.rBWOYKoU8U/tmp.7450DAjoVD/tmp.6UNTt3TRF7/tmp.VQl6E43WpH/tmp.06xDWsD5PU/tmp.rzUBZ39FSg/tmp.GDlF5yCQmR/tmp.3S0GUy3Nif/tmp.IU8Y2JP7Vd/tmp.r2rCfBU5sA/tmp.lnzDHOn7bI/tmp.bqM3lyyPHv/tmp.5ffCN8gWQZ/tmp.MQIxEu9nY5/tmp.M0TIXSXjF7/tmp.ptPE5Iilb6/tmp.ZC3EHwkvkU/tmp.a8s7e5zFn1/tmp.hbyAkZHERY/tmp.CouJhkYVOc/tmp.WwCVynMFWA/tmp.5tjg37N4K3/tmp.1bqcJbMrtZ/tmp.QDwaUdZQxK/tmp.ckM79hdKDO/tmp.O6W7tAIkbf/tmp.Hq4rAis770/tmp.0cvEySyhiH/tmp.6cUOCresRh/tmp.9zebDbra5X/tmp.jtvIua5AbM/tmp.tSeXLYYWlz/tmp.kJvPS1iWdZ/tmp.l6CuHA7CrM/tmp.J3UERKtVvy/tmp.avCoxo9GJr/tmp.0mpodArGns/tmp.7BL4jYXtyq/tmp.rNfQHTyAvV/tmp.c4rI48HE4Z/tmp.qUT8xuFJ6w/tmp.vUl9LYG7J5/tmp.b90ne2w5UK/tmp.ifAXpwSpXT/tmp.aL3HoAUxL3/tmp.8vIcdEg1Ni/tmp.kjah5Kn4as/tmp.cKRbCJh6MP/tmp.mU7H3SGxKG/tmp.DZOgBoMeMe/tmp.viAe0oDBmm/tmp.QoAn6UOyEf/tmp.ADL7DFa1R2/tmp.sekWhqNqLH/tmp.mhTaRJUCzG/tmp.eIPRkhLG88/tmp.rPZV2oO6H6/tmp.jySDCEZZAi/tmp.N9oU7ci3H1/tmp.4TvJY6s6VP/tmp.YyyjT0k6Ec/tmp.suu00Io3ZF/tmp.VErMYXmyjI/tmp.f6vGCss94h/tmp.jeQqzmrjT6/tmp.0qLPzEM8FE/tmp.nq9K4UOBMg/tmp.xLxO1DDkNa/tmp.m3AfgzTbzS/tmp.imWpyOSzdo/tmp.nNRSBgqc1C/tmp.oH89d8fNKo/tmp.mkoEfeuwpn/tmp.jys4Bt1VCR/tmp.YaZxrO3Hbc/tmp.xoNkVwQOmZ/tmp.Cc65rQtMmL/tmp.1W61eMvE5W/tmp.nLXbUCilCA/tmp.i8BdCWq94Z/tmp.D8rJ1m8MZu/tmp.hmUO0aOQEM/tmp.QL2BQfxGvn/tmp.98mno6Ngq4/tmp.InpFKrooON/tmp.MjXyW5wwgC/tmp.Q0nmAgZIGV/
tmp.DO3QIuxvMl/tmp.j50MVFo3fa/tmp.UturnsCPKG/tmp.WbJrd3r389/tmp.Kvy0RnuEkw/tmp.lqRdkM47M0/tmp.cxu1yAV6so/tmp.UgsFw78Jsq/tmp.pNoDhI1l9f/tmp.XXXXXXXXXX': File name too long\nError: plugin \"secrets\" exited with error\n[helm-secrets] File does not exist: secrets+age-import:///helm-secrets-private-keys/key.txt?secrets.yaml\

The value file is configured with secrets+age-import:///helm-secrets-private-keys/key.txt?secrets.yaml.

Expected Behavior

I was expecting the secrets to be decrypted and helm to use the secrets.yaml.dec.

Steps To Reproduce

No response

Environment

  • Helm Version: 3.6.0
  • OS: ubuntu 21.04

Anything else?

As a workaround I baked the age key into the ArgoCD custom image, and helm secrets is able to decrypt the secret if the value file is secrets.yaml.

Improve the Argo CD Integration Documentation

Problem Statement

It is not very straightforward to use Helm Secrets with Argo CD.

Proposed Solution

Improve the documentation.

Environment

No response

Additional information

No response

Acceptance Criteria

As a user, it should be simple to get Helm Secrets to work with Argo CD.

Incorrect vault_regexp

Hi, I'm trying to use the vault driver and getting a grep error.
I'm not sure why, but [A-z]* leads to a grep: Invalid range end error.
Replacing it with [a-zA-Z] seems to resolve this.

Encoding issue

In some cases the decrypted content is printed on one line, but originally it was a multiline entry.

An example:

# Administrator credentials when not using an existing secret (see below)
grafana:
    ldap:
        config: |-
            # query example 
            # (&(ObjectClass=posixAccount)(uid=username)(memberOf=cn=groupname,ou=groups,dc=domain,dc=de))
            group_search_filter = '(&(objectClass=posixGroup)(uniqueMember=%s))'
            group_search_filter_user_attribute = 'uid'
            group_search_base_dns = ['ou=Gruppen,dc=domain,dc=de']
            # ## Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
            # group_search_filter = '(&(objectClass=posixGroup)(memberUid=%s))'
            # ## An array of the base DNs to search through for groups. Typically uses ou=groups
            # group_search_base_dns = ['ou=Gruppen,dc=domain,dc=de']
            # ## the %s in the search filter will be replaced with the attribute defined below
            # group_search_filter_user_attribute = 'uid'

after helm secrets edit filename.yaml

# Administrator credentials when not using an existing secret (see below)
grafana:
    ldap:
        config: "# query example \n# (&(ObjectClass=posixAccount)(uid=username)(memberOf=cn=groupname,ou=Gruppen,dc=domain,dc=de))\ngroup_search_filter = '(&(objectClass=posixGroup)(uniqueMember=%s))'\ngroup_search_filter_user_attribute = 'uid'\ngroup_search_base_dns = ['ou=Gruppen,dc=domain,dc=de']\n# ## Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)\n# group_search_filter = '(&(objectClass=posixGroup)(memberUid=%s))'\n# ## An array of the base DNs to search through for groups. Typically uses ou=groups\n# group_search_base_dns = ['ou=Gruppen,dc=domain,dc=de']\n# ## the %s in the search filter will be replaced with the attribute defined below\n# group_search_filter_user_attribute = 'uid'"

Have you a work around for this or better - a fix?

Thank anybody for supporting this and for developing this smart tool further.

Implement Tests

Run tests against different commands:

  • helm plugin install #3
  • helm secrets #3
  • helm secrets dec #3
  • helm secrets enc #6
  • helm secrets view #6
  • helm secrets edit #6
  • helm secrets clean #6
  • helm secrets lint #6
  • helm secrets template #10
  • helm secrets kubeval #11
  • helm secrets install #12
  • helm secrets upgrade #13
  • helm secrets diff #13

GNU sed on OSX

Hello 😅 ,

I saw that the tool is able to handle multiple setup (Linux, OSX) in order to use sed the good way 💪 .

Would it be possible to handle that setup: GNU sed on OSX (my primary sed binary is pointing to the GNU one)

I installed it in order to not be in this kind of trouble 🤣

Thx

Cheers 😉

cannot decrypt secrets

Hello all,

for a few weeks I have been evaluating ways to encrypt secrets for Kubernetes / Helm in order to be able to push them into our git repository without entering into security issues. I noticed this fork from helm secrets positively. However, I currently have problems decrypting the secret files. To describe it exactly, an example:

helm secrets enc secrets.yml <-- Secret is properly encrypted
helm secrets view secrets.yml <-- Displays the decrypted secrets
helm secrets dec secrets.yml <-- Throws an error:

helm secrets dec secrets.yml
[helm-secrets] Decrypting secrets.yml
Incorrect Usage. flag provided but not defined: -output

The same applies to the following:

helm secrets upgrade name . -f secrets.yml

[helm-secrets] Decrypt: secrets.yml
Error: open secrets.yml: no such file or directory

rm: cannot remove 'secrets.yml.dec': No such file or directory
Error: plugin "secrets" exited with error

Unfortunately, I couldn't find anything to solve this problem anywhere. Also in the sops documentation I did not find any clues.

Since I would love to use the plugin, I hope that anyone can help me.

Feature Request: Allow creating a new file

With sops, you can create a new secrets file by running sops <filename> and passing a file that doesn't already exist. It'd be nice if you could do similarly with helm secrets edit <filename> or helm secrets create <filename> or some other command along those lines.

File is not encrypted when trying to decrypt just encrypted file

Current Behavior

I've got a problem, that helm-secrets plugin can encrypt a file normally, but can't decrypt it, even if I launch the action immediately on the same system with the same file. Example:

$ helm secrets enc secrets.yaml
Encrypting secrets.yaml
INFO found a configuration for 'secrets.yaml' in '.sops.yaml'
INFO: generating and storing data encryption key
Encrypted secrets.yaml
$ helm secrets dec secrets.yaml
[helm-secrets] Decrypting secrets.yaml
[helm-secrets] File is not encrypted: secrets.yaml
Error: plugin "secrets" exited with error
$

There is no problem with permissions or the save-to-file action, because after the enc action I see that its contents are encrypted successfully. Here is the original content:

mysecret: pAssw0rd

And here - after helm secrets enc secrets.yaml command:

mysecret: ENC[AES256_GCM,data:uYZsd1m1lLM=,iv:b3+7LgRnp+iRpDKBUNVPhDFFUviPbhrmPwSYBvi9uIs=,tag:dBNWsyNPxzif0Gj35BjPLQ==,type:str]
sops:
    attention: This section contains key material that should only be modified with
        extra care. See `sops -h`.
    version: '1.18'
    unencrypted_suffix: _unencrypted
    pgp:
    -   fp: A72531DF5735B86F75AAFAB12A5E049BBBD2CEA9
        enc: |
            -----BEGIN PGP MESSAGE-----

            hQGMA4ThOGDdjD/iAQv/b0TJ0KQVkT19ppDDtewmSWXRWt4LRIvw3IdShYP0Asnu
            KxyTaavatgCBXseEm7KpkVB7gydff7WMYDHHAKQ0pNhVrM0lwQ+RL6nS4wg/XC42
            Jo2DlDP+g/HIRijJ1owR+QwjIDSAZe7QWjtykldxopENPMjT8VV6gW+rQAbGjOw2
            F53S0lxbjGhfjrBhgtry/BfvtS2L6KqTztjULwP0uSsDsc6WdzJQgH9W5GpuGwJ7
            wcWxIl+msywkyZhy45Goo/unNoBcDTeikUCgh6WDMYS6Va5RsJPUmsUO32JA16dL
            8uF316fjoLEf5xI5NO2hWQS/c6Uj54W0YswOzpQ2M7gtw2QUq5eoPfsdg7uvo2G5
            yGvIu4QHJzzcjpqLOjO0AVEiiJkYmLDAR0Og5kID5X7e96/JgDHH1yVSBVx5Ry48
            ehfvMNIs2cRf9Ne8MgGAIwP5jgbAGlsJx6ZEpYk2pKe7Bt8ZXBmYru7/z4oOFwBx
            agGT7VnF1NDf/yrgdMDH0l4BAz+BzLQK3XABhaCXxwW4hrBspDHlKHacdfQAprTP
            Xrwe6L4/AHMEmPrmCyHqFVqN8EEEyK+W5uJqnc1J4Zb9WVhn4/QWBdykmP/Z137x
            NyjqQtIY9GJddrq5dyW2
            =YjiI
            -----END PGP MESSAGE-----
        created_at: '2021-12-13T13:16:00Z'
    lastmodified: '2021-12-13T13:16:00Z'
    mac: ENC[AES256_GCM,data:LECRIuU7MRYQnpjgEOGqd4CHIenhRme7xMjrOfah87WzAFxe9IWN8Eh6lKO/D9GTa22dutq+SFlgCYBQFmjvi2ma/Sfi777EKlJWdnm4o5JTFJtWb2aoaD9mkCw/7wLVFGoW6l/k7yCtGAXaEDcm3O1K0co8nw7vrm/GD9i+SRU=,iv:Gy4sjg0xsVPvKuIZZ6Q7zRxSe8LsKOKHa9GaZ6q9y4w=,tag:2MxX3FbMZjA2uN6Tn3itgQ==,type:str]

Also a helm secrets edit secrets.yaml command successfully decrypts the file and opens it in console editor, where I see decrypted content.
But helm secrets view secrets.yaml shows me an encrypted content of the file.

How can I investigate deeply what can be the source of failing the decrypt action?

Expected Behavior

helm secrets dec action should work well.

Environment

  • Helm Version: v3.7.0
  • Helm Secrets Version: 3.12.0-dev
  • OS: Ubuntu 20.04
  • Shell: bash

Installation fails - Unable to update repository: exit status 1

Hallo,
I'm trying to install helm secrets using the command from the readme:

$ helm plugin install https://github.com/jkroepke/helm-secrets --version v3.6.0 --debug
[debug] vcs_installer.go:162: updating https://github.com/jkroepke/helm-secrets
Error: Unable to update repository: exit status 1
helm.go:81: [debug] Unable to update repository: exit status 1

$ helm version
version.BuildInfo{Version:"v3.5.3", GitCommit:"041ce5a2c17a58be0fcd5f5e16fb3e7e95fea622", GitTreeState:"dirty", GoVersion:"go1.16"}

What am I doing wrong ?
Best Regards
SH

Error when installing secrets encrypted with age

Current Behavior

Hi, I generated age keys in key.txt and encrypted a test secret in templates/secrets.yaml. I get an error when trying to install the chart that includes the encrypted Secret. See below.

Expected Behavior

I shouldn't get an error on install.

Steps To Reproduce

[ ~/mychart]$ export SOPS_AGE_KEY_FILE=/home/blah/mychart/key.txt
[ ~/mychart]$ export SOPS_AGE_RECIPIENTS=age1ju90kke0mncldqcsc4mrvlq3snuuqt0htn706raw4vvtc8u4r97qj2rr3u
[ ~/mychart]$ helm secrets enc templates/secrets.yaml
Encrypting templates/secrets.yaml
Encrypted secrets.yaml
[ ~/mychart]$ helm upgrade -i testrelease . -f 'secrets+age-import://key.txt?templates/secrets.yaml'
Release "testrelease" does not exist. Installing it now.
Error: unable to build kubernetes objects from release manifest: unable to recognize "": no matches for kind "ENC[AES256_GCM,data:7La03wOQ,iv:K1MVcCpTZrocCwmyiHSDTZa+oAocz4U7Wkwcinr2Z4k=,tag:xZvsmYJz10bOM6kOglbnhg==,type:str]" in version "ENC[AES256_GCM,data:Fwk=,iv:pLG9fXiyz2+AfaINd9evjYUOTIPZPdCIPTlxaFkoA8U=,tag:JMQuEMJKbIfN5XuJkWvmjw==,type:str]"

Environment

  • Helm Version: 3.7.0
  • Helm Secrets Version: 3.12.0
  • OS: Ubuntu
  • Shell: Bash

Anything else?

No response

Secret value not referenced if upstream chart doesn't use `tpl` function

In a use-case where I have my secrets.yaml like this

postgresPassword: !vault secrets/superset#postgresPassword

and then I am trying to deploy superset chart and in my values I set

postgresql:
  postgresqlPassword: '{{ .Values.postgresPassword }}'

for the dependency chart, the generated secret is

# Source: superset/charts/postgresql/templates/secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: superset-postgresql
  labels:
    app.kubernetes.io/name: postgresql
    helm.sh/chart: postgresql-10.2.0
    app.kubernetes.io/instance: superset
    app.kubernetes.io/managed-by: Helm
type: Opaque
data:
  postgresql-password: "e3sgLlZhbHVlcy5wb3N0Z3Jlc1Bhc3N3b3JkIH19"

which corresponds literally to {{ .Values.postgresPassword }}. This is because the dependency chart doesn't use tpl to refer to this value and of course I can't control it. Same issue exists for the superset chart itself. Where the chart templates refer to values via tpl function, the value from secret is correctly rendered.

I am using the following command to check:

helm secrets -d vault upgrade --install superset .tmp/superset-master/helm/superset -f superset/prod/secrets.yaml -f superset/prod/values.yaml --dry-run

Am I just doing something wrong or is this an issue with the plugin?

Allow git remote repository file

Hello,

This is about a new feature :

Allow to gain secrets file from remote location (in this case from git repository)

This issue should be about how to implement it.
I'll see the following options:

Not here

This is not the purpose of this plugin. Let's create a specific one, or your specific driver....

Pros

  • No new code here

Cons

  • helm command grows more and more ;-)
  • this is not very huge logic

Add a new kind of driver to be able to retrieve file from a location

Introduce a new kind of driver. Interface could be something like is_supported $1 ; get_content $1

Pros

  • Extensible
  • Retrieval logic is well separated; if it grows, it could easily be moved into another plugin

Cons

  • Introduce a second kind of driver (global complexity)

As a new driver

Build a new sops_git driver

Pros

  • Isolated

Cons

  • Need to change the actual driver interface, need to add a driver_is_supported_file , and replace all [ -f ... ]
  • Specific (get a remote file and then decrypt with sops, or with vault)

I'll be glad to create a PR on that subject, please let me know.

Maintenance status of this fork

Since upstream looks dead I'll start to maintain a forked version of helm-secrets.

Issues to be fixed here:

Issues and pull requests covered by: #1

ArgoCD w/ SOPS leveraging AWS KMS

Problem Statement

I am unable to leverage this plugin in its current state while using AWS KMS keys and SOPS. Do you know if there is support for this, or am I just leveraging helm-secrets incorrectly?

helm secrets version = v3.9.1

Proposed Solution

No response

Environment

  • Helm Version:
  • OS:
  • Shell:

Additional information

No response

Acceptance Criteria

No response

Helm Wrapper does not work well on cygwin

I'm using Cygwin; when I run helm wrapper upgrade, it reports an error:

$ helm secrets upgrade mychart .
[helm-secrets] Decrypt skipped: secrets.yaml
C:\Users\joelee\AppData\Roaming\helm\plugins\helm-secrets/scripts/commands/helm.sh: line 109: D:\cygwin64\home\joelee\.local\bin\helm.exe: command not found
Error: plugin "secrets" exited with error

Currently I fix this by adding the following code to run.sh; are you able to fix this issue?

# Path to current directory
SCRIPT_DIR="$(dirname "$0")"
# On Cygwin, helm hands over Windows-style paths (D:\cygwin64\...); turn the
# backslashes into forward slashes so the shell can execute HELM_BIN and
# locate this script. uname -o is not available everywhere, so its error is silenced.
if [ "$(uname -o 2>/dev/null)" = "Cygwin" ]; then
    HELM_BIN="${HELM_BIN//\\//}"
    SCRIPT_DIR="${SCRIPT_DIR//\\//}"
fi

Hashicorp Vault driver

Allow to gain secrets from Hashicorp Vault.

This issue should be about how to implement it. External programs should be written in Go to preserve compatibility across all environments.

bare vault cli

Using vault kv get to gain secrets.

Pros

  • Always up to date with the latest vault features

Cons

  • Manual parsing of yaml files (getting hard in shell)

actano/vault-template

A tool in Go template style to replace placeholders with values from vault

Pros

  • syntax is known from helm
  • small feature set (just replace vault placeholders)

Cons

  • Project looks inactive
  • High limit to install (no prebuilt binaries available)
  • no vault kv API v2 support

hairyhenderson/gomplate

Pros

  • Easy to install (prebuilt binaries available)

Cons

  • Full featured template parser
  • Complex syntax for vault data source

geofffranks/spruce

Pros

  • Easy to install (prebuilt binaries available)
  • Some debugging features like spruce vaultinfo

Cons

  • Full featured template parser

helm wrapper doesn't process args of the form `--value=my_sops_file.yaml`

Just hit a minor issue with this otherwise very useful fork (not sure if fork specific) - it doesn't spot the alternative form of specifying --values arguments where you use an equals sign between option and optarg. I.e. the first line works:

helm secrets template myrelease myrepo/mychart --values my_sops_file.yaml
helm secrets template myrelease myrepo/mychart --values=my_sops_file.yaml

... whereas the second invisibly skips decryption (i.e. inserts ciphertext values instead of plaintext). Hopefully you can extend the arg processing in helm.sh...
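The failure mode described here is worth spelling out: an argument form the wrapper does not recognize is not an error, it is a file that reaches helm still encrypted. As an added example, not the plugin's own helm.sh, this is the argument walk a wrapper needs so that the spaced form (`-f FILE`, `--values FILE`), the equals form (`--values=FILE`) and the attached short form (`-fFILE`) are all seen; the argument lists used below are constructed:

```sh
#!/bin/sh
# Added example, not helm-secrets code: enumerate the value files named on a
# helm command line in every spelling helm accepts for them.

# Print each value file path on its own line. Arguments that are not value
# files are skipped; a bare "--" ends option processing, as it does for helm.
collect_value_files() {
  while [ $# -gt 0 ]; do
    case "$1" in
      -f|--values)                 # spaced form: the file is the next argument
        if [ $# -ge 2 ]; then printf '%s\n' "$2"; shift; fi
        shift ;;
      --values=*)                  # equals form: the report's missed case
        printf '%s\n' "${1#--values=}"
        shift ;;
      -f?*)                        # attached short form: -fsecrets.yaml
        printf '%s\n' "${1#-f}"
        shift ;;
      --)                          # end of options
        break ;;
      *)
        shift ;;
    esac
  done
}

# Demo on a constructed command line: every value file is listed once,
# so a wrapper can decrypt each of them before handing the command to helm.
collect_value_files template myrelease myrepo/mychart \
  --values my_sops_file.yaml -f plain.yaml --values=other_sops_file.yaml --set a=1
```

A wrapper built on this would replace each listed file that carries SOPS metadata with its decrypted copy and rewrite the argument accordingly; the point of the loop is that there is no spelling of `--values` that silently falls through to helm.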

mktemp Error Message with v3.6.0

Hello,

I seem to be getting back an odd error when upgrading a release using the latest version of the plugin (3.6.0).

Example:

helm secrets upgrade --install sops-demo-app helm -f helm/env/local/secrets.sops.yaml -f helm/env/local/values.yaml --dry-run --debug
mktemp: too few X's in template ‘helm-secrets’
Error: plugin "secrets" exited with error
helm.go:81: [debug] plugin "secrets" exited with error

The very same deployment seems to work just fine with the previous version 3.5.0.

Here's the versions I'm using:

  • OS: macOS Big Sur Version 11.2.3
  • Helm: version.BuildInfo{Version:"v3.5.2", GitCommit:"167aac70832d3a384f65f9745335e9fb40169dc2", GitTreeState:"dirty", GoVersion:"go1.15.7"}
  • Kubectl/Cluster: Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.4", GitCommit:"e87da0bd6e03ec3fea7933c4b5263d151aafd07c", GitTreeState:"clean", BuildDate:"2021-02-21T20:21:49Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"darwin/amd64"} Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.7", GitCommit:"1dd5338295409edcfff11505e7bb246f0d325d15", GitTreeState:"clean", BuildDate:"2021-01-13T13:15:20Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}
  • SOPS: sops 3.6.1

Let me know if there's any other info I can provide to help debug.
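The mktemp message here ("too few X's in template") and the "File name too long" path that opens this section are both temp-directory handling problems: BSD/macOS mktemp insists on trailing X's in the template, and the first report shows a path that has grown by one tmp.XXXX component per level. As an added example, not the plugin's own code (the page does not say what caused the nesting in that report), this is a scratch-directory helper that works with both GNU and BSD mktemp, honours $TMPDIR, keeps the directory private, and refuses to remove anything outside the base directory; the prefix `helm-secrets` is the only value taken from the page:

```sh
#!/bin/sh
# Added example, not helm-secrets code: portable, private scratch directories
# for decrypted value files, with a guarded cleanup.

# Create "<TMPDIR>/<prefix>.XXXXXXXXXX" and print its path.
make_scratch_dir() {
  prefix=${1:-helm-secrets}
  # Resolve the base once. The result is only printed, never re-exported as
  # TMPDIR, so repeated or nested calls produce sibling directories instead of
  # a path that gains one tmp.XXXX component per call.
  base=$(cd "${TMPDIR:-/tmp}" && pwd) || return 1
  # Trailing X's satisfy BSD mktemp; GNU mktemp accepts the same template.
  dir=$(mktemp -d "$base/$prefix.XXXXXXXXXX") || return 1
  chmod 700 "$dir"   # plaintext values land here; keep other users out
  printf '%s\n' "$dir"
}

# Remove a scratch directory, but only if it lives under the base directory,
# so an empty or mistyped variable can never turn this into "rm -rf /".
remove_scratch_dir() {
  base=$(cd "${TMPDIR:-/tmp}" && pwd) || return 1
  case "$1" in
    "$base"/?*) rm -rf "$1" ;;
    *) printf 'refusing to remove %s: not under %s\n' "$1" "$base" >&2; return 1 ;;
  esac
}

# Demo: create, report, remove
scratch=$(make_scratch_dir helm-secrets)
printf 'created %s\n' "$scratch"
remove_scratch_dir "$scratch"
```

Run as-is it prints the created path and removes it again; in a wrapper the directory would hold the `.dec` copies for the duration of one helm invocation and be removed on exit via a `trap`.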

Error "sops: not found" after installing helm secrets plugin

Current Behavior

The helm-secrets plugin installs successfully without errors:

$ helm plugin install https://github.com/jkroepke/helm-secrets
Installed plugin: secrets

But if I try to encrypt some file, I got the error:

$ helm secrets enc secrets.yaml
Encrypting secrets.yaml
/home/user/.local/share/helm/plugins/helm-secrets/scripts/run.sh: 8: sops: not found
Error: plugin "secrets" exited with error

As I understand from the docs, the sops package must be downloaded automatically when the plugin installs, but it seems this doesn't happen.

Expected Behavior

Plugin must show some warning, if the system misses the sops package, and it fails to install its own.

Or the helm-secrets plugin stops installing its own sops package on self-installing action by default, and needs some argument to install it?

Steps To Reproduce

  1. Install plugin on Ubuntu 20.04 without pre-installed sops package.

  2. Try to encrypt some file via the command helm secrets enc secrets.yaml and get an error:

$ helm secrets enc secrets.yaml
Encrypting secrets.yaml
/home/user/.local/share/helm/plugins/helm-secrets/scripts/run.sh: 8: sops: not found
Error: plugin "secrets" exited with error

Environment

  • Helm Version: v3.7.0
  • Helm Secrets Version: 3.12.0-dev
  • OS: Ubuntu 20.04
  • Shell: bash

Support Windows

Goal:

  • Run helm plugin install from windows cmd
  • Run helm secrets from windows cmd
  • Support sops.exe if no sops installed on WSL. (This supports gpg programs like gpg4win)

Support for encrypted Helm templates.

Plugin version: 3.8.1
SOPS version: 3.7.1

if you have a secret that starts with:

{{- if not (lookup "v1" "secret" .Release.Namespace .Values.postgresql.existingSecret) -}}
apiVersion: v1
kind: Secret
....

{{- end -}}
or something like that, helm secrets enc will remove the if blocks.
If you add the if block manually to the encrypted file, decryption will fail.

support json sops container (currently only yaml is supported)

hi,

I'm using helm-secrets with helmfile, and some of my secrets have the yaml.gotmpl extension. sops is able to encrypt and decrypt them, but helm-secrets doesn't like them and exits with the following error:

Error: plugin "secrets" exited with error
COMBINED OUTPUT:
[helm-secrets] Decrypting /tmp/[email protected]_myorg_helm/env/stage-001.yaml.gotmpl
[helm-secrets] File is not encrypted: /tmp/[email protected]_myorg_helm/env/stage-001.yaml.gotmpl 

it seems like there's a whitelist for allowed extensions or something like that.

it's also vitally important to helmfile that the unencrypted secret will retain the yaml.gotmpl extension, not just yaml. (this basically tells it to run this file through the template engine.)

helm-secrets not decrypt a partly encrypted file

When I encrypt my file with the --encrypted-regex flag, helm doesn't decrypt secrets. Also notice that there aren't any helm-secrets messages in stdout:

❯ sops -e --encrypted-regex '^secretContents$' secret-values.aws.dec.yaml > secret-values.aws.enc.yaml

❯ helm secrets template velero . -f secret-values.aws.enc.yaml | grep cloud:
  cloud: "RU5DW0FFUzI1Nl9HQ00sZGF0YTpXaUY2RHMwbkJUR1FYSzhIUlpzMXlhdnB0VWhsQS9kemJNTy9OQjM1Z0t2d1R1d2pKR1BtYW51WjUxWVBXZ1VsbDhva3YzWUhyMng0LGl2OnpXakVnUzRqK245cERsOWd6VThPeGhSTFBGeUROeE9JZmozaTUyTUFzNnM9LHRhZzpKZEl4NnhhVE40QnVnT1dnMjNNWWN3PT0sdHlwZTpzdHJd"

❯ echo RU5DW0FFUzI1Nl9HQ00sZGF0YTpXaUY2RHMwbkJUR1FYSzhIUlpzMXlhdnB0VWhsQS9kemJNTy9OQjM1Z0t2d1R1d2pKR1BtYW51WjUxWVBXZ1VsbDhva3YzWUhyMng0LGl2OnpXakVnUzRqK245cERsOWd6VThPeGhSTFBGeUROeE9JZmozaTUyTUFzNnM9LHRhZzpKZEl4NnhhVE40QnVnT1dnMjNNWWN3PT0sdHlwZTpzdHJd | base64 -d
ENC[AES256_GCM,data:WiF6Ds0nBTGQXK8HRZs1yavptUhlA/dzbMO/NB35gKvwTuwjJGPmanuZ51YPWgUll8okv3YHr2x4,iv:zWjEgS4j+n9pDl9gzU8OxhRLPFyDNxOIfj3i52MAs6s=,tag:JdIx6xaTN4BugOWg23MYcw==,type:str]%

❯ cat secret-values.aws.enc.yaml
velero:
    credentials:
        secretContents:
            cloud: ENC[AES256_GCM,data:tayHAkwRh9BsJGRK1Mf9tZmGwAGXqybwcHgz7e4V/ysEZjl2vYMZULx7AwygQ/+MV3whZahP51N/,iv:9WhwD6zWlsd/7Beuq2PQay/s2J4dAkAM33NDAV+TOUM=,tag:0wDWurjXF2zam3A5ALBM1Q==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1pwu2rdym3247spepxz7mxlvvqzysxf66wfflk6gvx5k749cpyp8qsthzaj
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUE94cjZQR3EvWG9uOEt2
            SE9wanBmUFJ6V1B2VTQxWDM0bGc3VlpWMUFjCnBJYmRVd21vVXBoczdWSWsyTGhu
            MTB4TkJoTjVkd0xzdzZ6a3pENVdJUVUKLS0tIFVUdDY4ME1FT2RVNlpaeUJDck1R
            djRLc2ZsOXNEL2JMa0UxeHNYVWZBM1UKHRVBJ+KnxNhN0Vq0W+6zl5t6IaFDvmUV
            dWgd5m5JMocHL/CmuvKpg+ao9d5rPIuiRC0wblnETHPEt21HmHp1vA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2021-07-13T08:11:14Z"
    mac: ENC[AES256_GCM,data:Hg6M7UiUUuCHFFb+P2qLxlNCNwyIzeYU6zpWuBJacUiP0uyuuC7QDzWZMYcOrNvYncxRRt0Ij1e5/YSwb8s0uedxKhfannN5Ee4xAaCfxxfh3x+KHg4MP2GFYm5LNlkayboq0taL6XqR8HZiDY+cTygkGGLaQ/prJ2Xq/dLSpUw=,iv:TekwLU57VGy/O40syryc55fVrU5z00dZq3AtNQ2/D0g=,tag:HnDO2uBI/lb1q1Xn2Iuyhw==,type:str]
    pgp: []
    encrypted_regex: ^secretContents$
    version: 3.7.1

❯ sops -d secret-values.aws.enc.yaml
velero:
    credentials:
        secretContents:
            cloud: |-
                [default]
                aws_access_key_id=123
                aws_secret_access_key=asd

Without the --encrypted-regex flag it works fine. Notice that the helm-secrets messages are present in stdout:

❯ sops -e secret-values.aws.dec.yaml > secret-values.aws.enc.yaml

❯ helm secrets template velero . -f secret-values.aws.enc.yaml | grep cloud:
[helm-secrets] Decrypt: secret-values.aws.enc.yaml
  cloud: "W2RlZmF1bHRdCmF3c19hY2Nlc3Nfa2V5X2lkPTEyMwphd3Nfc2VjcmV0X2FjY2Vzc19rZXk9YXNk"

[helm-secrets] Removed: secret-values.aws.enc.yaml.dec

❯ echo W2RlZmF1bHRdCmF3c19hY2Nlc3Nfa2V5X2lkPTEyMwphd3Nfc2VjcmV0X2FjY2Vzc19rZXk9YXNk | base64 -d
[default]
aws_access_key_id=123
aws_secret_access_key=asd%

❯ cat secret-values.aws.enc.yaml
velero:
    credentials:
        secretContents:
            cloud: ENC[AES256_GCM,data:5galdxRtDX5+htq9/tzXsnUfv+Q9pgCQDyafbgFbNagxZ6ixgGJyMwON4sehlc2IwmKTsp7oYKdT,iv:BgSLHEocMkIbSQZ9+6Q8DhLi4usPAxtZXefBu8zB5EI=,tag:cx09r8V2s1ggmIR4qY93Zg==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1pwu2rdym3247spepxz7mxlvvqzysxf66wfflk6gvx5k749cpyp8qsthzaj
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3Q1pZcWg3ZlR0Mm9RdGFB
            dm1oaEdPaEwwK2tKMmw5RDY5YzI0UTgwSDBrCmx5YVRYWkQzeHhjTXUrbURDRVNi
            WXFVa0kvT05mY1JVWXFrY2JZb2VIeUkKLS0tIDVBSkZCSnBqcm4yMWhtU1BkVmZS
            enRvYU9Yc1AwSmkzdm1XOVNVcDREcGcKJzzkHJtW0hWMSL+WYGQ2clBkoMggITnb
            KtgeGjZSTEtCht+fjQvbp7lwHy2odIlAhqrGwE2VZzxC4YlIAS5Gwg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2021-07-13T08:11:53Z"
    mac: ENC[AES256_GCM,data:RyBZV+QtYRVh+x7Rlhj/9bcYtXDfpNO9nBeWaF4d065Yog7P8fTei9mBYChetwXub/FkQF12uEGjKq/IrZsfGDbuPMpnIpTRFuvwTTvRdvCJEh2ILrJ9Tcc4u40rihpphw9Ot2tOLV4zQlhd0NDQ/H71fvi49g2HK6h0ybsYaKU=,iv:60C2BKCb9KckC6KGWvJrXSN2YYWon7BPvdYiry3QA2U=,tag:lPqP6TEg46cqghZaU8Xo8w==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.1

❯ sops -d secret-values.aws.enc.yaml
velero:
    credentials:
        secretContents:
            cloud: |-
                [default]
                aws_access_key_id=123
                aws_secret_access_key=asd

❯ cat secret-values.aws.dec.yaml
velero:
    credentials:
        secretContents:
            cloud: |-
                [default]
                aws_access_key_id=123
                aws_secret_access_key=asd

❯ helm version
version.BuildInfo{Version:"v3.6.2", GitCommit:"ee407bdf364942bcb8e8c665f82e15aa28009b71", GitTreeState:"dirty", GoVersion:"go1.16.5"}

❯ helm plugin list | grep secrets
secrets 3.8.1   This plugin provides secrets values encryption for Helm charts secure storing

❯ sops --version
sops 3.7.1 (latest)
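The two `cat` outputs in this report differ in exactly one metadata key: the whole-file encryption records `unencrypted_suffix: _unencrypted`, the `--encrypted-regex` encryption records `encrypted_regex: ^secretContents$`. A detector that keys on the first of those would explain the missing "Decrypt:" line, which is an assumption about the plugin, not something the page states. As an added example, not the plugin's own check, this recognizes SOPS metadata by the top-level `sops:` mapping and its `mac:` entry, which every SOPS file carries regardless of scope, and reports which scope key is present; the sample files below are constructed with placeholder ciphertext:

```sh
#!/bin/sh
# Added example, not helm-secrets code: detect SOPS metadata in a YAML file
# independently of whether the file was encrypted whole or with a regex.

# Constructed sample: file encrypted with --encrypted-regex (placeholder ciphertext)
SAMPLE_REGEX='velero:
    credentials:
        secretContents:
            cloud: ENC[AES256_GCM,data:constructed,iv:x,tag:y,type:str]
sops:
    age:
        - recipient: age1constructedrecipient
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            constructed
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2021-07-13T08:11:14Z"
    mac: ENC[AES256_GCM,data:constructed,iv:x,tag:y,type:str]
    encrypted_regex: ^secretContents$
    version: 3.7.1'

# Constructed sample: whole-file encryption (placeholder ciphertext)
SAMPLE_SUFFIX='velero:
    credentials:
        secretContents:
            cloud: ENC[AES256_GCM,data:constructed,iv:x,tag:y,type:str]
sops:
    lastmodified: "2021-07-13T08:11:53Z"
    mac: ENC[AES256_GCM,data:constructed,iv:x,tag:y,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.7.1'

# Constructed sample: plaintext, as produced by "sops -d"
SAMPLE_PLAIN='velero:
    credentials:
        secretContents:
            cloud: |-
                [default]
                aws_access_key_id=123
                aws_secret_access_key=asd'

# Exit 0 if the YAML on stdin (or in the file named as $1) carries SOPS
# metadata: a top-level "sops:" mapping containing a "mac:" ENC[...] entry.
is_sops_encrypted() {
  awk '
    /^sops:[ \t]*$/ { in_sops = 1; next }
    /^[^ \t#]/      { in_sops = 0 }        # any other top-level key ends the block
    in_sops && /^[ \t]+mac:[ \t]*ENC\[/ { found = 1 }
    END { exit(found ? 0 : 1) }
  ' "$@"
}

# Print the scope key SOPS recorded ("encrypted_regex: ...", "unencrypted_suffix: ..."
# and friends), so an operator can see why a file is only partly encrypted.
sops_scope() {
  awk '
    /^sops:[ \t]*$/ { in_sops = 1; next }
    /^[^ \t#]/      { in_sops = 0 }
    in_sops && /^[ \t]+(unencrypted_suffix|encrypted_suffix|encrypted_regex|unencrypted_regex):/ {
      sub(/^[ \t]+/, ""); print; exit
    }
  ' "$@"
}

# Demo on the constructed samples
for s in "$SAMPLE_REGEX" "$SAMPLE_SUFFIX" "$SAMPLE_PLAIN"; do
  if printf '%s\n' "$s" | is_sops_encrypted; then
    printf 'encrypted, scope: %s\n' "$(printf '%s\n' "$s" | sops_scope)"
  else
    printf 'not encrypted\n'
  fi
done
```

A wrapper that gates decryption on `is_sops_encrypted` treats both files in the report the same way, and `sops_scope` makes the difference between them visible in a log line instead of leaving a silent ciphertext in the rendered Secret.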

Encrypting violating YAML is possible but decrypting is not

In case of human mistake you may lose your secrets (ok. this is possible for all kind of human and technical things ;-) ).

given yaml:

mistakeLevel:
  foo: bar
mistakeLevel:
  foo2: bar2

This will be encrypted and looks like:

mistakeLevel:
    foo: ENC[AES256_GCM,data:kqbu,iv:mNoiQHiftiKhkrpJEwBybLG123WGtk1KFxlAF/R/Hdo=,tag:x+7tNtSXKaZ2nV+hzOXMLw==,type:str]
mistakeLevel:
    foo2: ENC[AES256_GCM,data:0shAng==,iv:Rj0+QPDnUcoZHDsGkOuD9RgX9qCSHuL5xzL5cR4u1cw=,tag:mEanDBW1MOc+L0uZGKbivA==,type:str]
sops:
    kms: []
    gcp_kms: []
    azure_kv: []
...

So far so nice.

$ helm secrets edit filename.yaml
filename.yaml
Error unmarshalling input yaml: yaml: unmarshal errors:
  line 3: mapping key "mistakeLevel" already defined at line 1
Error: plugin "secrets" exited with error

So better have a second source for your secrets or make no mistakes ;-).

One possible approach may be this:
before encrypting and closing the file, try to decrypt the file without error. This may be a simple check procedure to prevent such a situation. But I am not a developer, so I can't give you a PR for this.
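The check the report asks for can be made cheaper than a full encrypt-then-decrypt round trip: the only thing that broke here was a duplicate mapping key, which can be spotted in the plaintext before it is ever handed to sops. As an added example, not helm-secrets code, this is a pre-flight check over block-style YAML that reports duplicates in the same wording sops uses; it is a line-based heuristic (nested mappings by indentation; sequence items and block scalars are not parsed), so it is a guard in front of the encrypt step, not a YAML parser. The bad sample reproduces the report's file; the good sample is constructed:

```sh
#!/bin/sh
# Added example, not helm-secrets code: refuse to encrypt a values file that
# contains duplicate mapping keys, because sops will encrypt it but later
# refuse to decrypt it.

# Sample with the duplicate top-level key from the report
SAMPLE_BAD='mistakeLevel:
  foo: bar
mistakeLevel:
  foo2: bar2'

# Constructed sample that is valid YAML
SAMPLE_OK='db:
  user: app
  password: pAssw0rd
cache:
  password: an0ther'

# Print one line per duplicate key found on stdin, in the form
# 'line N: mapping key "k" already defined at line M'; nothing if clean.
dup_keys() {
  awk '
    /^[ \t]*(#|$)/         { next }   # blank and comment lines
    /^(---|\.\.\.)[ \t]*$/ { next }   # document markers
    {
      match($0, /^ */); ind = RLENGTH            # indentation width
      rest = substr($0, ind + 1)
      if (rest ~ /^- /) next                     # sequence item: not a mapping key
      if (rest !~ "^[A-Za-z0-9_./-][^:]*:( |$)") next   # not a "key:" line
      key = rest; sub(/:.*/, "", key)
      # Unwind the path stack to this indentation, then push the new key, so
      # "a/b" and "c/b" are distinct while a repeated "a/b" is a duplicate.
      while (depth > 0 && indent[depth] >= ind) depth--
      depth++; indent[depth] = ind; name[depth] = key
      path = name[1]
      for (i = 2; i <= depth; i++) path = path "/" name[i]
      if (path in seen)
        printf "line %d: mapping key \"%s\" already defined at line %d\n", NR, key, seen[path]
      else
        seen[path] = NR
    }'
}

# Number of duplicates on stdin; always exits 0 so it is easy to compare.
dup_key_count() {
  dup_keys | wc -l | tr -d ' '
}

# Gate for an encrypt step: exit 1 with the findings on stderr when the file
# has duplicates, exit 0 when it is safe to hand to "sops -e".
check_before_encrypt() {
  findings=$(dup_keys < "$1")
  if [ -n "$findings" ]; then
    printf '%s: refusing to encrypt:\n%s\n' "$1" "$findings" >&2
    return 1
  fi
  return 0
}

# Demo on the report's file
printf '%s\n' "$SAMPLE_BAD" | dup_keys
```

Placed in front of `sops -e` (`check_before_encrypt secrets.yaml && sops -e -i secrets.yaml`), the check fails loudly on the exact file that the report shows being encrypted and then lost, and costs no key operation.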

Using sops.yaml Azure_keyvault for China

Hello

I'm trying to encrypt / decrypt a secrets.yaml file via a key in the Azure Vault. I've got a sops.yaml file as follows:

creation_rules:
  - azure_keyvault: https://[URI]/keys/[KEY]

Which when I'm running helm secrets enc secrets.yaml It errors with the following;

[AZKV] ERRO[0015] Failed to create Azure authorizer error="Invoking Azure CLI failed with the following error: ERROR: CLIInternalError: The command failed with an unexpected error. Here is the traceback:\nERROR: Get Token request returned http error: 400 and server response: {\"error\":\"invalid_resource\",\"error_description\":\"AADSTS500011: The resource principal named https://vault.azure.net was not found in the tenant named [TENANT-ID]

If you look here - https://docs.microsoft.com/en-us/azure/china/resources-developer-guide

You'll see that https://vault.azure.net is the global URI, but for China it needs to be *.vault.azure.cn

Is there a way to be able to switch from using .net to .cn please?

Unable to use helm-secrets in ArgoCD with age encryption

Current Behavior

Hi

First of all, thanks for this repo and all its documentation! 🎉

For now, I'm stuck with some weird error. I'm trying to setup the use of helm-secrets within my ArgoCD implementation.

I'm using init container method and mount secrets method. Based on this, I'm trying to use helm secrets with an age encryption.

For this, I have the following files:

  • ArgoCD helm charts values:
repoServer:
  env:
    ## See https://github.com/jkroepke/helm-secrets/blob/main/docs/ARGOCD.md#option-2-init-container
    - name: HELM_PLUGINS
      value: /custom-tools/helm-plugins/
    - name: HELM_SECRETS_SOPS_PATH
      value: /custom-tools/sops
    - name: HELM_SECRETS_KUBECTL_PATH
      value: /custom-tools/kubectl
  volumeMounts:
    ## See https://github.com/jkroepke/helm-secrets/blob/main/docs/ARGOCD.md#option-2-init-container
    - mountPath: /custom-tools
      name: custom-tools
    ## See https://github.com/jkroepke/helm-secrets/blob/main/docs/ARGOCD.md#method-1-mount-the-private-key-from-a-kubernetes-secret-as-volume
    - mountPath: /helm-secrets-private-keys/
      name: helm-secrets-private-keys

  # -- Additional volumes to the repo server pod
  volumes:
    ## See https://github.com/jkroepke/helm-secrets/blob/main/docs/ARGOCD.md#option-2-init-container
    - name: custom-tools
      emptyDir: {}
    ## See https://github.com/jkroepke/helm-secrets/blob/main/docs/ARGOCD.md#method-1-mount-the-private-key-from-a-kubernetes-secret-as-volume
    - name: helm-secrets-private-keys
      secret:
        secretName: helm-secrets-private-keys
  initContainers:
    ## See https://github.com/jkroepke/helm-secrets/blob/main/docs/ARGOCD.md#option-2-init-container
    - name: download-tools
      image: alpine:latest
      command: [sh, -ec]
      env:
        - name: HELM_SECRETS_VERSION
          value: "3.9.0"
        - name: SOPS_VERSION
          value: "3.7.1"
        - name: KUBECTL_VERSION
          value: "1.22.0"
      args:
        - |
          mkdir -p /custom-tools/helm-plugins
          wget -qO- https://github.com/jkroepke/helm-secrets/releases/download/v${HELM_SECRETS_VERSION}/helm-secrets.tar.gz | tar -C /custom-tools/helm-plugins -xzf-;

          wget -qO /custom-tools/sops https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux
          wget -qO /custom-tools/kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl

          chmod +x /custom-tools/*
      volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools
  • Private helm charts with encrypted values

image

  • ArgoCD application:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: spark-dem-soa-1
  namespace: argocd
  # Finalizer that ensures that project is not deleted until it is not referenced by any application
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  source:
    repoURL: myRepo
    targetRevision: feature/add-argocd
    path: spark/spark
    helm:
      version: v3
      releaseName: spark-app
      valueFiles:
        - secrets+age-import:///helm-secrets-private-keys/key.txt?values_enc.yaml
  destination:
    server: https://kubernetes.default.svc
    namespace: dem-soa-1
  syncPolicy:
    automated:
      prune: true
      selfHeal: true

Because I don't have any sensitive values yet (just making some tests), the setup using the unencrypted values works

  • Unencrypted value
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: spark-dem-soa-1
  namespace: argocd
  # Finalizer that ensures that project is not deleted until it is not referenced by any application
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  source:
    repoURL: myRepo
    targetRevision: feature/add-argocd
    path: spark/spark
    helm:
      version: v3
      releaseName: spark-app
      valueFiles:
        - values.yaml
  destination:
    server: https://kubernetes.default.svc
    namespace: dem-soa-1
  syncPolicy:
    automated:
      prune: true
      selfHeal: true

When I'm installing my app with encrypted values, I get the error open secrets+age-import:///helm-secrets-private-keys/key.txt?values_enc.yaml: no such file or directory.

I made several tests and:

  • The command run by argocd works locally but not on the server when made manually (so this seems not to be a "server error")
  • The secrets key file is well mounted on reposerver
  • The repo is well pulled
  • SOPS commands are returning the correct values
  • helm secrets template commands (when the environment variable SOPS_AGE_KEY_FILE is set) are returning the correct values

I'll try

Expected Behavior

When installing my app, ArgoCD should be able to decrypt my value file correctly using age.

Steps To Reproduce

No response

Environment

  • Keycloak Version: [e.g. 10.0.1]
  • keycloak-config-cli Version: [e.g. 1.4.0]
  • Java Version: [e.g. 11]

Anything else?

I'll try to use gpg to see if I have a different results
