Wraps the whole helm command. Slow on multiple value files.
helm secrets upgrade name . -f secrets.yamlRun decrypted command on specific value files.
helm upgrade name . -f secrets://secrets.yamlSee: docs/USAGE.md for more information
For running helm-secrets with ArgoCD, see docs/ARGOCD.md for more information.
If you use sops with helm-secrets, the sops CLI tool is needed.
You can install it manually using Homebrew:
brew install sopsDownload: https://github.com/mozilla/sops/releases/latest
sops 3.2.0 is required at minimum.
vals is a tool for managing configuration values and secrets form various sources.
It supports various backends including:
- Vault
- AWS SSM Parameter Store
- AWS Secrets Manager
- AWS S3
- GCP Secrets Manager
- Azure Key Vault
- SOPS-encrypted files
- Terraform State
- Plain File
All clients are integrated into vals, no additional tools required.
Download: https://github.com/variantdev/vals/releases/latest
If you use Vault with helm-secrets, the vault CLI tool is needed.
You can install it manually using Homebrew:
brew install vaultDownload: https://www.vaultproject.io/downloads
If you have stored you secret inside environment variables, you could use the envsubst driver.
brew install gettextIf you use Doppler with helm-secrets, the doppler CLI tool is needed.
brew install dopplerhq/cli/dopplerYou need to make sure chart folder or parent one is in correct CLI's scope with enough access to project.
Install a specific version (recommend)
helm plugin install https://github.com/jkroepke/helm-secrets --version v3.10.0Install latest unstable version from main branch
helm plugin install https://github.com/jkroepke/helm-secretsFind the latest version here: https://github.com/jkroepke/helm-secrets/releases
Windows (inside cmd, needs to be verified)
curl -LsSf https://github.com/jkroepke/helm-secrets/releases/latest/download/helm-secrets.tar.gz | tar -C "%APPDATA%\helm\plugins" -xzf-MacOS / Linux
curl -LsSf https://github.com/jkroepke/helm-secrets/releases/latest/download/helm-secrets.tar.gz | tar -C "$(helm env HELM_PLUGINS)" -xzf-Windows (inside cmd, needs to be verified)
curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.10.0/helm-secrets.tar.gz | tar -C "%APPDATA%\helm\plugins" -xzf-MacOS / Linux
curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.10.0/helm-secrets.tar.gz | tar -C "$(helm env HELM_PLUGINS)" -xzf-Helm 2 doesn't support downloading plugins. Since unknown keys in plugin.yaml are fatal plugin installation needs special handling.
Error on Helm 2 installation:
# helm plugin install https://github.com/jkroepke/helm-secrets
Error: yaml: unmarshal errors:
line 12: field platformCommand not found in type plugin.Metadata
Workaround:
- Install helm-secrets via manual installation, but extract inside helm2 plugin directory e.g.:
$(helm home)/plugins/ - Strip
platformCommandfromplugin.yamllike:sed -i '/platformCommand:/,+2 d' "${HELM_HOME:-"${HOME}/.helm"}/plugins/helm-secrets*/plugin.yaml" - Done
Client here for an example!
If sops is installed at the non-default location or if you have multiple versions of sops on your system, you can use HELM_SECRETS_$DRIVER_PATH to explicitly specify the sops binary to be used.
# Example for in-tree drivers via environment variable
HELM_SECRETS_SOPS_PATH=/custom/location/sops helm secrets view ./tests/assets/helm_vars/secrets.yaml
HELM_SECRETS_VALS_PATH=/custom/location/vals helm secrets view ./tests/assets/helm_vars/secrets.yamlIt's possible to use another secret driver then sops, e.g. Hasicorp Vault.
Start by a copy of sops driver and adjust to your own needs.
The custom driver can be load via HELM_SECRETS_DRIVER parameter or -d option (higher preference):
Example for in-tree drivers via option
helm secrets -d sops view ./tests/assets/helm_vars/secrets.yamlExample for in-tree drivers via environment variable
HELM_SECRETS_DRIVER=vault helm secrets view ./tests/assets/helm_vars/secrets.yamlExample for out-of-tree drivers
helm secrets -d ./path/to/driver.sh view ./tests/assets/helm_vars/secrets.yamlPull Requests are much appreciated.
The driver option is a global one. A file level switch isn't supported yet.
helm secrets -a "--verbose" view ./tests/assets/helm_vars/secrets.yamlresults into:
[PGP] INFO[0000] Decryption succeeded fingerprint=D6174A02027050E59C711075B430C4E58E2BBBA3
[SOPS] INFO[0000] Data key recovered successfully
[SOPS] DEBU[0000] Decrypting tree
[helm-secrets] Decrypt: tests/assets/values/sops/secrets.yaml
==> Linting examples/sops
[INFO] Chart.yaml: icon is recommended
1 chart(s) linted, 0 chart(s) failed
[helm-secrets] Removed: tests/assets/values/sops/secrets.yaml.dec
The current version of this plugin using mozilla/sops by default as backend.
Hashicorp Vault is supported as secret source since v3.2.0, too. In addition, sops support vault since v3.6.0 natively.
What kind of problems this plugin solves:
- Simple replaceable layer integrated with helm command for encrypting, decrypting, view secrets files stored in any place.
- On the fly decryption and cleanup for helm install/upgrade with a helm command wrapper
If you are using sops (used by default) you have some additional features:
- Support for YAML/JSON structures encryption - Helm YAML secrets files
- Encryption per value where visual Diff should work even on encrypted files
- On the fly decryption for git diff
- Multiple key management solutions like PGP, AWS KMS and GCP KMS at same time
- Simple adding/removing keys
- With AWS KMS permissions management for keys
- Secrets files directory tree separation with recursive .sops.yaml files search
- Extracting sub-elements from encrypted file structure
- Encrypt only part of a file if needed. Example encrypted file
An additional documentation, resources and examples can be found here.
helm-secrets could detect an ArgoCD environment by the ARGOCD_APP_NAME environment variable. If detected, HELM_SECRETS_QUIET is set to true.
See USAGE.md for example.
The terraform helm provider does not support downloader plugins.
An example how to use helm-secrets with terraform could be found in contrib/terraform.
scripts/run.sh- Main helm-secrets plugin code for all helm-secrets plugin actions available inhelm secrets helpafter plugin installscripts/drivers- Location of the in-tree secrets driversscripts/commands- Sub Commands ofhelm secretsare defined here.scripts/lib- Common functions used byhelm secrets.scripts/wrapper- Wrapper scripts for Windows systems.tests- Test scripts to check if all parts of the plugin work. Using test assets with PGP keys to make real tests on real data with real encryption/decryption. Seetests/README.mdfor more informations.examples- Some example secrets.yaml
© 2020-2021 Jan-Otto Kröpke (jkroepke)
© 2017-2020 Zendesk
Licensed under the Apache License, Version 2.0
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent