zendesk / helm-secrets
DEPRECATED: A helm plugin that helps manage secrets with Git workflow and store them anywhere
License: Apache License 2.0
If, say, I invoke helm improperly (in this case I'm omitting the -f secrets.yaml that pulls in the secret values), I get this error, and exit code 1:
$ helm upgrade --install ci-develop --namespace ci -f values.yaml .
Release "ci-develop" does not exist. Installing it now.
Error: render error in "dod/templates/dod_secrets.yml": template: dod/templates/dod_secrets.yml:13:54: executing "dod/templates/dod_secrets.yml" at <b64enc>: invalid value; expected string
$ echo $?
1
As it should be. But when I run with helm secrets, the same error is generated, but the exit code becomes 0.
$ helm secrets upgrade --install ci-develop --namespace ci -f values.yaml .
Release "ci-develop" does not exist. Installing it now.
echo $?
Error: render error in "dod/templates/dod_secrets.yml": template: dod/templates/dod_secrets.yml:13:54: executing "dod/templates/dod_secrets.yml" at <b64enc>: invalid value; expected string
danfarrell@mac 2018.12.12 16:50:58 develop ~/git/k8s_dev/dod
$ echo $?
0
This completely breaks my CI/CD process, and I think it would break any CI/CD process which needs to fail if helm doesn't work.
I think it's because we exit 0 at the end of the secrets.sh script, so I'll throw a PR out to exit with the helm code instead and see what folks think.
On many environments install-binary is not working because it needs sudo rights.
Can we add an env variable that will disable this installation?
Hi, thanks a lot for maintaining the great project!
I've encountered an error like the following while trying examples according to the README:
$ helm secrets dec example/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml
Decrypting example/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml
[PGP] WARN[0000] Decryption failed fingerprint=4434EA5D05F10F59D0DF7399AF1D073646ED4927
Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
4434EA5D05F10F59D0DF7399AF1D073646ED4927: FAILED
- | could not decrypt data key with PGP key:
| golang.org/x/crypto/openpgp error: Could not load secring:
| open /Users/mumoshu/.gnupg/secring.gpg: no such file or
| directory; GPG binary error: exit status 2
Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
Error: plugin "secrets" exited with error
Obviously, I had to have ~/.gnupg/secring.gpg and the example private keys imported into it, which can be achieved by running:
gpg --import example/pgp/project{x,y}.asc
Could I add this step to the README? Thanks!
I would like to lock in the version of helm secrets I am using, but version 2 is not tagged. The only way to currently install version 2 is from master, which could change at any time.
Hey everyone. This may be a local problem on my machine, but I thought I'd report it anyways, since it seems I am on the latest version on everything.
First tried to go through the example and it failed immediately:
helm secrets dec example/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml
Decrypting example/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml
[PGP] INFO[0000] Decryption succeeded fingerprint=4434EA5D05F10F59D0DF7399AF1D073646ED4927
[SOPS] INFO[0000] Data key recovered successfully
Error decrypting tree: Error walking tree: Could not decrypt value: crypto/aes: invalid key size 31
Error: plugin "secrets" exited with error
➜ helm-secrets git:(master) ✗
And then I tried to run test.sh which also failed.
➜ R git clone git@github.com:futuresimple/helm-secrets.git
Cloning into 'helm-secrets'...
remote: Counting objects: 409, done.
remote: Total 409 (delta 0), reused 0 (delta 0), pack-reused 409
Receiving objects: 100% (409/409), 147.13 KiB | 617.00 KiB/s, done.
Resolving deltas: 100% (202/202), done.
➜ R cd helm-secrets
➜ helm-secrets git:(master) brew install sops
Updating Homebrew...
==> Auto-updated Homebrew!
Updated 3 taps (heroku/brew, homebrew/core, caskroom/cask).
==> New Formulae
jthread wp-cli
==> Updated Formulae
erlang ✔ nginx ✔ docker frugal groovyserv libswiften meson pygobject3 talloc
git ✔ arx docker-completion gdcm gst-python libucl openrct2 pytouhou unixodbc
heroku ✔ aws-sdk-cpp exploitdb gitlab-runner lean-cli mackup osquery sdlpop vips
heroku/brew/heroku ✔ czmq flow gom libbi mat parallel spigot xdot
heroku/brew/heroku-node ✔ diffoscope fribidi grip librealsense mbedtls pgroonga svgcleaner zeromq
==> Downloading https://homebrew.bintray.com/bottles/sops-3.0.2.high_sierra.bottle.tar.gz
Already downloaded: /Users/stoyle/Library/Caches/Homebrew/sops-3.0.2.high_sierra.bottle.tar.gz
==> Pouring sops-3.0.2.high_sierra.bottle.tar.gz
🍺 /usr/local/Cellar/sops/3.0.2: 5 files, 16.8MB
➜ helm-secrets git:(master) ./test.sh
+++ Installing helm-secrets plugin
[OK] helm-ecrets plugin installed
+++ Importing private pgp key for projectx
gpg: key AF1D073646ED4927: "helm-secrets-example-projectx <[email protected]>" not changed
gpg: key AF1D073646ED4927: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys unchanged: 1
+++ Importing private pgp key for projectx
gpg: key 19F6A67BB1B8DDBE: "helm-secrets-example-projecty <[email protected]>" not changed
gpg: key 19F6A67BB1B8DDBE: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys unchanged: 1
+++ Show helm_vars tree from example
example/helm_vars/
├── .sops.yaml
├── projectX
│   ├── .sops.yaml
│   ├── production
│   │   └── us-east-1
│   │       └── java-app
│   │           ├── secrets.yaml
│   │           └── value.yaml
│   └── sandbox
│       └── us-east-1
│           └── java-app
│               ├── secrets.yaml
│               └── value.yaml
├── projectY
│   ├── .sops.yaml
│   ├── production
│   │   └── us-east-1
│   │       └── java-app
│   │           ├── secrets.yaml
│   │           └── value.yaml
│   └── sandbox
│       └── us-east-1
│           └── java-app
│               ├── secrets.yaml
│               └── value.yaml
├── secrets.yaml
└── values.yaml
14 directories, 13 files
+++ Testing ./example/helm_vars/secrets.yaml
+++ Encrypt and Test
[OK] File properly encrypted
+++ Test if 'Already Encrypted' feature works
[OK] Already Encrypted
+++ View encrypted Test
[PGP] INFO[0000] Decryption succeeded fingerprint=4434EA5D05F10F59D0DF7399AF1D073646ED4927
[SOPS] INFO[0000] Data key recovered successfully
[OK] File decrypted and viewable
+++ Decrypt
[PGP] INFO[0000] Decryption succeeded fingerprint=4434EA5D05F10F59D0DF7399AF1D073646ED4927
[SOPS] INFO[0000] Data key recovered successfully
[OK] File decrypted
+++ Cleanup Test
[OK] Cleanup specified directory
[OK] Cleanup specified .dec file
[OK] Cleanup specified encrypted secret file
+++ Once again Encrypt and Test
[PGP] INFO[0000] Encryption succeeded fingerprint=4434EA5D05F10F59D0DF7399AF1D073646ED4927
[PGP] INFO[0001] Encryption succeeded fingerprint=40B6FAEC80FD467E3FE9421019F6A67BB1B8DDBE
[CMD] INFO[0001] File written successfully
[OK] File properly encrypted
+++ Testing ./example/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml
+++ Encrypt and Test
[OK] File properly encrypted
+++ Test if 'Already Encrypted' feature works
[OK] Already Encrypted
+++ View encrypted Test
[PGP] INFO[0000] Decryption succeeded fingerprint=4434EA5D05F10F59D0DF7399AF1D073646ED4927
[SOPS] INFO[0000] Data key recovered successfully
Error decrypting tree: Error walking tree: Could not decrypt value: crypto/aes: invalid key size 31
Error: plugin "secrets" exited with error
[OK] File decrypted and viewable
+++ Decrypt
[PGP] INFO[0000] Decryption succeeded fingerprint=4434EA5D05F10F59D0DF7399AF1D073646ED4927
[SOPS] INFO[0000] Data key recovered successfully
Error decrypting tree: Error walking tree: Could not decrypt value: crypto/aes: invalid key size 31
Error: plugin "secrets" exited with error
General error
➜ helm-secrets git:(master) ✗
So, is it my machine, or is this a bug?
Cheers,
Alf
Using centos7 and bash 4, I receive the following error when trying to run helm secrets update:
/root/.helm/plugins/helm-secrets/secrets.sh: line 262: local: -n: invalid option
local: usage: local [option] name[=value]
I was able to fix this by changing secrets.sh: line 265 from:
if [[ ${BASH_VERSINFO[0]} -lt 4 ]]
to:
if [[ ${BASH_VERSINFO[0]} -lt 5 ]]
so now the script is using the eval commands per the comment on line 250:
# Name references ("declare -n" and "local -n") are a Bash 4 feature.
# For previous versions, work around using eval.
I've read the great blog https://lab.getbase.com/helm-secrets-a-missing-piece-in-kubernetes and am trying the example out but I'm running into a problem. It's probably down to me but figured I'd raise an issue to check.
I've run:
helm plugin install https://github.com/futuresimple/helm-secrets
I've also cloned this repo and tried to run the first usage example https://github.com/futuresimple/helm-secrets#usage-examples:
helm secrets dec example/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml
Decrypting example/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml
[PGP] WARN[0000] Decryption failed fingerprint=xx
Failed to get the data key required to decrypt the SOPS file.
Group 0: FAILED
xx: FAILED
- | could not decrypt data key with PGP key:
| golang.org/x/crypto/openpgp error: Could not load secring:
| open /Users/jr/.gnupg/secring.gpg: no such file or
| directory; GPG binary error: exit status 2
Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
Error: plugin "secrets" exited with error
I have a new osx machine, so I figured I need to create a gpg key (is that right?):
brew install gpg
Now generated a new key:
gpg --gen-key
This created a file ~/.gnupg/pubring.kbx but no ~/.gnupg/secring.gpg, which the error message above was looking for. I came across this https://superuser.com/questions/1037401/pubring-gpg-and-secring-gpg-are-missing-after-key-generation which may be related.
I'm wondering if I've fallen down a wrong path or if this is a valid issue.
Any ideas or thoughts?
I have been working on a file (secrets.yaml) which I had encrypted, but it had some issues so I deleted the file. Now when I try to run
helm secrets enc secrets.yaml
it gives the following error:
Error unmarshalling file: Error unmarshaling input YAML: yaml: line 6: found unexpected ':'
Error: plugin "secrets" exited with error
The secrets.yaml file is no longer there, is it being cached somewhere?
-- I figured it out, had the template secrets.yaml in a subfolder and it was also drilling into the subfolder.
In version 2.0.0, the passphrase prompt does not make it to the console but instead ends up in the decrypted file:
$ helm secrets dec secrets.yaml
Decrypting secrets.yaml
$ cat secrets.yaml.dec
gpg-agent not found, continuing with manual passphrase input...
Enter PGP key passphrase:
...
secrets 1.2.9 with sops 3.0.5.
If you enter something like:
helm secrets edit foo.yaml
and foo.yaml doesn't exist but there is a secrets.yaml in the cwd, it will edit that secrets.yaml instead of giving an error message about the path not existing.
I have helm-secrets set up to encrypt secrets with sops. My .sops.yaml looks like this:
creation_rules:
  - path_regex: xyz-secrets.yaml$
    kms: arn:aws:kms:us-east-1:01234:key/abcd-01234-...
  # Catchall to raise an error for unmatched secrets
  - pgp: "nonexistent-key-will-fail-for-unmatched"
I've successfully created and encrypted xyz-secrets.yaml. I'm able to helm secrets [edit|view] it and the contents look as I would expect them to.
When I try to helm secrets install or helm secrets upgrade my chart, it completes successfully and the resources in k8s are created. However, the values deployed to the cluster have not been decrypted and all begin with ENC[AES256_GCM,data.
In case it helps here are the versions I'm running:
$ helm plugin list
NAME VERSION DESCRIPTION
secrets 2.0.0 This plugin provides secrets values encryption for Helm charts secure storing
$ sops --version
sops 3.2.0 (latest)
And here's the exact command (under the fish shell) I deployed with:
$ env AWS_PROFILE=myprofile \
helm secrets install \
--name=my-release-name \
--namespace=prod \
-f helm_values/xyz-values.yaml \
-f helm_values/xyz-secrets.yaml \
del-shared-config
It looks like helm-secrets is failing to detect that xyz-secrets.yaml should be decrypted. Am I using it incorrectly or have I discovered a bug in KMS support?
I have a simple setup just using pgp. .sops.yml:
---
creation_rules:
  - pgp: B6EE067A65308CA16B0D39FE27FAE19092947959
I can run enc and view just fine:
$ helm secrets enc ./secrets.yml
Encrypting ./secrets.yml
Encrypted secrets.yml
When I try to decrypt I'm getting the following
$ helm secrets dec ./secrets.yml
Decrypting ./secrets.yml
sops metadata not found
Error: plugin "secrets" exited with error
$ ls secrets.yml
ls: secrets.yml: No such file or directory
$ sops -v
sops 3.2.0 (latest)
secrets 1.2.9, sops 3.0.5
rdmurray@conrad:~/projects/live_storagemanager/deploy/test[93cfac3...]>helm secrets edit
Edit encrypted Chart secrets.yaml
Decrypt encrypted file, edit and then encrypt
You can use plain sops to edit - https://github.com/mozilla/sops
Example:
$ helm secrets edit <SECRET_FILE_PATH>
or $ sops <SECRET_FILE_PATH>
$ git add <SECRET_FILE_PATH>
$ git commit
$ git push
Error: Chart package required.
Error: plugin "secrets" exited with error
The "Error: Chart package required" would appear to be spurious, since it doesn't show up when successfully editing a file.
The new secrets wrapper logic does not support the template command.
When using helm-wrapper to decrypt files, we randomly get errors about the decrypted file not being found:
>>>>>> Decrypt
Decrypting /tmp/tmp.BdvUTnv8Ji/config-server/secrets.yaml
Release "config-server" does not exist. Installing it now.
Error: open /tmp/tmp.BdvUTnv8Ji/config-server/secrets.yaml.dec: no such file or directory
The general setup works fine, since there are other charts being deployed the exact same way in parallel where it works fine, and there is also no pattern in where it's failing, as far as I can see. Sometimes it's this chart, sometimes another and other times none at all... :(
Helm version: v2.9.1
Helm secrets version: 1.3.0
Sops version: 3.0.3
UPDATE: The issue only appears if multiple instances are run in parallel. But those instances are not sharing the same secrets.yaml files, in which case this would be expected.
Any proposals appreciated!
Symptoms
When I try to edit a secret file, I receive an error:
$ helm secrets edit dp-apache-drill/secrets.yaml
Could not create temporary file: open /var/folders/bl/sr0tdr1s3wzdn0mzwkq846l9fg7039/T/782685853: is a directory
Error: plugin "secrets" exited with error
Plugin Version
$ helm plugin list
NAME VERSION DESCRIPTION
secrets 1.1.2 This plugin provides secrets values encryption for Helm charts secure storing
Platform
macOS Sierra 10.12.5
More information
Running the script with debug enabled:
$ helm secrets edit dp-apache-drill/secrets.yaml
+ [[ 2 -lt 1 ]]
+ case "${1:-"help"}" in
+ :
+ [[ 2 -lt 2 ]]
+ edit dp-apache-drill/secrets.yaml
+ type vim
+ chart=dp-apache-drill/secrets.yaml
+ vars_load dp-apache-drill/secrets.yaml
+ export templates_dir=dp-apache-drill/secrets.yaml
+ templates_dir=dp-apache-drill/secrets.yaml
+ [[ -f dp-apache-drill/secrets.yaml/templates/secrets.yaml ]]
+ [[ -f dp-apache-drill/secrets.yaml/secrets.yml ]]
+ [[ -f dp-apache-drill/secrets.yaml ]]
+ export yml=dp-apache-drill/secrets.yaml
+ yml=dp-apache-drill/secrets.yaml
+ edit_helper
+ file dp-apache-drill/secrets.yaml
+ sops_config
+ DEC_SUFFIX=.dec
+ SOPS_CONF_FILE=.sops.yaml
++ which dp-apache-drill/secrets.yaml
+ sops ''
Could not create temporary file: open /var/folders/bl/sr0tdr1s3wzdn0mzwkq846l9fg7039/T/296699382: is a directory
Error: plugin "secrets" exited with error
When running helm commands via the helm secrets wrapper, if the underlying helm command has an error that would return a non-zero exit code, the helm secrets plugin seems to swallow it. Here are some examples. (My helm version was 2.11.0 in these examples):
$ helm install fakechart
Error: failed to download "fakechart" (hint: running `helm repo update` may help)
$ echo $?
1
$ helm secrets install fakechart
Error: failed to download "fakechart" (hint: running `helm repo update` may help)
$ echo $?
0
$ helm upgrade --install fakerelease fakechart
Error: failed to download "fakechart" (hint: running `helm repo update` may help)
$ echo $?
1
$ helm secrets upgrade --install fakerelease fakechart
Error: failed to download "fakechart" (hint: running `helm repo update` may help)
$ echo $?
0
This behavior causes scripts to not be able to detect when an error has occurred.
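The swallowed exit status described in this report (and in the CI/CD report further up the page) comes down to what the last statement of a wrapper script returns. The following is an added example, not helm-secrets' own code: a minimal POSIX sh wrapper showing the reported buggy shape beside one that captures the wrapped command's status before cleanup runs; fake_helm_failure and DEC_FILE are constructed stand-ins for helm and the decrypted values file.

```sh
#!/bin/sh
# Added example, not helm-secrets' own code. It contrasts a wrapper whose
# final statement is an unconditional success with one that preserves the
# wrapped command's exit status across cleanup.

# Constructed stand-in for the decrypted values file the wrapper must remove.
DEC_FILE="${TMPDIR:-/tmp}/example-secrets.yaml.dec.$$"

# Constructed stand-in for "helm upgrade ..." hitting a render error: prints
# an error and returns 1, as helm does in the transcripts above.
fake_helm_failure() {
    echo 'Error: render error (constructed stand-in)' >&2
    return 1
}

# Buggy shape: the wrapped command's status is overwritten by the cleanup
# that follows it, and the trailing "return 0" (the script's "exit 0") makes
# the outcome unconditionally successful, so CI cannot see the failure.
buggy_wrapper() {
    : > "$DEC_FILE"           # "decrypt" step (constructed: just create the file)
    "$@"                      # wrapped helm command; its status is discarded
    rm -f "$DEC_FILE"         # cleanup succeeds, so $? is now 0
    return 0
}

# Fixed shape: capture the wrapped command's status immediately, run the
# cleanup, then return that status so the caller (and the CI job) fails
# exactly when helm fails.
fixed_wrapper() {
    : > "$DEC_FILE"
    "$@"
    rc=$?                     # must be the very next statement after "$@"
    rm -f "$DEC_FILE"         # cleanup can no longer mask rc
    return "$rc"
}

# Returns 0 only when no decrypted file was left behind; lets callers check
# that the fixed wrapper still cleans up on both success and failure.
dec_file_removed() {
    [ ! -e "$DEC_FILE" ]
}

# Stand-alone demonstration, guarded so that sourcing the file runs nothing.
if [ "${1:-}" = "--demo" ]; then
    buggy_wrapper fake_helm_failure; echo "buggy wrapper exit status: $?"   # 0
    fixed_wrapper fake_helm_failure; echo "fixed wrapper exit status: $?"   # 1
fi
```

Run it as `sh wrapper-status.sh --demo` to see the two statuses side by side; the same capture-before-cleanup pattern applies when cleanup is done from an EXIT trap, as long as the trap does not end with a command that resets `$?`.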
I cloned repo, imported PGP keys:
gpg --import example/pgp/projectx.asc
and then tried to view secret from example:
helm secrets view example/helm_vars/projectX/production/us-east-1/java-app/secrets.yaml
Error decrypting tree: Error walking tree: Could not decrypt value: crypto/aes: invalid key size 31
Error: plugin "secrets" exited with error
Info:
#sops --version
sops 3.0.5 (latest)
#gpg --version
gpg (GnuPG) 2.2.1
libgcrypt 1.8.1
#helm version
Client: &version.Version{SemVer:"v2.7.2", GitCommit:"8478fb4fc723885b155c924d1c8c410b7a9444e6", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.8.1", GitCommit:"6af75a8fd72e2aa18a2b278cfe5c7a1c5feca7f2", GitTreeState:"clean"}
If you try to install in a docker container (e.g. alpine), you will get this error:
docker run -it --rm alpine bash
wget -q https://raw.githubusercontent.com/futuresimple/helm-secrets/master/install-binary.sh
chmod +x ./install-binary.sh
./install-binary.sh
bash: line 18: HELM_BIN: unbound variable
This is because the script is running with set -u.
How are others automating the installation?
Hello.
The test doesn't work. Maybe I'm doing something wrong?
➜ ./test.sh
+++ Installing helm-secrets plugin
[OK] helm-ecrets plugin installed
+++ Importing private pgp key for projectx
gpg: key AF1D073646ED4927: "helm-secrets-example-projectx <[email protected]>" not changed
gpg: key AF1D073646ED4927: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys unchanged: 1
+++ Importing private pgp key for projectx
gpg: key 19F6A67BB1B8DDBE: "helm-secrets-example-projecty <[email protected]>" not changed
gpg: key 19F6A67BB1B8DDBE: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys unchanged: 1
+++ Show helm_vars tree from example
example/helm_vars/
├── .sops.yaml
├── projectX
│   ├── .sops.yaml
│   ├── production
│   │   └── us-east-1
│   │       └── java-app
│   │           ├── secrets.yaml
│   │           ├── secrets.yaml.dec
│   │           └── value.yaml
│   └── sandbox
│       └── us-east-1
│           └── java-app
│               ├── secrets.yaml
│               └── value.yaml
├── projectY
│   ├── .sops.yaml
│   ├── production
│   │   └── us-east-1
│   │       └── java-app
│   │           ├── secrets.yaml
│   │           └── value.yaml
│   └── sandbox
│       └── us-east-1
│           └── java-app
│               ├── secrets.yaml
│               └── value.yaml
├── secrets.yaml
└── values.yaml
14 directories, 14 files
+++ Testing ./example/helm_vars/projectX/production/us-east-1/java-app/secrets.yaml
+++ Encrypt and Test
[OK] File properly encrypted
+++ Test if 'Already Encrypted' feature works
[OK] Already Encrypted
+++ View encrypted Test
Could not decrypt the data key with any of the master keys:
[GPG]: 4434EA5D05F10F59D0DF7399AF1D073646ED4927: Could not load secring: open /Users/kivagant/.gnupg/secring.gpg: no such file or directory
Error: plugin "secrets" exited with error
[OK] File decrypted and viewable
+++ Decrypt
Could not decrypt the data key with any of the master keys:
[GPG]: 4434EA5D05F10F59D0DF7399AF1D073646ED4927: Could not load secring: open /Users/kivagant/.gnupg/secring.gpg: no such file or directory
Error: plugin "secrets" exited with error
General error
Update:
➜ gpg --version
gpg (GnuPG) 2.1.22
libgcrypt 1.8.0
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /Users/kivagant/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
➜ gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2019-07-31
/Users/kivagant/.gnupg/pubring.kbx
----------------------------------
pub rsa4096 2017-05-04 [SC]
4434EA5D05F10F59D0DF7399AF1D073646ED4927
uid [ unknown] helm-secrets-example-projectx <[email protected]>
sub rsa4096 2017-05-04 [E]
pub rsa4096 2017-05-04 [SC]
40B6FAEC80FD467E3FE9421019F6A67BB1B8DDBE
uid [ unknown] helm-secrets-example-projecty <[email protected]>
sub rsa4096 2017-05-04 [E]
Is there a way of decrypting secrets in dependent projects during install?
Suppose we had chart A, which has a dependency on chart B. Chart B has a secrets.yaml file alongside its values.yaml.
Is it possible to do helm-wrapper install in chart A and have it decrypt and use values from Chart B's secrets.yaml file? If so, how do I do it?
Helm secrets doesn't run install-binary on update.
This patch solves that.
#54
# helm plugin list
NAME VERSION DESCRIPTION
diff 2.11.0+2 Preview helm upgrade changes as a diff
secrets 2.0.0 This plugin provides secrets values encryption for Helm charts secure storing
helm secrets fails for me with:
Error: Get http://localhost:8080/api/v1/namespaces/kube-system/pods?labelSelector=app%3Dhelm%2Cname%3Dtiller: dial tcp 127.0.0.1:8080: connect: connection refused
I do not have a tiller connection, but why is it needed for secrets?
Hello. First: this is great! Thank you.
Reading & learning from your README, I wondered if it could be clearer. Specifically:
helm-wrapper - what exactly is this referring to? Is it part of this repo? Are you referring to the wrapper.sh script here? Is it part of helm?
What is the workflow for using helm secrets? I.e. how do I install a chart with a sops secret? Does it do it automagically? Do I need to decrypt first and store output? A working example here would be nice.
With guidance, I'd love to submit a PR and improve this project.
/home/helm/plugins/helm-secrets/install-binary.sh: line 38: lsb_release: command not found
Error: plugin install hook for "secrets" exited with error
Howdy folks, SOPS maintainer here. Just wanted to let you know that brew install sops installs sops 1.x, the old python version, and not the more recent sops 2.x written in Go.
We don't publish MacOS binaries (yet?), so I'd recommend using go get -u go.mozilla.org/sops/cmd/sops to install 2.x on macos.
I keep getting Error loading file metadata: sops metadata not found when trying to interact with any secret files using helm-wrapper (see output below). I wonder if it is an issue with sops v3, or using GCP KMS, or if I am missing any config. Any help would be appreciated!
> sops -v ---
sops 3.0.0 (latest)
------------------------------------------------------------
> cat .sops.yaml ---
creation_rules:
  - gcp-kms: 'projects/my-gcp-project/locations/global/keyRings/sops/cryptoKeys/my-app'
------------------------------------------------------------
> cat k8s/my-app/secrets.yaml ---
SECRET_1: ENC[AES256_GCM,data:<data>,iv:<iv>=,tag:<tag>==,type:str]
SECRET_2: ENC[AES256_GCM,data:<data>,iv:<iv>=,tag:<tag>==,type:str]
SECRET_3: ENC[AES256_GCM,data:<data>,iv:<iv>=,tag:<tag>==,type:str]
sops:
  kms: []
  gcp_kms:
  - resource_id: projects/cz-kms/locations/global/keyRings/sops/cryptoKeys/my-app
    created_at: '2017-10-12T02:50:29Z'
    enc: <enc_data>
  lastmodified: '2017-10-12T02:50:48Z'
  mac: <enc_data>
  pgp: []
  unencrypted_suffix: _unencrypted
  version: 3.0.0
------------------------------------------------------------
> sops -d k8s/my-app/secrets.yaml ---
[GCPKMS] WARN[0000] Decryption succeeded resourceID=projects/cz-kms/locations/global/keyRings/sops/cryptoKeys/my-app
[SOPS] INFO[0000] Data key recovered successfully
SECRET_1: foo
SECRET_2: bar
SECRET_3: baz
------------------------------------------------------------
> helm-wrapper secrets view k8s/my-app/secrets.yaml ---
Error loading file metadata: sops metadata not found
Error: plugin "secrets" exited with error
------------------------------------------------------------
Hi @szibis
I wanted to show you a rewrite I have done of helm-secrets.
https://github.com/mhyllander/helm-secrets/tree/fixes
I find the plugin idea very useful and it would have solved the problems I and my team had when starting to use kubernetes and helm. But I had some problems using it, so I started on a fork and ended up rewriting most of the plugin.
I realize my changes are probably too much to be merged back to this repo (and maybe I haven't encountered all use cases), but I wanted to notify you about my fork in case you were interested.
Running Ubuntu 16.04 with helm 2.4.2:
$ helm plugin install https://github.com/futuresimple/helm-secrets
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 3909k 100 3909k 0 0 4078k 0 --:--:-- --:--:-- --:--:-- 4076k
Wrong SHA256
* Helm-secrets wrapper for helm binary: No /usr/local/bin/helm-wrapper installed
Installed plugin: secrets
The Wrong SHA256 and failure to install helm-wrapper seem to leave me in a broken state.
I'd like to retrieve my secrets from an Azure Key Vault
secrets 1.2.9, sops 3.0.5
rdmurray@conrad:~/bin>helm secrets edit foo.yaml
/home/rdmurray/.helm/plugins/helm-secrets/secrets.sh: line 276: yml: unbound variable
Error: plugin "secrets" exited with error
I get this error after resolving some merge conflicts:
MAC mismatch. File has 11D93911D63273D0303CE8EF2587D418739BBC928B06339768BC747D3DDA2EDF6F6B919A2091F33E5D1BECA7029F5B6F44123446118B3E8A9916F37094BCCE14, computed 24D9784D6514E9E76EBA002E2EF010930E7DAFEB86F1CA4A934519A01FF7194174D1772EE6BA0F5EC36096570D31EA8CF0FB370C0933FF608586F8E77A51303F
Error: plugin "secrets" exited with error
Please help, we cannot deploy because of this.
Would be nice being able to suppress any exit 0 (non-errors) messages with a --quiet flag.
I ran helm plugin update secrets and got version 2.0.0 earlier today.
This newer version produces this error where version 1.3.1 worked fine:
$ helm secrets enc kubernetes/charts/apps/xxx/values/xxx/secrets.yaml
Encrypting kubernetes/charts/apps/xxx/values/xxx/secrets.yaml
error loading config: no matching creation rules found
Error: plugin "secrets" exited with error
I noticed there is no 2.0.0 release on Github. What's the deal?
Running "helm plugin install https://github.com/futuresimple/helm-secrets" on a Microsoft Windows system results in the message:
Error: symlink C:\Users\THIS.USER\.helm\cache\plugins\https-github.com-futuresimple-helm-secrets C:\Users\THIS.USER\.helm\plugins\helm-secrets: A required privilege is not held by the client.
Looking at the install.sh script, it appears to only check for Mac and Linux operating systems.
Can this be added, or will it never be possible?
Awesome tool! Ran into an issue while implementing it that I thought I'd bring up. I haven't been able to find a related issue (open or closed), but feel free to close this if it's been answered before!
Helm itself allows values to be simple go templates, not enclosed in quotation marks. It actually templates them out in this way using helm create. Adding helm-secrets to an existing project with this requirement introduces a lot of unnecessary work.
I have a minimal example to show what I mean:
# templates/secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: example
  labels:
    app: {{ include "mychart.name" . }}
    chart: {{ include "mychart.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
type: Opaque
data:
  foo: bar
$ helm lint
==> Linting .
[INFO] Chart.yaml: icon is recommended
1 chart(s) linted, no failures
$ helm secrets lint . -f templates/secrets.yaml
Not encrypted: templates/secrets.yaml
Error: failed to parse templates/secrets.yaml: error converting YAML to JSON: yaml: invalid map key: map[interface {}]interface {}{".Release.Name":interface {}(nil)}
Required to work with helm-secrets:
# templates/secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: example
  labels:
    app: '{{ include "mychart.name" . }}'
    chart: '{{ include "mychart.chart" . }}'
    release: '{{ .Release.Name }}'
    heritage: '{{ .Release.Service }}'
type: Opaque
data:
  foo: bar
$ helm secrets lint . -f templates/secrets.yaml
Not encrypted: templates/secrets.yaml
==> Linting .
[INFO] Chart.yaml: icon is recommended
1 chart(s) linted, no failures
System Specs
# OS
MacOS 10.14.1 (18B75)
# Helm
Client: &version.Version{SemVer:"v2.11.0", GitCommit:"2e55dbe1fdb5fdb96b75ff144a339489417b146b", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.11.0", GitCommit:"2e55dbe1fdb5fdb96b75ff144a339489417b146b", GitTreeState:"clean"}
# Helm Plugins
NAME VERSION DESCRIPTION
secrets 2.0.0 This plugin provides secrets values encryption for Helm charts secure storing
I had this issue while using helm-secrets to upgrade a release today: helm/helm#3480
Immediately I noticed that the revision was completely broken. All the Secret resources contained the ciphertext inside secrets.yaml and not the decrypted values.
How is this possible? At what point in the steps that call out to helm does this plugin decrypt the secrets file? This seems like a very bad issue to have. It's more than just a false alarm on a CD system; all the secrets for a large umbrella chart were clobbered.
Hi,
I've been playing with the plugin and noticed that the cleanup was not happening upon upgrade error
$ helm-wrapper upgrade my-releasev1 myrepo/mychart --install --namespace myns --values helm_vars/secrets.yaml
>>>>>> Decrypt
Decrypting helm_vars/secrets.yaml
[GCPKMS] WARN[0001] Decryption succeeded resourceID=projects/myproject/locations/global/keyRings/mykeyring/cryptoKeys/mykey
[SOPS] INFO[0001] Data key recovered successfully
Error: UPGRADE FAILED: render error in "mychart/templates/secrets.yaml": template: mychart/templates/secrets.yaml:12:64: executing "mychart/templates/secrets.yaml" at <b64enc>: wrong type for value; expected string; got float64
$ ll helm_vars/*dec
-rw-rw-r-- 1 snebel snebel 220 Feb 1 17:21 helm_vars/secrets.yaml.dec
Feels to me that somehow the subshell created here https://github.com/futuresimple/helm-secrets/blob/4b076e032e66356b6cb6258ce3d0c2cec01b7a0a/wrapper.sh#L93 is not acting as you would expect from a subshell but exits and stops the whole execution at that point.
Native Helm supports installing a remote chart from a charts server. For example:
$ helm repo update # Make sure we get the latest list of charts
$ helm install stable/mysql
Released smiling-penguin
This is one of the major benefits of using Helm: You can package up your charts as build artifacts, host them on a charts server, and then install them as needed.
However, with helm-secrets, I haven't found a way to remotely install a chart and use the secrets found within that chart. Here's the helm-wrapper example from the helm-secrets documentation:
AWS_PROFILE=sandbox helm-wrapper upgrade \
helloworld \
stable/java-app \
--install \
--timeout 600 \
--wait \
--kube-context=sandbox \
--namespace=projectx \
--set global.app_version=bff8fc4 \
-f helm_vars/projectx/sandbox/us-east-1/java-app/helloworld/secrets.yaml \
-f helm_vars/projectx/sandbox/us-east-1/java-app/helloworld/values.yaml \
-f helm_vars/secrets.yaml \
-f helm_vars/values.yaml
It appears to assume that the source code of the chart is available and unpacked locally. What I would expect to be able to do is perform a helm-wrapper install or upgrade of a remote chart and not specify local helm_vars files to pull secrets from, but rather implicitly or explicitly pull secrets/values from within the chart being installed.
A work-around for this gap is to first helm fetch and unpack the remote chart in question so that the source is available locally. However, this work-around simply doesn't work with multi-chart solutions like helmfile, in which it helm upgrades multiple charts in one go, without the opportunity to intervene with a helm fetch hack.
So, any thoughts on how to support this remote install use case?
Passing in multiple values-files by comma-separating them works just fine in regular helm. Not so much with helm-wrapper:
$ helm-wrapper install \
-f ./helm_vars/staging/values.yaml,./helm_vars/staging/secrets.yaml \
./chart
Error no secrets found. No secret files in chart or secrets files defined
Instead you have to do:
$ helm-wrapper install \
-f ./helm_vars/staging/values.yaml -f ./helm_vars/staging/secrets.yaml \
./chart
>>>>>> Decrypt
Decrypting ./helm_vars/staging/secrets.yaml
NAME: traefik
...
I'd label this a minor issue, but thought it might be worth reporting.
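The report above shows the wrapper failing to recognise secrets files when several are passed in one comma-separated -f argument. The following is an added example, not the plugin's own wrapper code, of how such an argument list can be normalised before scanning it for secrets files. It assumes, for the purpose of the example, that a sops-encrypted YAML file carries a top-level sops: key; the function names and the sample files are constructed here.

```shell
#!/bin/sh
# Added example (not helm-secrets code): normalise helm value-file arguments
# so that "-f a,b", "--values a,b" and "--values=a,b" all become one "-f"
# plus one path per line, then pick out the files that look sops-encrypted.

# Emit "-f" and one path per line for a comma-separated list.
emit_values_list() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r path; do
        [ -n "$path" ] || continue
        printf '%s\n%s\n' -f "$path"
    done
}

# Print the argument list one token per line with every value-file
# argument expanded; all other arguments pass through unchanged.
normalize_values_args() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -f|--values)
                [ $# -ge 2 ] || { echo "missing argument for $1" >&2; return 1; }
                shift
                emit_values_list "$1"
                ;;
            --values=*)
                emit_values_list "${1#--values=}"
                ;;
            *)
                printf '%s\n' "$1"
                ;;
        esac
        shift
    done
}

# Print the value files in the argument list that look sops-encrypted.
# Assumption for this example: an encrypted file has a top-level "sops:" key.
secrets_files_in_args() {
    normalize_values_args "$@" | while IFS= read -r tok; do
        if [ "$tok" = "-f" ]; then
            IFS= read -r path || break
            if [ -f "$path" ] && grep -q '^sops:' "$path"; then
                printf '%s\n' "$path"
            fi
        fi
    done
}

# Demo on constructed files: one plain values file, one sops-style secrets file.
WORK=$(mktemp -d)
printf 'replicas: 2\n' > "$WORK/values.yaml"
printf 'password: ENC[example]\nsops:\n    version: 3.0.5\n' > "$WORK/secrets.yaml"
echo "normalized arguments:"
normalize_values_args install -f "$WORK/values.yaml,$WORK/secrets.yaml" ./chart
echo "secrets files to decrypt:"
secrets_files_in_args install -f "$WORK/values.yaml,$WORK/secrets.yaml" ./chart
rm -rf "$WORK"
```

With this normalisation in front of the decrypt step, the comma-separated form and the repeated -f form produce the same list of files, so neither silently skips decryption.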
helm lint for example takes --values now, and so do other plugins. What would be the best way to add those to the wrapper?
PR #67
Hi,
The BSD xargs does not support -r, and as such, when using helm secrets, this issue arises:
>>>>>> Cleanup
/usr/bin/xargs: illegal option -- r
usage: xargs [-0opt] [-E eofstr] [-I replstr [-R replacements]] [-J replstr]
[-L number] [-n number [-x]] [-P maxprocs] [-s size]
[utility [argument ...]]
Error: plugin "secrets" exited with error
The usage of xargs is here: https://github.com/futuresimple/helm-secrets/blob/76b7f29c18a7f47885cb4a76392a2ed6b0086ec2/secrets.sh#L342
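Two of the reports above, the secrets.yaml.dec file left behind after a failed upgrade and the cleanup step failing on BSD xargs, which has no -r option, point at the same part of a wrapper: decrypt, run helm, remove the decrypted files no matter what happened, and return helm's exit status. The block below is an added example of that shape and is not the plugin's own wrapper.sh or secrets.sh. The decrypt step is a stand-in that writes a marked copy instead of calling sops, the wrapped command is a stand-in for helm, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not helm-secrets code: a minimal decrypt-run-cleanup wrapper that
#   - tracks every decrypted file it creates,
#   - removes them whether the wrapped command succeeds, fails or is interrupted,
#   - removes them with a plain read loop, so it needs no "xargs -r" (GNU-only),
#   - exits with the wrapped command's status.

NL='
'
DEC_FILES=""   # newline-terminated list of files to remove

# Stand-in for "sops -d FILE > FILE.dec" (constructed: no real decryption).
decrypt_values() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    out="$1.dec"
    printf 'decrypted: %s\n' "$(cat "$1")" > "$out" || return 1
    DEC_FILES="$DEC_FILES$out$NL"
}

# Remove every tracked file. A read loop is portable; "xargs -r rm" is not.
cleanup_dec_files() {
    printf '%s' "$DEC_FILES" | while IFS= read -r f; do
        if [ -n "$f" ]; then rm -f -- "$f"; fi
    done
    DEC_FILES=""
}

# run_with_cleanup SECRETS_FILE COMMAND [ARG...]
run_with_cleanup() {
    secrets="$1"; shift
    decrypt_values "$secrets" || return 1
    trap 'cleanup_dec_files; exit 130' INT TERM   # interrupted: still clean up
    rc=0
    "$@" || rc=$?        # capture the status; a failure must not skip cleanup
    trap - INT TERM
    cleanup_dec_files
    return "$rc"
}

# Demo on constructed input: a fake secrets file and a failing stand-in for
# "helm upgrade" (exit 1, like the render error in the report).
WORK=$(mktemp -d)
printf 'db_password: example-only\n' > "$WORK/secrets.yaml"
run_with_cleanup "$WORK/secrets.yaml" sh -c 'echo "Error: UPGRADE FAILED (stand-in)"; exit 1'
echo "wrapper exit status: $?"     # 1, propagated from the stand-in
if [ -e "$WORK/secrets.yaml.dec" ]; then
    echo "LEAK: $WORK/secrets.yaml.dec left behind"
else
    echo "decrypted file removed"
fi
rm -rf "$WORK"
```

Capturing the status into a variable before cleanup is the point: a bare exit inside a subshell, or an unconditional exit 0 at the end, is what lets the plaintext file survive or the pipeline report success on a failed release.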
Would be nice to be able to run helm secrets dec ./path/to/secrets.yaml
without it cluttering secrets in one's project structure. Actually I'd go as far as to say that this should be the default. Would make it less likely that someone in the organization accidentally commits decrypted secrets.
To stdout:
helm secrets dec ./path/to/secrets.yaml
To file (current behavior):
helm secrets dec --save ./path/to/secrets.yaml
helm secrets dec -s ./path/to/secrets.yaml
ENV:
MacOS 10.14.
Helm 2.11
prepare:
$ helm plugin install https://github.com/futuresimple/helm-secret
$ brew install gnu-getopt
$ brew reinstall gnu-getopt # just for sure
issue:
$ helm secrets help
I'm sorry, "getopt --test" failed in this environment.
You may need to install enhanced getopt, e.g. on OSX using
"brew install gnu-getopt".
Error: plugin "secrets" exited with error
$ getopt --test && echo $?
0
I have no ideas what is going wrong, can you give me any idea?
Thank you!
I tried to install helm-secrets and am not sure if this is a helm-secrets issue or a helm issue... I am running Arch Linux and helm 2.8.0.
First, I had to set up --version because of this. Then I didn't have lsb-release:
$ helm plugin install https://github.com/futuresimple/helm-secrets --version v1.2.8 --debug
[debug] updating https://github.com/futuresimple/helm-secrets
[debug] setting version to "v1.2.8"
[debug] symlinking /home/dan/.helm/cache/plugins/https-github.com-futuresimple-helm-secrets to /home/dan/.helm/plugins/helm-secrets
[debug] loading plugin from /home/dan/.helm/plugins/helm-secrets
[debug] running install hook: &{/usr/bin/sh [sh -c $HELM_PLUGIN_DIR/install-binary.sh] [] <nil> <nil> <nil> [] %!s(*syscall.SysProcAttr=<nil>) %!s(*os.Process=<nil>) <nil> <nil> <nil> %!s(bool=false) [] [] [] [] %!s(chan error=<nil>) %!s(chan struct {}=<nil>)}
/home/dan/.helm/plugins/helm-secrets/install-binary.sh: line 38: lsb_release: command not found
Error: plugin install hook for "secrets" exited with error
Installing lsb-release helped. It should be clearly defined in the README that it is a dependency.
Then, I ended up with this issue:
$ helm plugin install https://github.com/futuresimple/helm-secrets --version v1.2.8 --debug
[debug] updating https://github.com/futuresimple/helm-secrets
[debug] setting version to "v1.2.8"
[debug] symlinking /home/dan/.helm/cache/plugins/https-github.com-futuresimple-helm-secrets to /home/dan/.helm/plugins/helm-secrets
[debug] loading plugin from /home/dan/.helm/plugins/helm-secrets
[debug] running install hook: &{/usr/bin/sh [sh -c $HELM_PLUGIN_DIR/install-binary.sh] [] <nil> <nil> <nil> [] %!s(*syscall.SysProcAttr=<nil>) %!s(*os.Process=<nil>) <nil> <nil> <nil> %!s(bool=false) [] [] [] [] %!s(chan error=<nil>) %!s(chan struct {}=<nil>)}
which: no dpkg in (/home/dan/.local/opt/miniconda/bin:/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl)
Sorry only installation via dpkg (aka Debian distros) is currently supported
* Helm-secrets wrapper for helm binary: ln: failed to create symbolic link '/usr/bin/helm-wrapper': Permission denied
Error: plugin install hook for "secrets" exited with error
Furthermore, it shows that it got installed:
NAME VERSION DESCRIPTION
secrets 1.2.8 This plugin provides secrets values encryption for Helm charts secure storing
but I doubt it will be working, since sops isn't installed. Shouldn't this rather be a pre-install hook? And then the permission error is at least because of this, which usually resolves to /usr/bin/, which is terrible to do for custom scripts.
Why not just let everyone to install sops using his package manager?
secrets 1.2.9, sops 3.0.5
Not changing the file should not be a plugin error, but it is:
File has not changed, exiting.
Error: plugin "secrets" exited with error
Please allow for the usage of a custom text editor, preferably from the $EDITOR variable. Seems that sops can do that already, but the condition checking for vim prevents it:
if ! type "vim" > /dev/null; then
echo "Command like 'vim' must be installed to edit before re-encrypt"
exit 1
fi
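One way to replace the hard-coded vim check quoted above while keeping vim as the fallback, shown as an added example rather than the plugin's own code (the function name is an assumption):

```shell
#!/bin/sh
# Added example (not helm-secrets code): pick the editor for the
# edit-before-re-encrypt step. Honour $EDITOR when it is set and its command
# word resolves, fall back to vim, and fail with a clear message otherwise.
choose_editor() {
    candidate="${EDITOR:-vim}"
    # $EDITOR may carry flags ("code --wait"); check only the command word.
    cmd=${candidate%% *}
    if command -v "$cmd" >/dev/null 2>&1; then
        printf '%s\n' "$candidate"
        return 0
    fi
    echo "No usable editor: set \$EDITOR or install vim" >&2
    return 1
}

# Demo: report what would be launched in this environment.
if editor=$(choose_editor); then
    echo "would edit with: $editor"
fi
```

Checking only the first word of $EDITOR matters because values such as "code --wait" are common; testing the whole string with command -v would reject them.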
Any recommendations for integrating Helmfile with helm-secrets?