zendesk / helm-secrets
DEPRECATED: A helm plugin that helps manage secrets with a Git workflow and store them anywhere

License: Apache License 2.0

Shell 100.00%
helm helm-plugin kubernetes k8s helm-charts kubernetes-secrets sops pgp kms encryption-tool

helm-secrets's Issues

upgrade doesn't expose underlying helm return code

If, say, I invoke helm improperly (in this case I'm omitting the -f secrets.yaml that pulls in the secret values), I get this error, and exit code 1:

$ helm upgrade --install ci-develop --namespace ci -f values.yaml .
Release "ci-develop" does not exist. Installing it now.
Error: render error in "dod/templates/dod_secrets.yml": template: dod/templates/dod_secrets.yml:13:54: executing "dod/templates/dod_secrets.yml" at <b64enc>: invalid value; expected string
$ echo $?
1

As it should be. But when I run with helm secrets, the same error is generated, but the exit code becomes 0.

$ helm secrets upgrade --install ci-develop --namespace ci -f values.yaml .
Release "ci-develop" does not exist. Installing it now.
echo $?
Error: render error in "dod/templates/dod_secrets.yml": template: dod/templates/dod_secrets.yml:13:54: executing "dod/templates/dod_secrets.yml" at <b64enc>: invalid value; expected string
danfarrell@mac 2018.12.12 16:50:58 develop ~/git/k8s_dev/dod
$ echo $?
0

This completely breaks my CI/CD process, and I think it would break any CI/CD process which needs to fail if helm doesn't work.

I think it's because we exit 0 at the end of the secrets.sh script, so I'll throw a PR out to exit with the helm code instead and see what folks think.

Pre-requisite for running examples

Hi, thanks a lot for maintaining the great project 👍

I've encountered an error like the following while trying examples according to the README:

$ helm secrets dec example/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml
Decrypting example/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml
[PGP]	 WARN[0000] Decryption failed                             fingerprint=4434EA5D05F10F59D0DF7399AF1D073646ED4927
Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  4434EA5D05F10F59D0DF7399AF1D073646ED4927: FAILED
    - | could not decrypt data key with PGP key:
      | golang.org/x/crypto/openpgp error: Could not load secring:
      | open /Users/mumoshu/.gnupg/secring.gpg: no such file or
      | directory; GPG binary error: exit status 2

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
Error: plugin "secrets" exited with error

Obviously, I had to have ~/.gnupg/secring.gpg and the example private keys imported into it, which can be achieved by running:

gpg --import example/pgp/project{x,y}.asc

Could I add this step to the README? Thanks!

Create a version 2.0.0 tag?

I would like to lock in the version of helm secrets I am using, but version 2 is not tagged. The only way to currently install version 2 is from master, which could change at any time.

./test.sh failing

Hey everyone. This may be a local problem on my machine, but I thought I'd report it anyway, since it seems I am on the latest version of everything.

First tried to go through the example and it failed immediately:

helm secrets dec example/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml
Decrypting example/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml
[PGP]	 INFO[0000] Decryption succeeded                          fingerprint=4434EA5D05F10F59D0DF7399AF1D073646ED4927
[SOPS]	 INFO[0000] Data key recovered successfully
Error decrypting tree: Error walking tree: Could not decrypt value: crypto/aes: invalid key size 31
Error: plugin "secrets" exited with error
➜  helm-secrets git:(master) ✗

And then I tried to run test.sh which also failed.

➜  R git clone [email protected]:futuresimple/helm-secrets.git
Cloning into 'helm-secrets'...
remote: Counting objects: 409, done.
remote: Total 409 (delta 0), reused 0 (delta 0), pack-reused 409
Receiving objects: 100% (409/409), 147.13 KiB | 617.00 KiB/s, done.
Resolving deltas: 100% (202/202), done.
➜  R cd helm-secrets
➜  helm-secrets git:(master) brew install sops
Updating Homebrew...
==> Auto-updated Homebrew!
Updated 3 taps (heroku/brew, homebrew/core, caskroom/cask).
==> New Formulae
jthread                                                                                                                                  wp-cli
==> Updated Formulae
erlang ✔                      nginx ✔                       docker                        frugal                        groovyserv                    libswiften                    meson                         pygobject3                    talloc
git ✔                         arx                           docker-completion             gdcm                          gst-python                    libucl                        openrct2                      pytouhou                      unixodbc
heroku ✔                      aws-sdk-cpp                   exploitdb                     gitlab-runner                 lean-cli                      mackup                        osquery                       sdlpop                        vips
heroku/brew/heroku ✔          czmq                          flow                          gom                           libbi                         mat                           parallel                      spigot                        xdot
heroku/brew/heroku-node ✔     diffoscope                    fribidi                       grip                          librealsense                  mbedtls                       pgroonga                      svgcleaner                    zeromq

==> Downloading https://homebrew.bintray.com/bottles/sops-3.0.2.high_sierra.bottle.tar.gz
Already downloaded: /Users/stoyle/Library/Caches/Homebrew/sops-3.0.2.high_sierra.bottle.tar.gz
==> Pouring sops-3.0.2.high_sierra.bottle.tar.gz
๐Ÿบ  /usr/local/Cellar/sops/3.0.2: 5 files, 16.8MB
โžœ  helm-secrets git:(master) ./test.sh
+++ Installing helm-secrets plugin
[OK] helm-ecrets plugin installed

+++ Importing private pgp key for projectx
gpg: key AF1D073646ED4927: "helm-secrets-example-projectx <[email protected]>" not changed
gpg: key AF1D073646ED4927: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1

+++ Importing private pgp key for projectx
gpg: key 19F6A67BB1B8DDBE: "helm-secrets-example-projecty <[email protected]>" not changed
gpg: key 19F6A67BB1B8DDBE: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1

+++ Show helm_vars tree from example
example/helm_vars/
├── .sops.yaml
├── projectX
│   ├── .sops.yaml
│   ├── production
│   │   └── us-east-1
│   │       └── java-app
│   │           ├── secrets.yaml
│   │           └── value.yaml
│   └── sandbox
│       └── us-east-1
│           └── java-app
│               ├── secrets.yaml
│               └── value.yaml
├── projectY
│   ├── .sops.yaml
│   ├── production
│   │   └── us-east-1
│   │       └── java-app
│   │           ├── secrets.yaml
│   │           └── value.yaml
│   └── sandbox
│       └── us-east-1
│           └── java-app
│               ├── secrets.yaml
│               └── value.yaml
├── secrets.yaml
└── values.yaml

14 directories, 13 files

+++ Testing ./example/helm_vars/secrets.yaml
+++ Encrypt and Test


[OK] File properly encrypted
+++ Test if 'Already Encrypted' feature works


[OK] Already Encrypted
+++ View encrypted Test

[PGP]	 INFO[0000] Decryption succeeded                          fingerprint=4434EA5D05F10F59D0DF7399AF1D073646ED4927
[SOPS]	 INFO[0000] Data key recovered successfully

[OK] File decrypted and viewable
+++ Decrypt

[PGP]	 INFO[0000] Decryption succeeded                          fingerprint=4434EA5D05F10F59D0DF7399AF1D073646ED4927
[SOPS]	 INFO[0000] Data key recovered successfully

[OK] File decrypted
+++ Cleanup Test


[OK] Cleanup specified directory


[OK] Cleanup specified .dec file


[OK] Cleanup specified encrypted secret file
+++ Once again Encrypt and Test

[PGP]	 INFO[0000] Encryption succeeded                          fingerprint=4434EA5D05F10F59D0DF7399AF1D073646ED4927
[PGP]	 INFO[0001] Encryption succeeded                          fingerprint=40B6FAEC80FD467E3FE9421019F6A67BB1B8DDBE
[CMD]	 INFO[0001] File written successfully

[OK] File properly encrypted
+++ Testing ./example/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml
+++ Encrypt and Test


[OK] File properly encrypted
+++ Test if 'Already Encrypted' feature works


[OK] Already Encrypted
+++ View encrypted Test

[PGP]	 INFO[0000] Decryption succeeded                          fingerprint=4434EA5D05F10F59D0DF7399AF1D073646ED4927
[SOPS]	 INFO[0000] Data key recovered successfully
Error decrypting tree: Error walking tree: Could not decrypt value: crypto/aes: invalid key size 31
Error: plugin "secrets" exited with error
[OK] File decrypted and viewable
+++ Decrypt

[PGP]	 INFO[0000] Decryption succeeded                          fingerprint=4434EA5D05F10F59D0DF7399AF1D073646ED4927
[SOPS]	 INFO[0000] Data key recovered successfully
Error decrypting tree: Error walking tree: Could not decrypt value: crypto/aes: invalid key size 31
Error: plugin "secrets" exited with error
General error
➜  helm-secrets git:(master) ✗

So, is it my machine, or is this a bug?

Cheers,
Alf

'helm secrets update' does not work with Centos7/bash4

Using centos7 and bash 4, I receive the following error when trying to run helm secrets update:

/root/.helm/plugins/helm-secrets/secrets.sh: line 262: local: -n: invalid option
local: usage: local [option] name[=value]

I was able to fix this by changing secrets.sh: line 265 from:

if [[ ${BASH_VERSINFO[0]} -lt 4 ]]

to:

if [[ ${BASH_VERSINFO[0]} -lt 5 ]]

so now the script is using the eval commands per the comment on line 250:

# Name references ("declare -n" and "local -n") are a Bash 4 feature.
# For previous versions, work around using eval.
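An added illustration of the point in this report, not code from helm-secrets: CentOS 7 ships bash 4.2, and "declare -n" / "local -n" only arrived in bash 4.3, so a check on the major version alone picks the wrong branch. The functions below (all names are mine) probe for name-reference support directly and fall back to eval, with the variable name validated first, since eval on an unchecked name would run whatever it contains.

```shell
#!/usr/bin/env bash
# Added example, not helm-secrets' own code. Gating the nameref path on the
# bash major version is not enough (bash 4.2 rejects "local -n"); probing the
# feature itself picks the right branch on any shell version.

# Returns 0 when the running shell accepts name references.
# The probe runs in a subshell so a rejected option cannot affect us.
supports_nameref() {
  ( declare -n _probe=_target ) >/dev/null 2>&1
}

# Reports which mechanism assign_by_name will use ("nameref" or "eval").
assign_mechanism() {
  if supports_nameref; then echo nameref; else echo eval; fi
}

# Rejects anything that is not a plain shell identifier. This matters for the
# eval fallback: eval on an unchecked name would execute whatever it contains.
valid_var_name() {
  case "$1" in
    "" | [0-9]* | *[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Nameref path (bash >= 4.3). Only called after the probe succeeds, so older
# shells never execute "local -n" and never hit "local: -n: invalid option".
assign_by_name_ref() {
  local -n _ref="$1"
  _ref="$2"
}

# Portable fallback. "\$2" is left unexpanded so the value is assigned
# verbatim instead of being parsed as shell code.
assign_by_name_eval() {
  eval "$1=\$2"
}

# Assigns VALUE ($2) to the variable named NAME ($1), whichever shell this is.
assign_by_name() {
  valid_var_name "$1" || { echo "assign_by_name: invalid name: $1" >&2; return 1; }
  if supports_nameref; then
    assign_by_name_ref "$1" "$2"
  else
    assign_by_name_eval "$1" "$2"
  fi
}

# Constructed demo value: spaces, a dollar sign and backticks survive intact.
assign_by_name demo_var 'p@ss $word `id`'
echo "mechanism: $(assign_mechanism); demo_var=$demo_var"
```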

issue following the example on OSX

I've read the great blog https://lab.getbase.com/helm-secrets-a-missing-piece-in-kubernetes and am trying the example out but I'm running into a problem. It's probably down to me but figured I'd raise an issue to check.

I've run:

helm plugin install https://github.com/futuresimple/helm-secrets

I've also cloned this repo and try to run the first usage example https://github.com/futuresimple/helm-secrets#usage-examples

helm secrets dec example/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml
Decrypting example/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml
[PGP]	 WARN[0000] Decryption failed                             fingerprint=xx
Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  xx: FAILED
    - | could not decrypt data key with PGP key:
      | golang.org/x/crypto/openpgp error: Could not load secring:
      | open /Users/jr/.gnupg/secring.gpg: no such file or
      | directory; GPG binary error: exit status 2

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
Error: plugin "secrets" exited with error

I have a new osx machine so I figured I need to create a gpg key (is that right?)

brew install gpg

Now generated a new key:

gpg --gen-key

This created a file ~/.gnupg/pubring.kbx but no ~/.gnupg/secring.gpg which the error message above was looking for. I came across this https://superuser.com/questions/1037401/pubring-gpg-and-secring-gpg-are-missing-after-key-generation which may be related.

I'm wondering if I've fallen down a wrong path or if this is a valid issue.

Any ideas or thoughts?

yaml error on a file that does not exist

I have been working on a file (secrets.yaml) which I had encrypted, but it had some issues, so I deleted the file. Now when I try to run

helm secrets enc secrets.yaml

it gives the following error:
Error unmarshalling file: Error unmarshaling input YAML: yaml: line 6: found unexpected ':'
Error: plugin "secrets" exited with error

The secrets.yaml file is no longer there, is it being cached somewhere?

-- I figured it out: I had the template secrets.yaml in a subfolder and it was also drilling into the subfolder.

No passphrase prompt

In version 2.0.0, the passphrase prompt does not make it to the console but instead ends up in the decrypted file:

$ helm secrets dec secrets.yaml
Decrypting secrets.yaml

$ cat secrets.yaml.dec
gpg-agent not found, continuing with manual passphrase input...
Enter PGP key passphrase:
...

helm secrets install ... deploys encrypted values

I have helm-secrets setup to encrypt secrets with sops. My .sops.yaml looks like this:

creation_rules:
  - path_regex: xyz-secrets.yaml$
    kms: arn:aws:kms:us-east-1:01234:key/abcd-01234-...

  # Catchall to raise an error for unmatched secrets
  - pgp: "nonexistent-key-will-fail-for-unmatched"

I've successfully created and encrypted xyz-secrets.yaml. I'm able to helm secrets [edit|view] it and the contents look as I would expect them to.

When I try to helm secrets install or helm secrets upgrade my chart it completes successfully and the resources in k8s are created. However the values deployed to the cluster have not been decrypted and all begin with ENC[AES256_GCM,data.

In case it helps here are the versions I'm running:

$ helm plugin list
NAME   	VERSION	DESCRIPTION
secrets	2.0.0  	This plugin provides secrets values encryption for Helm charts secure storing
$ sops --version
sops 3.2.0 (latest)

And here's the exact command (under the fish shell) I deployed with:

$ env AWS_PROFILE=myprofile \
         helm secrets install                        \
           --name=my-release-name               \
           --namespace=prod                          \
           -f helm_values/xyz-values.yaml        \
           -f helm_values/xyz-secrets.yaml       \
           del-shared-config

It looks like helm-secrets is failing to detect that xyz-secrets.yaml should be decrypted. Am I using it incorrectly or have I discovered a bug in KMS support?

helm secrets dec not working and deleting secrets file

I have a simple setup just using pgp

.sops.yml

---
creation_rules:
  - pgp: B6EE067A65308CA16B0D39FE27FAE19092947959

I can run enc and view just fine

$ helm secrets enc ./secrets.yml
Encrypting ./secrets.yml
Encrypted secrets.yml

When I try to decrypt I'm getting the following

$ helm secrets dec ./secrets.yml
Decrypting ./secrets.yml
sops metadata not found
Error: plugin "secrets" exited with error
$ ls secrets.yml
ls: secrets.yml: No such file or directory
$ sops -v
sops 3.2.0 (latest)

Apparently spurious error if path omitted from 'helm secrets edit' command

secrets 1.2.9, sops 3.0.5

 rdmurray@conrad:~/projects/live_storagemanager/deploy/test[93cfac3...]>helm secrets edit                    
 Edit encrypted Chart secrets.yaml

 Decrypt encrypted file, edit and then encrypt

 You can use plain sops to edit - https://github.com/mozilla/sops

 Example:
   $ helm secrets edit <SECRET_FILE_PATH>
   or $ sops <SECRET_FILE_PATH>
   $ git add <SECRET_FILE_PATH>
   $ git commit
   $ git push

 Error: Chart package required.
 Error: plugin "secrets" exited with error

The "Error: Chart package required" would appear to be spurious, since it doesn't show up when successfully editing a file.

helm-wrapper erroneously deleting unrelated .dec files when run concurrently

When using helm-wrapper to decrypt files, we randomly get errors about the decrypted file not being found:

>>>>>> Decrypt
Decrypting /tmp/tmp.BdvUTnv8Ji/config-server/secrets.yaml

Release "config-server" does not exist. Installing it now.
Error: open /tmp/tmp.BdvUTnv8Ji/config-server/secrets.yaml.dec: no such file or directory

The general setup works fine, since there are other charts being deployed the exact same way in parallel where it works fine, and there is also no pattern in where it's failing, as far as I can see. Sometimes it's this chart, sometimes another and other times none at all... :(

Helm version: v2.9.1
Helm secrets version: 1.3.0
Sops version: 3.0.3

UPDATE: The issue only appears if multiple instances are run in parallel. But those instances are not sharing the same secrets.yaml files, in which case this would be expected.

Any proposals appreciated!

Can't edit a secret file

Symptoms
When I try to edit a secret file, I receive an error:

$ helm secrets edit dp-apache-drill/secrets.yaml
Could not create temporary file: open /var/folders/bl/sr0tdr1s3wzdn0mzwkq846l9fg7039/T/782685853: is a directory
Error: plugin "secrets" exited with error

Plugin Version

$ helm plugin list
NAME   	VERSION	DESCRIPTION
secrets	1.1.2  	This plugin provides secrets values encryption for Helm charts secure storing

Platform
macOS Sierra 10.12.5

More information
Running the script with debug enabled:

$ helm secrets edit dp-apache-drill/secrets.yaml
+ [[ 2 -lt 1 ]]
+ case "${1:-"help"}" in
+ :
+ [[ 2 -lt 2 ]]
+ edit dp-apache-drill/secrets.yaml
+ type vim
+ chart=dp-apache-drill/secrets.yaml
+ vars_load dp-apache-drill/secrets.yaml
+ export templates_dir=dp-apache-drill/secrets.yaml
+ templates_dir=dp-apache-drill/secrets.yaml
+ [[ -f dp-apache-drill/secrets.yaml/templates/secrets.yaml ]]
+ [[ -f dp-apache-drill/secrets.yaml/secrets.yml ]]
+ [[ -f dp-apache-drill/secrets.yaml ]]
+ export yml=dp-apache-drill/secrets.yaml
+ yml=dp-apache-drill/secrets.yaml
+ edit_helper
+ file dp-apache-drill/secrets.yaml
+ sops_config
+ DEC_SUFFIX=.dec
+ SOPS_CONF_FILE=.sops.yaml
++ which dp-apache-drill/secrets.yaml
+ sops ''
Could not create temporary file: open /var/folders/bl/sr0tdr1s3wzdn0mzwkq846l9fg7039/T/296699382: is a directory
Error: plugin "secrets" exited with error

helm secrets commands swallows non-zero exit status from wrapped helm commands

When running helm commands via the helm secrets wrapper, if the underlying helm command has an error that would return a non-zero exit code, the helm secrets plugin seems to swallow it. Here are some examples. (My helm version was 2.11.0 in these examples):

$ helm install fakechart
Error: failed to download "fakechart" (hint: running `helm repo update` may help)
$ echo $?
1
$ helm secrets install fakechart
Error: failed to download "fakechart" (hint: running `helm repo update` may help)
$ echo $?
0
$ helm upgrade --install fakerelease fakechart
Error: failed to download "fakechart" (hint: running `helm repo update` may help)
$ echo $?
1
$ helm secrets upgrade --install fakerelease fakechart
Error: failed to download "fakechart" (hint: running `helm repo update` may help)
$ echo $?
0

This behavior causes scripts to not be able to detect when an error has occurred.
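This report and "upgrade doesn't expose underlying helm return code" above describe the same defect: the wrapper script ends with an unconditional exit 0. The following is an added illustration, not the plugin's own code; decrypt_file is a stand-in that copies the file instead of calling sops, and fake_helm_ok / fake_helm_fail stand in for helm.

```shell
#!/usr/bin/env bash
# Added example, not the helm-secrets plugin's own code. It contrasts the
# wrapper shape the two exit-status reports describe (an unconditional
# "exit 0" after the wrapped helm command) with one that cleans up its
# decrypted file and still hands the wrapped command's status back to CI.

# Stand-in for the plugin's sops step: writes <file>.dec beside <file>.
# Constructed for this example; the real plugin shells out to sops.
decrypt_file() {
  cp -- "$1" "$1.dec"
}

# Stand-ins for helm. The failing one echoes the error text from the report.
fake_helm_ok()   { return 0; }
fake_helm_fail() { echo 'Error: failed to download "fakechart"' >&2; return 1; }

# Buggy shape: decrypt, run, clean up, then report success no matter what.
# secrets.sh did this with "exit 0" at the end of the script; inside a
# function "return 0" plays the same role.
wrapper_buggy() {
  secrets_file="$1"; shift
  decrypt_file "$secrets_file"
  "$@" -f "$secrets_file.dec"
  rm -f -- "$secrets_file.dec"
  return 0
}

# Fixed shape: capture the wrapped command's status before the cleanup
# command overwrites $?, then return exactly that status.
wrapper_fixed() {
  secrets_file="$1"; shift
  decrypt_file "$secrets_file"
  "$@" -f "$secrets_file.dec"
  status=$?
  rm -f -- "$secrets_file.dec"
  return "$status"
}

# Runs both wrappers against a constructed secrets file and reports what
# a CI job would observe from each.
run_demo() {
  demo_file=$(mktemp)
  printf 'db_password: ENC[AES256_GCM,data:constructed-sample,type:str]\n' > "$demo_file"
  buggy=0; wrapper_buggy "$demo_file" fake_helm_fail || buggy=$?
  fixed=0; wrapper_fixed "$demo_file" fake_helm_fail || fixed=$?
  rm -f -- "$demo_file"
  echo "helm failed, but buggy wrapper returned $buggy; fixed wrapper returned $fixed"
}

run_demo
```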

helm secrets view failed for example files

I cloned repo, imported PGP keys:
gpg --import example/pgp/projectx.asc

and then tried to view secret from example:
helm secrets view example/helm_vars/projectX/production/us-east-1/java-app/secrets.yaml

Error decrypting tree: Error walking tree: Could not decrypt value: crypto/aes: invalid key size 31

Error: plugin "secrets" exited with error

Info:
#sops --version
sops 3.0.5 (latest)
#gpg --version
gpg (GnuPG) 2.2.1
libgcrypt 1.8.1
#helm version
Client: &version.Version{SemVer:"v2.7.2", GitCommit:"8478fb4fc723885b155c924d1c8c410b7a9444e6", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.8.1", GitCommit:"6af75a8fd72e2aa18a2b278cfe5c7a1c5feca7f2", GitTreeState:"clean"}

install-binary.sh will not run due to unbound variable

If you try and install in a docker container (e.g. alpine), you will get this error

docker run -it --rm alpine bash
wget -q  https://raw.githubusercontent.com/futuresimple/helm-secrets/master/install-binary.sh
chmod +x ./install-binary.sh
./install-binary.sh
bash: line 18: HELM_BIN: unbound variable

This is because the script is running with set -u.

How are others automating the installation?

test.sh: Could not load secring

Hello.

The test doesn't work. Maybe I'm doing something wrong?

➔ ./test.sh
+++ Installing helm-secrets plugin
[OK] helm-ecrets plugin installed

+++ Importing private pgp key for projectx
gpg: key AF1D073646ED4927: "helm-secrets-example-projectx <[email protected]>" not changed
gpg: key AF1D073646ED4927: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1

+++ Importing private pgp key for projectx
gpg: key 19F6A67BB1B8DDBE: "helm-secrets-example-projecty <[email protected]>" not changed
gpg: key 19F6A67BB1B8DDBE: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1

+++ Show helm_vars tree from example
example/helm_vars/
├── .sops.yaml
├── projectX
│   ├── .sops.yaml
│   ├── production
│   │   └── us-east-1
│   │       └── java-app
│   │           ├── secrets.yaml
│   │           ├── secrets.yaml.dec
│   │           └── value.yaml
│   └── sandbox
│       └── us-east-1
│           └── java-app
│               ├── secrets.yaml
│               └── value.yaml
├── projectY
│   ├── .sops.yaml
│   ├── production
│   │   └── us-east-1
│   │       └── java-app
│   │           ├── secrets.yaml
│   │           └── value.yaml
│   └── sandbox
│       └── us-east-1
│           └── java-app
│               ├── secrets.yaml
│               └── value.yaml
├── secrets.yaml
└── values.yaml

14 directories, 14 files

+++ Testing ./example/helm_vars/projectX/production/us-east-1/java-app/secrets.yaml
+++ Encrypt and Test
[OK] File properly encrypted
+++ Test if 'Already Encrypted' feature works
[OK] Already Encrypted
+++ View encrypted Test
Could not decrypt the data key with any of the master keys:
	[GPG]: 4434EA5D05F10F59D0DF7399AF1D073646ED4927:	Could not load secring: open /Users/kivagant/.gnupg/secring.gpg: no such file or directory

Error: plugin "secrets" exited with error
[OK] File decrypted and viewable
+++ Decrypt
Could not decrypt the data key with any of the master keys:
	[GPG]: 4434EA5D05F10F59D0DF7399AF1D073646ED4927:	Could not load secring: open /Users/kivagant/.gnupg/secring.gpg: no such file or directory

Error: plugin "secrets" exited with error
General error

Update:

➔ gpg --version
gpg (GnuPG) 2.1.22
libgcrypt 1.8.0
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /Users/kivagant/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2


➔ gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2019-07-31
/Users/kivagant/.gnupg/pubring.kbx
----------------------------------
pub   rsa4096 2017-05-04 [SC]
      4434EA5D05F10F59D0DF7399AF1D073646ED4927
uid         [ unknown] helm-secrets-example-projectx <[email protected]>
sub   rsa4096 2017-05-04 [E]

pub   rsa4096 2017-05-04 [SC]
      40B6FAEC80FD467E3FE9421019F6A67BB1B8DDBE
uid         [ unknown] helm-secrets-example-projecty <[email protected]>
sub   rsa4096 2017-05-04 [E]

decrypt secrets.yaml in dependent charts

Is there a way of decrypting secrets in dependent projects during install?

Suppose we had chart A, which has a dependency on chart B. Chart B has a secrets.yaml file alongside its values.yaml.

Is it possible to do helm-wrapper install in chart A and have it decrypt and use values from Chart B's secrets.yaml file? If so how to do it?

helm secrets requires tiller?

# helm plugin list
NAME   	VERSION 	DESCRIPTION
diff   	2.11.0+2	Preview helm upgrade changes as a diff
secrets	2.0.0   	This plugin provides secrets values encryption for Helm charts secure storing

helm secrets fails for me with:
Error: Get http://localhost:8080/api/v1/namespaces/kube-system/pods?labelSelector=app%3Dhelm%2Cname%3Dtiller: dial tcp 127.0.0.1:8080: connect: connection refused

I do not have tiller connection - but why is it needed for secrets?

re: docs / usage

hello - First: this is great! Thank you.

Reading & learning from your README, i wondered if it could be clearer. Specifically,

  • helm-wrapper - what exactly is this referring to? Is it part of this repo? Are you referring to the wrapper.sh script here? Is it part of helm?

  • what is the workflow for using helm secrets? i.e. how do I install a chart with a sops secret? Does it do it automagically? Do I need to decrypt first and store the output? A working example here would be nice.

With guidance, i'd love to submit a PR and improve this project.

alpine install failure

/home/helm/plugins/helm-secrets/install-binary.sh: line 38: lsb_release: command not found
Error: plugin install hook for "secrets" exited with error

`brew install sops` install sops 1.x

Howdy folks, SOPS maintainer here. Just wanted to let you know that brew install sops installs sops 1.x, the old python version, and not the more recent sops 2.x written in Go.
We don't publish MacOS binaries (yet?), so I'd recommend using go get -u go.mozilla.org/sops/cmd/sops to install 2.x on macos.

sops metadata not found

I keep getting Error loading file metadata: sops metadata not found when trying to interact with any secret files using helm-wrapper (see output below). I wonder if it is an issue with sops v3, or using GCP KMS, or if I am missing any config. Any help would be appreciated!

>   sops -v                                                                                          ---
sops 3.0.0 (latest)
------------------------------------------------------------
>   cat .sops.yaml                                                                                   ---
creation_rules:
    - gcp-kms: 'projects/my-gcp-project/locations/global/keyRings/sops/cryptoKeys/my-app'
------------------------------------------------------------
>   cat k8s/my-app/secrets.yaml                                                                                 ---
SECRET_1: ENC[AES256_GCM,data:<data>,iv:<iv>=,tag:<tag>==,type:str]
SECRET_2: ENC[AES256_GCM,data:<data>,iv:<iv>=,tag:<tag>==,type:str]
SECRET_3: ENC[AES256_GCM,data:<data>,iv:<iv>=,tag:<tag>==,type:str]
sops:
    kms: []
    gcp_kms:
    -   resource_id: projects/cz-kms/locations/global/keyRings/sops/cryptoKeys/my-app
        created_at: '2017-10-12T02:50:29Z'
        enc: <enc_data>
    lastmodified: '2017-10-12T02:50:48Z'
    mac: <enc_data>
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.0.0
------------------------------------------------------------
>   sops -d k8s/my-app/secrets.yaml                                                            ---
[GCPKMS]	 WARN[0000] Decryption succeeded                          resourceID=projects/cz-kms/locations/global/keyRings/sops/cryptoKeys/my-app
[SOPS]	 INFO[0000] Data key recovered successfully
SECRET_1: foo
SECRET_2: bar
SECRET_3: baz
------------------------------------------------------------
>   helm-wrapper secrets view k8s/my-app/secrets.yaml                                          ---

Error loading file metadata: sops metadata not found
Error: plugin "secrets" exited with error

------------------------------------------------------------

Rewrite of the plugin

Hi @szibis

I wanted to show you a rewrite I have done of helm-secrets.
https://github.com/mhyllander/helm-secrets/tree/fixes

I find the plugin idea very useful and it would have solved the problems I and my team had when starting to use kubernetes and helm. But I had some problems using it, so I started on a fork and ended up rewriting most of the plugin.

  1. There is some confusion in the current plugin whether it should decrypt template files or not. Documentation and implementation are not in sync. My design decision is that template files should not contain secrets. Secrets should only be stored in value files, by convention named "secrets.yaml" (or "secrets.*.yaml" if you need several). The decrypted files are named "secrets.dec.yaml" or "secrets.*.dec.yaml".
  2. I have included the wrapper inside the plugin, so instead of running "helm-wrapper install ...", you run "helm secrets install ...". Etc. The wrapper function does intelligent parsing of command line options.
  3. The wrapper no longer scans the chart for files to decrypt. It only decrypts value files specified with the -f and --values options on the command line (and removes the on-the-fly decrypted files after the helm command has been run).

I realize my changes are probably too much to be merged back to this repo (and maybe I haven't encountered all use cases), but I wanted to notify you about my fork in case you were interested.

Wrong SHA256 on install

Running Ubuntu 16.04 with helm 2.4.2:

$ helm plugin install https://github.com/futuresimple/helm-secrets
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 3909k  100 3909k    0     0  4078k      0 --:--:-- --:--:-- --:--:-- 4076k
Wrong SHA256

* Helm-secrets wrapper for helm binary: No /usr/local/bin/helm-wrapper installed
Installed plugin: secrets

The Wrong SHA256 and failure to install helm-wrapper seem to leave me in a broken state.

MAC mismatch

I get this error after resolving some merge conflicts:

MAC mismatch. File has 11D93911D63273D0303CE8EF2587D418739BBC928B06339768BC747D3DDA2EDF6F6B919A2091F33E5D1BECA7029F5B6F44123446118B3E8A9916F37094BCCE14, computed 24D9784D6514E9E76EBA002E2EF010930E7DAFEB86F1CA4A934519A01FF7194174D1772EE6BA0F5EC36096570D31EA8CF0FB370C0933FF608586F8E77A51303F
Error: plugin "secrets" exited with error

Please help, we cannot deploy because of this.

Quiet mode

Would be nice being able to suppress any exit 0 (non-errors) messages with a --quiet flag.

"no matching creation rules found" for helm-secrets version 2.0.0

I run helm plugin update secrets and got version 2.0.0 earlier today.

This newer version produces this error where version 1.3.1 worked fine:

$ helm secrets enc kubernetes/charts/apps/xxx/values/xxx/secrets.yaml
Encrypting kubernetes/charts/apps/xxx/values/xxx/secrets.yaml
error loading config: no matching creation rules found
Error: plugin "secrets" exited with error

I noticed there is no 2.0.0 release on Github. What's the deal?

Allow installation on Microsoft OS

Running "helm plugin install https://github.com/futuresimple/helm-secrets" on a Microsoft Windows system results in the message:
Error: symlink C:\Users\THIS.USER\.helm\cache\plugins\https-github.com-futuresimple-helm-secrets C:\Users\THIS.USER\.helm\plugins\helm-secrets: A required privilege is not held by the client.

Looking at the install.sh script, it appears to only check for Mac and Linux operating systems.

Can this be added, or will it never be possible?

Helm templates require modifications to work with helm-secrets

Awesome tool! Ran into an issue while implementing it that I thought I'd bring up. I haven't been able to find a related issue (open or closed), but feel free to close this if it's been answered before!

Helm itself allows values to be simple go templates, not enclosed in quotation marks. It actually templates them out in this way using helm create. Adding helm-secrets to an existing project with this requirement introduces a lot of unnecessary work.

I have a minimal example to show what I mean:

# templates/secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: example
  labels:    
    app: {{ include "mychart.name" . }}
    chart: {{ include "mychart.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
type: Opaque
data:
  foo: bar
$ helm lint
==> Linting .
[INFO] Chart.yaml: icon is recommended

1 chart(s) linted, no failures
$ helm secrets lint . -f templates/secrets.yaml
Not encrypted: templates/secrets.yaml
Error: failed to parse templates/secrets.yaml: error converting YAML to JSON: yaml: invalid map key: map[interface {}]interface {}{".Release.Name":interface {}(nil)}

Required to work with helm-secrets

# templates/secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: example
  labels:
    app: '{{ include "mychart.name" . }}'
    chart: '{{ include "mychart.chart" . }}'
    release: '{{ .Release.Name }}'
    heritage: '{{ .Release.Service }}'
type: Opaque
data:
  foo: bar
$ helm secrets lint . -f templates/secrets.yaml
Not encrypted: templates/secrets.yaml
==> Linting .
[INFO] Chart.yaml: icon is recommended

1 chart(s) linted, no failures

System Specs

# OS
MacOS 10.14.1 (18B75)

# Helm
Client: &version.Version{SemVer:"v2.11.0", GitCommit:"2e55dbe1fdb5fdb96b75ff144a339489417b146b", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.11.0", GitCommit:"2e55dbe1fdb5fdb96b75ff144a339489417b146b", GitTreeState:"clean"}

# Helm Plugins
NAME    VERSION DESCRIPTION
secrets 2.0.0   This plugin provides secrets values encryption for Helm charts secure storing

Helm port forwarding issue caused k8s Secret resources to contain cyphertext

I had this issue while using helm-secrets to upgrade a release today: helm/helm#3480

Immediately I noticed that the revision was completely broken. All the Secret resources contained the cyphertext inside secrets.yaml and not the decrypted values.

How is this possible? At what point in the steps that call out to helm does this plugin decrypt the secrets file? This seems like a very bad issue to have. It's more than just a false alarm on a CD system; all the secrets for a large umbrella chart were clobbered.

Cleanup upon helm error seems not working

Hi,
I've been playing with the plugin and noticed that the cleanup was not happening upon upgrade error

$ helm-wrapper upgrade my-releasev1 myrepo/mychart --install --namespace myns --values helm_vars/secrets.yaml
>>>>>> Decrypt
Decrypting helm_vars/secrets.yaml
[GCPKMS]	 WARN[0001] Decryption succeeded                          resourceID=projects/myproject/locations/global/keyRings/mykeyring/cryptoKeys/mykey
[SOPS]	 INFO[0001] Data key recovered successfully              

Error: UPGRADE FAILED: render error in "mychart/templates/secrets.yaml": template: mychart/templates/secrets.yaml:12:64: executing "mychart/templates/secrets.yaml" at <b64enc>: wrong type for value; expected string; got float64

$ ll helm_vars/*dec
-rw-rw-r-- 1 snebel snebel 220 Feb  1 17:21 helm_vars/secrets.yaml.dec

Feels to me that somehow the subshell created here
https://github.com/futuresimple/helm-secrets/blob/4b076e032e66356b6cb6258ce3d0c2cec01b7a0a/wrapper.sh#L93

is not acting as you would expect from a subshell but exits and stops the whole execution at that point.

Use secrets from within a remote chart

Native Helm supports installing a remote chart from a charts server. For example:

$ helm repo update              # Make sure we get the latest list of charts
$ helm install stable/mysql
Released smiling-penguin

This is one of the major benefits of using Helm: You can package up your charts as build artifacts, host them on a charts server, and then install them as needed.

However, with helm-secrets, I haven't found a way to remotely install a chart and use the secrets found within that chart. Here's the helm-wrapper example from the helm-secrets documentation:

AWS_PROFILE=sandbox helm-wrapper upgrade \
  helloworld \
  stable/java-app \
  --install \
  --timeout 600 \
  --wait \
  --kube-context=sandbox \
  --namespace=projectx \
  --set global.app_version=bff8fc4 \
  -f helm_vars/projectx/sandbox/us-east-1/java-app/helloworld/secrets.yaml \
  -f helm_vars/projectx/sandbox/us-east-1/java-app/helloworld/values.yaml \
  -f helm_vars/secrets.yaml \
  -f helm_vars/values.yaml

It appears to assume that the source code of the chart is available and unpacked locally. What I would expect to be able to do is perform a helm-wrapper install or upgrade of a remote chart and not specify local helm_vars files to pull secrets from, but rather implicitly or explicitly pull secrets/values from within the chart being installed.

A work-around for this gap is to first helm fetch and unpack the remote chart in question so that the source is available locally. However, this work-around simply doesn't work with multi-chart solutions like helmfile, which runs helm upgrade for multiple charts in one go, without the opportunity to intervene with a helm fetch hack.

So, any thoughts on how to support this remote install use case?

"Error no secrets found" when {values,secret}.yaml are passed in comma-separated

Passing in multiple values-files by comma-separating them works just fine in regular helm. Not so much with helm-wrapper:

$ helm-wrapper install \
  -f ./helm_vars/staging/values.yaml,./helm_vars/staging/secrets.yaml \
  ./chart
Error no secrets found. No secret files in chart or secrets files defined

Instead you have to do:

$ helm-wrapper install \
  -f ./helm_vars/staging/values.yaml -f ./helm_vars/staging/secrets.yaml \
  ./chart
>>>>>> Decrypt
Decrypting ./helm_vars/staging/secrets.yaml

NAME:   traefik
...

I'd label this a minor issue, but thought it might be worth reporting.

Support other commands

helm lint for example takes --values now, and so do other plugins. What would be the best way to add those to the wrapper?

MacOS/BSD xargs doesn't support -r

Hi,

The BSD xargs does not support -r, and as such, when using helm secrets, this issue arises:

>>>>>> Cleanup
/usr/bin/xargs: illegal option -- r
usage: xargs [-0opt] [-E eofstr] [-I replstr [-R replacements]] [-J replstr]
            [-L number] [-n number [-x]] [-P maxprocs] [-s size]
            [utility [argument ...]]
Error: plugin "secrets" exited with error

The usage of xargs is here: https://github.com/futuresimple/helm-secrets/blob/76b7f29c18a7f47885cb4a76392a2ed6b0086ec2/secrets.sh#L342
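The three problems reported above (decrypted files left behind when helm fails, comma-separated -f lists being rejected, and the BSD xargs lacking -r) share one root: how the wrapper builds its file list and cleans up. The following is an added example, not helm-secrets' own wrapper.sh or secrets.sh, showing a cleanup path that survives a failed render and needs neither `xargs -r` nor repeated -f flags. It assumes decryption is `sops -d` unless DEC_CMD is set (a hypothetical override so the example runs without sops), and that decrypted copies live beside the originals as "<file>.dec", as shown in the reports.

```shell
#!/bin/sh
# Added example, not helm-secrets' own wrapper.sh: run a helm command against
# on-the-fly decrypted value files and remove the ".dec" copies on every exit
# path, including a failed render. Assumptions: decryption is `sops -d` unless
# DEC_CMD is set (a hypothetical override so the example runs without sops);
# decrypted copies live beside the originals as "<file>.dec", as on the page.

DEC_CMD="${DEC_CMD:-sops -d}"

# Split "a.yaml,b.yaml" the way helm's own -f handling does: one path per line.
split_values_arg() {
  printf '%s\n' "$1" | tr ',' '\n'
}

# Decrypt one file to "<file>.dec"; non-zero status if decryption fails.
decrypt_file() {
  $DEC_CMD "$1" > "$1.dec"
}

# Remove "<file>.dec" for every path on stdin (one per line). A read loop is
# a no-op on empty input, so `xargs -r` (missing in BSD xargs) is not needed.
cleanup_dec_files() {
  while IFS= read -r f; do
    [ -z "$f" ] || rm -f "$f.dec"
  done
}

# run_with_secrets CMD VALUES_ARG...: each VALUES_ARG is a -f argument, repeated
# or comma-separated. Runs in a subshell so the EXIT trap fires when CMD fails,
# and CMD's own exit status is passed through to the caller.
run_with_secrets() {
  cmd="$1"; shift
  (
    files=""
    for arg in "$@"; do
      files="$files$(split_values_arg "$arg")
"
    done
    trap 'printf "%s" "$files" | cleanup_dec_files' EXIT
    set --                                  # rebuild argv as -f <file>.dec ...
    while IFS= read -r f; do
      [ -n "$f" ] || continue
      decrypt_file "$f" || exit 1
      set -- "$@" -f "$f.dec"
    done <<EOF
$files
EOF
    $cmd "$@"
  )
}
```

A real invocation would be `run_with_secrets "helm upgrade --install myrel mychart" helm_vars/values.yaml,helm_vars/secrets.yaml`; the .dec files are gone afterwards whether or not the upgrade succeeded.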

Decrypt secrets file to stdout

Would be nice to be able to run helm secrets dec ./path/to/secrets.yaml without it cluttering secrets in one's project structure. Actually I'd go as far as to say that this should be the default. Would make it less likely that someone in the organization accidentally commits decrypted secrets.

Suggested API

To stdout:

helm secrets dec ./path/to/secrets.yaml

To file (current behavior):

helm secrets dec --save ./path/to/secrets.yaml
helm secrets dec -s ./path/to/secrets.yaml

"getopt --test" failed in this environment.

ENV:
MacOS 10.14.
Helm 2.11

prepare:

$ helm plugin install https://github.com/futuresimple/helm-secret
$ brew install gnu-getopt
$ brew reinstall gnu-getopt # just for sure

issue:

$ helm secrets help
I'm sorry, "getopt --test" failed in this environment.

You may need to install enhanced getopt, e.g. on OSX using
"brew install gnu-getopt".
Error: plugin "secrets" exited with error
$ getopt --test && echo $?
0

I have no idea what is going wrong, can you give me any idea?

Thank you!

installation is too distro specific and needs sudo

I tried to install helm-secrets and not sure if this is helm-secrets issue or helm issue... I am running Arch Linux and helm 2.8.0.

First, I had to set up --version because of this.

then I didn't have lsb-release:

$ helm plugin install https://github.com/futuresimple/helm-secrets --version v1.2.8 --debug                                                                                                            
[debug] updating https://github.com/futuresimple/helm-secrets
[debug] setting version to "v1.2.8"
[debug] symlinking /home/dan/.helm/cache/plugins/https-github.com-futuresimple-helm-secrets to /home/dan/.helm/plugins/helm-secrets
[debug] loading plugin from /home/dan/.helm/plugins/helm-secrets
[debug] running install hook: &{/usr/bin/sh [sh -c $HELM_PLUGIN_DIR/install-binary.sh] []  <nil> <nil> <nil> [] %!s(*syscall.SysProcAttr=<nil>) %!s(*os.Process=<nil>) <nil> <nil> <nil> %!s(bool=false) [] [] [] [] %!s(chan error=<nil>) %!s(chan struct {}=<nil>)}
/home/dan/.helm/plugins/helm-secrets/install-binary.sh: line 38: lsb_release: command not found
Error: plugin install hook for "secrets" exited with error

Installing lsb-release helped. It should be clearly defined in the README that it is a dependency.

Then, I ended up with this issue:

$ helm plugin install https://github.com/futuresimple/helm-secrets --version v1.2.8 --debug                                                                                                 
[debug] updating https://github.com/futuresimple/helm-secrets
[debug] setting version to "v1.2.8"
[debug] symlinking /home/dan/.helm/cache/plugins/https-github.com-futuresimple-helm-secrets to /home/dan/.helm/plugins/helm-secrets
[debug] loading plugin from /home/dan/.helm/plugins/helm-secrets
[debug] running install hook: &{/usr/bin/sh [sh -c $HELM_PLUGIN_DIR/install-binary.sh] []  <nil> <nil> <nil> [] %!s(*syscall.SysProcAttr=<nil>) %!s(*os.Process=<nil>) <nil> <nil> <nil> %!s(bool=false) [] [] [] [] %!s(chan error=<nil>) %!s(chan struct {}=<nil>)}
which: no dpkg in (/home/dan/.local/opt/miniconda/bin:/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl)
Sorry only installation via dpkg (aka Debian distros) is currently supported

* Helm-secrets wrapper for helm binary: ln: failed to create symbolic link '/usr/bin/helm-wrapper': Permission denied
Error: plugin install hook for "secrets" exited with error

Furthermore, it shows that it got installed:

NAME   	VERSION	DESCRIPTION                                                                  
secrets	1.2.8  	This plugin provides secrets values encryption for Helm charts secure storing

but I doubt it will be working, since sops isn't installed. Shouldn't this rather be a pre-install hook? And the permission error is at least partly because of this, which usually resolves to /usr/bin/, which is a terrible thing to do for custom scripts.

Why not just let everyone install sops using their package manager?

Allow an editor other than vim: use the $EDITOR value

Please allow the use of a custom text editor, preferably taken from the $EDITOR variable. It seems that sops can do that already, but the condition checking for vim prevents it:

if ! type "vim" > /dev/null; then
  echo "Command like 'vim' must be installed to edit before re-encrypt"
  exit 1
fi
