jkroepke / Helm Secrets
Programming Languages
Labels
Projects that are alternatives of or similar to Helm Secrets
helm-secrets
This is a fork of futuresimple/helm-secrets or zendesk/helm-secrets?
Yes. This repository is a fork of zendesk/helm-secrets (base commit edffea3c94c9ed70891f838b3d881d3578f2599f).
This original helm-secrets project gets abandoned and officially deprecated. I used this projects on my customer projects, and I also want to learn how unit tests for a shell language works.
In meanwhile, this project is officially listed on the community projects side at the helm documentation.
Usage
Decrypt secrets via plugin command
Wraps the whole helm command. Slow on multiple value files.
helm secrets upgrade name . -f secrets.yaml
Decrypt secrets via protocol handler
Run decrypted command on specific value files.
helm upgrade name . -f secrets://secrets.yaml
See: USAGE.md for more information
Installation and Dependencies
SOPS
Just install the plugin using helm plugin install https://github.com/jkroepke/helm-secrets and sops will be installed if possible as part of it.
You can always install manually in MacOS as below:
brew install sops
For Linux RPM or DEB, sops is available here: Dist Packages
For Windows, you cloud install sops separate to mange secrets. This plugin doesn't support Windows yet. See: #7
Override version of sops
By override SOPS_VERSION, you could install a custom sops version of sops.
SOPS_VERSION=v3.6.0 SOPS_LINUX_SHA=610fca9687d1326ef2e1a66699a740f5dbd5ac8130190275959da737ec52f096 helm plugin install https://github.com/jkroepke/helm-secrets
Skip sops installation
It's possible to skip the automatic sops installation by defining SKIP_SOPS_INSTALL=true on the helm plugin install command, e.g:
SKIP_SOPS_INSTALL=true helm plugin install https://github.com/jkroepke/helm-secrets
Hashicorp Vault
If you use Vault with helm-secret, the vault CLI is needed.
You can always install it manually in MacOS as below:
brew install vault
Download: https://www.vaultproject.io/downloads
SOPS git diff
Git config part is installed with the plugin, but to be fully functional the following needs to be added to the .gitattributes file in the root directory of a charts repo:
secrets.yaml diff=sopsdiffer
secrets.*.yaml diff=sopsdiffer
More info on sops page
By default, helm plugin install does this for you.
Using Helm plugin manager
# Install a specific version (recommend)
helm plugin install https://github.com/jkroepke/helm-secrets --version v3.5.0
# Install latest unstable version from main branch
helm plugin install https://github.com/jkroepke/helm-secrets
Find the latest version here: https://github.com/jkroepke/helm-secrets/releases
Manual installation
Latest version
# Windows (inside cmd, needs to be verified)
curl -LsSf https://github.com/jkroepke/helm-secrets/releases/latest/download/helm-secrets.tar.gz | tar -C "%APPDATA%\helm\plugins" -xzf-
# MacOS / Linux
curl -LsSf https://github.com/jkroepke/helm-secrets/releases/latest/download/helm-secrets.tar.gz | tar -C "$(helm env HELM_PLUGINS)" -xzf-
Specific version
# Windows (inside cmd, needs to be verified)
curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.5.0/helm-secrets.tar.gz | tar -C "%APPDATA%\helm\plugins" -xzf-
# MacOS / Linux
curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.5.0/helm-secrets.tar.gz | tar -C "$(helm env HELM_PLUGINS)" -xzf-
Installation on Helm 2
Helm 2 doesn't support downloader plugins. Since unknown keys in plugin.yaml are fatal, then plugin installation need special handling.
Error on Helm 2 installation:
# helm plugin install https://github.com/jkroepke/helm-secrets
Error: yaml: unmarshal errors:
line 12: field platformCommand not found in type plugin.Metadata
Workaround:
- Install helm-secrets via manual installation, but extract inside helm2 plugin directory e.g.:
$(helm home)/plugins/ - Strip
platformCommandfromplugin.yamllike:sed -i '/platformCommand:/,+2 d' "${HELM_HOME:-"${HOME}/.helm"}/plugins/helm-secrets*/plugin.yaml" - Done
Client here for an example!
Change secret driver
It's possible to use another secret driver then sops, e.g. Hasicorp Vault.
Start by a copy of sops driver and adjust to your own needs.
The custom driver can be load via HELM_SECRETS_DRIVER parameter or -d option (higher preference):
# Example for in-tree drivers via option
helm secrets -d sops view ./tests/assets/helm_vars/secrets.yaml
# Example for in-tree drivers via environment variable
HELM_SECRETS_DRIVER=vault helm secrets view ./tests/assets/helm_vars/secrets.yaml
# Example for out-of-tree drivers
helm secrets -d ./path/to/driver.sh view ./tests/assets/helm_vars/secrets.yaml
Pull Requests are much appreciated.
The driver option is a global one. A file level switch isn't supported yet.
Pass additional arguments to secret driver
helm secrets -a "--verbose" view ./tests/assets/helm_vars/secrets.yaml
results into:
[PGP] INFO[0000] Decryption succeeded fingerprint=D6174A02027050E59C711075B430C4E58E2BBBA3
[SOPS] INFO[0000] Data key recovered successfully
[SOPS] DEBU[0000] Decrypting tree
[helm-secrets] Decrypt: tests/assets/values/sops/secrets.yaml
==> Linting examples/sops
[INFO] Chart.yaml: icon is recommended
1 chart(s) linted, 0 chart(s) failed
[helm-secrets] Removed: tests/assets/values/sops/secrets.yaml.dec
Main features
The current version of this plugin using mozilla/sops by default as backend.
Hashicorp Vault is supported as secret source since v3.2.0, too. In addition, sops support vault since v3.6.0 natively.
What kind of problems this plugin solves:
- Simple replaceable layer integrated with helm command for encrypting, decrypting, view secrets files stored in any place.
- On the fly decryption and cleanup for helm install/upgrade with a helm command wrapper
If you are using sops (used by default) you have some additional features:
- Support for YAML/JSON structures encryption - Helm YAML secrets files
- Encryption per value where visual Diff should work even on encrypted files
- On the fly decryption for git diff
- Multiple key management solutions like PGP, AWS KMS and GCP KMS at same time
- Simple adding/removing keys
- With AWS KMS permissions management for keys
- Secrets files directory tree separation with recursive .sops.yaml files search
- Extracting sub-elements from encrypted file structure
- Encrypt only part of a file if needed. Example encrypted file
An additional documentation, resources and examples can be found here.
ArgoCD support
helm-secrets could detect an ArgoCD environment by the ARGOCD_APP_NAME environment variable. If detected, HELM_SECRETS_QUIET is set to true.
Moving parts of project
-
scripts/install.sh- Script used as the hook to download and install sops and install git diff configuration for helm-secrets files. -
scripts/run.sh- Main helm-secrets plugin code for all helm-secrets plugin actions available inhelm secrets helpafter plugin install -
scripts/drivers- Location of the in-tree secrets drivers -
scripts/commands- Sub Commands ofhelm secretsare defined here. -
scripts/lib- Common functions used byhelm secrets. -
scripts/wrapper- Wrapper scripts for Windows systems. -
tests- Test scripts to check if all parts of the plugin work. Using test assets with PGP keys to make real tests on real data with real encryption/decryption. Seetests/README.mdfor more informations. -
examples- Some example secrets.yaml
Copyright and license
© 2020-2021 Jan-Otto Kröpke (jkroepke)
© 2017-2020 Zendesk
Licensed under the Apache License, Version 2.0