The current version of this plugin uses mozilla/sops as its default backend.
HashiCorp Vault has also been supported as a secret source since v3.2.0. In addition, sops has supported Vault natively since v3.6.0.
What kind of problems this plugin solves:
- Simple replaceable layer integrated with the helm command for encrypting, decrypting and viewing secrets files stored in any place.
- On the fly decryption and cleanup for helm install/upgrade with a helm command wrapper
If you are using sops (used by default) you have some additional features:
- Support for YAML/JSON structures encryption - Helm YAML secrets files
- Encryption per value where visual Diff should work even on encrypted files
- On the fly decryption for git diff
- Multiple key management solutions like PGP, AWS KMS and GCP KMS at the same time
- Simple adding/removing keys
- With AWS KMS permissions management for keys
- Secrets files directory tree separation with recursive .sops.yaml files search
- Extracting sub-elements from encrypted file structure
- Encrypt only part of a file if needed. Example encrypted file
Additional documentation, resources and examples can be found here.
Yes. This repository is a fork of zendesk/helm-secrets (base commit edffea3c94c9ed70891f838b3d881d3578f2599f).
The original helm-secrets project was abandoned. I used this project on my customer projects, and I also want to learn how unit tests for a shell language work.
In the meantime, this project has been officially listed on the community projects page of the helm documentation.
- scripts/install.sh - Script used as the hook to download and install sops and install git diff configuration for helm-secrets files.
- scripts/run.sh - Main helm-secrets plugin code for all helm-secrets plugin actions available in helm secrets help after plugin install
- scripts/drivers - Location of the in-tree secrets drivers
- scripts/commands - Sub Commands of helm secrets are defined here.
- tests - Test scripts to check if all parts of the plugin work. Using test assets with PGP keys to make real tests on real data with real encryption/decryption. See tests/README.md for more information.
- examples - Some example secrets.yaml
Just install the plugin using helm plugin install https://github.com/jkroepke/helm-secrets and sops will be installed if possible as part of it.
You can always install manually on macOS as below:
brew install sops
For Linux RPM or DEB, sops is available here: Dist Packages
For Windows, you could install sops separately to manage secrets. This plugin doesn't support Windows yet. See: #7
By overriding SOPS_VERSION, you can install a custom version of sops.
SOPS_VERSION=v3.6.0 SOPS_LINUX_SHA=610fca9687d1326ef2e1a66699a740f5dbd5ac8130190275959da737ec52f096 helm plugin install https://github.com/jkroepke/helm-secrets
It's possible to skip the automatic sops installation by defining SKIP_SOPS_INSTALL=true on the helm plugin install command, e.g.:
SKIP_SOPS_INSTALL=true helm plugin install https://github.com/jkroepke/helm-secrets
If you use vault with helm-secrets, the vault CLI is needed.
You can always install manually on macOS as below:
brew install vault
Download: https://www.vaultproject.io/downloads
The git config part is installed with the plugin, but to be fully functional the following needs to be added to the .gitattributes file in the root directory of a charts repo:
secrets.yaml diff=sopsdiffer
secrets.*.yaml diff=sopsdiffer
More info on sops page
By default, helm plugin install does this for you.
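A repository-side check that complements the .gitattributes patterns above, as an added example that is not part of helm-secrets: it lists files named secrets.yaml or secrets.*.yaml that carry no sops metadata, so a plaintext file is caught before it is committed. The function names and the sample tree are constructed for illustration, and the detection assumes the top-level sops: block with an ENC[...] mac that sops writes into encrypted YAML.

```shell
#!/bin/sh
# Added example, not helm-secrets code. Assumption: a sops-encrypted YAML file
# has a top-level "sops:" key whose "mac:" field is an ENC[...] value.

# Exit 0 if FILE carries sops metadata, non-zero otherwise.
is_sops_encrypted() {
    grep -q '^sops:' "$1" && grep -Eq '^[[:space:]]+mac: ENC\[' "$1"
}

# Print every secrets.yaml / secrets.*.yaml under DIR that is still plaintext.
find_plaintext_secrets() {
    find "$1" -type f \( -name 'secrets.yaml' -o -name 'secrets.*.yaml' \) |
        sort |
        while IFS= read -r f; do
            is_sops_encrypted "$f" || printf '%s\n' "$f"
        done
}

# Return 1 (and list the files on stderr) if any matching file is plaintext.
check_secrets() {
    leaked=$(find_plaintext_secrets "$1")
    [ -z "$leaked" ] && return 0
    printf 'not sops-encrypted:\n%s\n' "$leaked" >&2
    return 1
}

# Build a constructed sample tree: one encrypted-looking file, one plaintext.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/helm_vars/dev"
    cat > "$dir/helm_vars/secrets.yaml" <<'EOF'
db_password: ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]
sops:
    mac: ENC[AES256_GCM,data:cXV4,iv:YmFy,tag:YmF6,type:str]
    version: 3.6.0
EOF
    printf 'db_password: example-plaintext\n' > "$dir/helm_vars/dev/secrets.dev.yaml"
    printf 'replicas: 2\n' > "$dir/helm_vars/dev/values.yaml"
    printf '%s\n' "$dir"
}

sample=$(make_sample_tree)
check_secrets "$sample" || echo "commit would be rejected"
rm -rf "$sample"
```

Calling check_secrets on the chart repository root from a pre-commit hook or CI job turns its non-zero exit status into a rejected commit or failed build.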
# Install a specific version (recommended)
helm plugin install https://github.com/jkroepke/helm-secrets --version v3.3.0
# Install latest unstable version from master branch
helm plugin install https://github.com/jkroepke/helm-secrets
Find the latest version here: https://github.com/jkroepke/helm-secrets/releases
# Windows (inside cmd, needs to be verified)
curl -LsSf https://github.com/jkroepke/helm-secrets/releases/latest/download/helm-secrets.tar.gz | tar -C "%APPDATA%\helm\plugins" -xzf-
# MacOS
curl -LsSf https://github.com/jkroepke/helm-secrets/releases/latest/download/helm-secrets.tar.gz | tar -C "$HOME/Library/helm/plugins" -xzf-
# Linux
curl -LsSf https://github.com/jkroepke/helm-secrets/releases/latest/download/helm-secrets.tar.gz | tar -C "$HOME/.local/share/helm/plugins" -xzf-
# Windows (inside cmd, needs to be verified)
curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.3.4/helm-secrets.tar.gz | tar -C "%APPDATA%\helm\plugins" -xzf-
# MacOS
curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.3.4/helm-secrets.tar.gz | tar -C "$HOME/Library/helm/plugins" -xzf-
# Linux
curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.3.4/helm-secrets.tar.gz | tar -C "$HOME/.local/share/helm/plugins" -xzf-
It's possible to use a secret driver other than sops, e.g. HashiCorp Vault.
Start with a copy of the sops driver and adjust it to your own needs.
The custom driver can be loaded via the SECRET_DRIVER parameter or the -d option (higher precedence):
# Example for in-tree drivers via option
helm secrets -d sops view ./tests/assets/helm_vars/secrets.yaml
# Example for in-tree drivers via environment variable
SECRET_DRIVER=vault helm secrets view ./tests/assets/helm_vars/secrets.yaml
# Example for out-of-tree drivers
helm secrets -d ./path/to/driver.sh view ./tests/assets/helm_vars/secrets.yaml
Pull Requests are much appreciated.
The driver option is a global one. A file level switch isn't supported yet.
© 2020 Jan-Otto Kröpke (jkroepke)
© 2017-2020 Zendesk
Licensed under the Apache License, Version 2.0