Skip to content
Store secrets for Helm deployments in Hashicorp Vault
Python
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.github
docs
src
tests
.gitignore
.gitlab-ci.yml
CODE_OF_CONDUCT.md
LICENSE
README.md
plugin.yaml
requirements.txt
setup.py

README.md

License Current Release Production Ready GitHub issues GitHub pull requests Total alerts Language grade: Python Build Status

Helm-Vault

Helm-Vault stores private data from YAML files in Hashicorp Vault. Helm-Vault should be used if you want to publicize your YAML configuration files, without worrying about leaking secret information.

Table of Contents

  1. About the Project
  2. Project Status
  3. Getting Started
    1. Dependencies
    2. Installation
    3. Usage and Examples
  4. Release Process
    1. Versioning
  5. How to Get Help
  6. Further Reading
  7. Contributing
  8. License
  9. Authors
  10. Acknowledgements

About the Project

Helm-Vault supports the following features:

  • Encrypt YAML files
  • Decrypt YAML files
  • View decrypted YAML files
  • Edit decrypted YAML files
  • Clean up decrypted YAML files
  • Helm Wrapper, automatically decrypts and cleans up during helm commands
    • Install
    • Upgrade
    • Template
    • Lint
    • Diff

Helm-Vault was created to provide a better way to manage secrets for Helm, with the ability to take existing public Helm Charts, and with minimal modification, provide a way to have production data that is not stored in a public location.

$ helm vault enc values.yaml
Input a value for /mariadb/db/password:
Input a value for /nextcloud/password:

Back to top

Project Status

Build Status:

Build Status

Helm-Vault is in an pre-production state currently. It should work across platforms, and should be able to handle most YAML thrown at it, but it is missing some features.

Back to top

Getting Started

To get started with Helm-Vault, follow these steps:

  1. Clone the repository to your machine

  2. Install the requirements

    pip3 install -r requirements.txt

  3. Test it out! This will test out encrypting an example YAML file

    ./src/vault.py enc ./tests/test.yaml

Dependencies

  • Python 3.7+
  • pip3
  • Working Hashicorp Vault environment
  • Hashicorp Vault token
  • Environment Variables for Vault
    • VAULT_ADDR: The HTTP Address of Vault
    • VAULT_TOKEN: The token for accessing Vault

Getting the Source

This project is hosted on GitHub. You can clone this project directly using this command:

git clone git@github.com:Justin-Tech/helm-vault.git

Running Tests

Helm-Vault has built-in unit tests using pytest, you can run them with the command below:

pip3 install -r ./tests/requirements.txt
python3 -m pytest

Other Tests

Unittesting and integration testing is automatically run on Gitlab per commit.

Additionally, code quality checking is handled by LGTM.com

Both of these checks must pass before PRs will be merged.

Installation

Using Helm plugin manager (> 2.3.x)

pip3 install git+https://github.com/Just-Insane/helm-vault
helm plugin install https://github.com/Just-Insane/helm-vault

Usage and Examples

$ helm vault --help
usage: vault.py [-h] {enc,dec,clean,view,edit} ...

Store secrets from Helm in Vault

Requirements:

Environment Variables:

VAULT_ADDR:     (The HTTP address of Vault, for example, http://localhost:8200)
VAULT_TOKEN:    (The token used to authenticate with Vault)

positional arguments:
  {enc,dec,clean,view,edit}
    enc                 Parse a YAML file and store user entered data in Vault
    dec                 Parse a YAML file and retrieve values from Vault
    clean               Remove decrypted files (in the current directory)
    view                View decrypted YAML file
    edit                Edit decrypted YAML file. DOES NOT CLEAN UP AUTOMATICALLY.

optional arguments:
  -h, --help            show this help message and exit

Any YAML file can be transparently "encrypted" as long as it has a deliminator for secret values.

Decrypted files have the suffix ".yaml.dec" by default

Basic commands:

  enc           Encrypt file
  dec           Decrypt file
  view          Print decrypted file
  edit          Edit file (decrypt before, manual cleanup)
  clean         Delete *.yaml.dec files in directory (recursively)

Each of these commands have their own help, referenced by helm vault {enc,dec,clean,view,edit} --help.

Usage examples

Encrypt

The encrypt operation encrypts a values.yaml file and saves the encrypted values in Vault:

$ helm vault enc values.yaml
Input a value for /nextcloud/password: asdf1
Input a value for /mariadb/db/password: asdf2

Decrypt

The decrypt operation decrypts a values.yaml file and saves the decrypted result in values.yaml.dec:

$ helm vault dec values.yaml

The values.yaml.dec file:

...
nextcloud:
  host: nextcloud.example.com
  username: admin
  password: asdf1
...
mariadb:
parameters
  enabled: true

  db:
    name: nextcloud
    user: nextcloud
    password: asdf2
...

View

The view operation decrypts values.yaml and prints it to stdout:

$ helm vault view values.yaml

Edit

The edit operation will decrypt the values.yaml file and open it in an editor.

$ helm vault edit values.yaml

This will read a value from $EDITOR, or be specified with the -e, --editor option, or will choose a default of vi for Linux/MacOS, and notepad for Windows.

Note: This will save a .dec file that is not automatically cleaned up.

Clean

The operation will delete all decrypted files in a directory:

$ helm vault clean

Wrapper Examples

Install

The operation wraps the default helm install command, automatically decrypting the -f values.yaml file and then cleaning up afterwards.

$ helm vault install stable/nextcloud --name nextcloud --namespace nextcloud -f values.yaml

Specifically, this command will do the following:

  1. Run helm install with the following options:
  2. stable/nextcloud - the chart to install
  3. --name nextcloud - the Helm release name will be nextcloud
  4. --namespace nextcloud - Nextcloud will run in the nextcloud namespace on Kubernetes
  5. -f values.yaml - the (encrypted) values file to use

Template

The operation wraps the default helm template command, automatically decrypting the -f values.yaml file and then cleaning up afterwards.

$ helm vault template ./nextcloud --name nextcloud --namespace nextcloud -f values.yaml
  1. Run helm template with the following options:
  2. ./nextcloud - the chart to template
  3. --name nextcloud - the Helm release name will be nextcloud
  4. --namespace nextcloud - Nextcloud will run in the nextcloud namespace on Kubernetes
  5. -f values.yaml - the (encrypted) values file to use

Upgrade

The operation wraps the default helm upgrade command, automatically decrypting the -f values.yaml file and then cleaning up afterwards.

$ helm vault upgrade nextcloud stable/nextcloud -f values.yaml
  1. Run helm upgrade with the following options:
  2. nextcloud - the Helm release name
  3. stable/nextcloud - the chart path
  4. -f values.yaml - the (encrypted) values file to use

Lint

The operation wraps the default helm lint command, automatically decrypting the -f values.yaml file and then cleaning up afterwards.

$ helm vault lint nextcloud -f values.yaml
  1. Run helm upgrade with the following options:
  2. nextcloud - the Helm release name
  3. -f values.yaml - the (encrypted) values file to use

Diff

The operation wraps the helm diff command (diff is another Helm plugin), automatically decrypting the -f values.yaml file and then cleaning up afterwards.

$ helm vault diff upgrade nextcloud stable/nextcloud -f values.yaml
  1. Run helm diff upgrade with the following options:
  2. nextcloud - the Helm release name
  3. stable/nextcloud - the Helm chart
  4. -f values.yaml - the (encrypted) values file to use

Back to top

Release Process

Releases are made for new features, and bugfixes.

To get a new release, run the following:

helm plugin upgrade vault

Versioning

This project uses Semantic Versioning. For a list of available versions, see the repository tag list.

Back to top

How to Get Help

If you need help or have questions, please open an issue with the question label.

Contributing

We encourage public contributions! Please review CONTRIBUTING.md for details on our code of conduct and development process.

Back to top

Further Reading

Helm Hashicorp Vault

Back to top

License

Copyright (c) 2019 Justin Gauthier

This project is licensed under GPLv3 - see LICENSE.md file for details.

Back to top

Authors

Back to top

Acknowledgments

The idea for this project comes from Helm-Secrets

Special thanks to the Python Discord server.

Back to top

You can’t perform that action at this time.