Yes. This repository is a fork of zendesk/helm-secrets (base commit edffea3c94c9ed70891f838b3d881d3578f2599f).

The original helm-secrets project was abandoned and officially deprecated. I used this project on my customer projects, and I also wanted to learn how unit tests for a shell language work.

In the meantime, this project is officially listed on the community projects page of the Helm documentation.
Wrap the whole helm command (slow on multiple value files):

```sh
helm secrets upgrade name . -f secrets.yaml
```

Run the decryption command on specific value files only:

```sh
helm upgrade name . -f secrets://secrets.yaml
```

See USAGE.md for more information.
Just install the plugin using

```sh
helm plugin install https://github.com/jkroepke/helm-secrets
```

and sops will be installed as part of it, if possible.

You can always install it manually on macOS as below:

```sh
brew install sops
```

For Linux RPM or DEB, sops is available here: Dist Packages

For Windows, you could install sops separately to manage secrets. This plugin doesn't support Windows yet. See: #7
By overriding `SOPS_VERSION`, you can install a custom sops version:

```sh
SOPS_VERSION=v3.6.0 SOPS_LINUX_SHA=610fca9687d1326ef2e1a66699a740f5dbd5ac8130190275959da737ec52f096 helm plugin install https://github.com/jkroepke/helm-secrets
```
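Pinning `SOPS_VERSION` together with `SOPS_LINUX_SHA` only helps if the downloaded binary is actually compared against that digest before it is installed. The following is an added example of such a check, not code from helm-secrets or its install hook: it downloads to a temporary file, verifies the SHA-256, and installs the binary only on a match; the function names, the fallback digest tools and the sops release URL pattern in the usage comment are assumptions.

```sh
# Added example (not helm-secrets' own code): verify a downloaded sops binary against a
# pinned SHA-256 before installing it, which is the check SOPS_LINUX_SHA is meant for.

# sha256_of FILE -> prints the hex digest using whichever tool is available.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d ' ' -f1
  else
    openssl dgst -sha256 "$1" | sed 's/^.* //'
  fi
}

# verify_sha256 FILE EXPECTED -> returns 0 if the digest matches (case-insensitive), 1 otherwise.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "checksum mismatch for $file: expected $expected, got $actual" >&2
  return 1
}

# install_pinned_sops URL EXPECTED_SHA DEST -> download, verify, then install; the
# unverified download is deleted on any failure so it can never be run by accident.
install_pinned_sops() {
  url=$1; expected=$2; dest=$3
  tmp=$(mktemp)
  curl -LsSf "$url" -o "$tmp" || { rm -f "$tmp"; return 1; }
  if verify_sha256 "$tmp" "$expected"; then
    install -m 0755 "$tmp" "$dest"
    rm -f "$tmp"
    return 0
  fi
  rm -f "$tmp"
  return 1
}

# Usage (version and digest taken from the README command above; the release URL pattern
# is an assumption, check it against the sops release page for the pinned version):
# install_pinned_sops "https://github.com/mozilla/sops/releases/download/v3.6.0/sops-v3.6.0.linux" \
#   610fca9687d1326ef2e1a66699a740f5dbd5ac8130190275959da737ec52f096 /usr/local/bin/sops
```

The same `verify_sha256` helper works for any pinned artifact; the important property is that a mismatch removes the file instead of leaving it on disk.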
It's possible to skip the automatic sops installation by defining `SKIP_SOPS_INSTALL=true` on the `helm plugin install` command, e.g.:

```sh
SKIP_SOPS_INSTALL=true helm plugin install https://github.com/jkroepke/helm-secrets
```
If you use Vault with helm-secrets, the vault CLI is needed.

You can always install it manually on macOS as below:

```sh
brew install vault
```

Download: https://www.vaultproject.io/downloads
The git config part is installed with the plugin, but to be fully functional the following needs to be added to the .gitattributes file in the root directory of a charts repo:

```
secrets.yaml diff=sopsdiffer
secrets.*.yaml diff=sopsdiffer
```

More info on the sops page.

By default, `helm plugin install` does this for you.
```sh
# Install a specific version (recommended)
helm plugin install https://github.com/jkroepke/helm-secrets --version v3.4.0

# Install latest unstable version from master branch
helm plugin install https://github.com/jkroepke/helm-secrets
```

Find the latest version here: https://github.com/jkroepke/helm-secrets/releases

```sh
# Windows (inside cmd, needs to be verified)
curl -LsSf https://github.com/jkroepke/helm-secrets/releases/latest/download/helm-secrets.tar.gz | tar -C "%APPDATA%\helm\plugins" -xzf-

# MacOS / Linux
curl -LsSf https://github.com/jkroepke/helm-secrets/releases/latest/download/helm-secrets.tar.gz | tar -C "$(helm env HELM_PLUGINS)" -xzf-
```

```sh
# Windows (inside cmd, needs to be verified)
curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.4.0/helm-secrets.tar.gz | tar -C "%APPDATA%\helm\plugins" -xzf-

# MacOS / Linux
curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.4.0/helm-secrets.tar.gz | tar -C "$(helm env HELM_PLUGINS)" -xzf-
```
Helm 2 doesn't support downloader plugins. Since unknown keys in plugin.yaml are fatal, the plugin installation needs special handling.

Error on Helm 2 installation:

```
# helm plugin install https://github.com/jkroepke/helm-secrets
Error: yaml: unmarshal errors:
  line 12: field platformCommand not found in type plugin.Metadata
```

Workaround:

- Install helm-secrets via manual installation, but extract it inside the Helm 2 plugin directory, e.g. `$(helm home)/plugins/`
- Strip `platformCommand` from `plugin.yaml`, like: `sed -i '/platformCommand:/,+2 d' "${HELM_HOME:-"${HOME}/.helm"}/plugins/helm-secrets*/plugin.yaml"`
- Done

Click here for an example!
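The `sed` one-liner in the workaround relies on the `addr,+N` address form, which is a GNU sed extension, and it silently assumes the `platformCommand` block is exactly three lines long. Below is an added example, not part of helm-secrets, that does the same job portably with awk: it drops the top-level `platformCommand:` key and every more-indented line that follows it, and keeps a `.bak` copy of the original. The function names and the sample plugin.yaml used in the comments are constructed for this example.

```sh
# Added example (not helm-secrets' own code): remove the platformCommand block from
# plugin.yaml so Helm 2 can parse the file.

# strip_platform_command IN OUT -> writes IN without its platformCommand block to OUT.
# The block is the top-level key line plus every following line indented deeper than it.
strip_platform_command() {
  awk '
    /^platformCommand:/ { skip = 1; next }   # top-level key starts the block
    skip && /^[[:space:]]/ { next }          # indented continuation belongs to the block
    { skip = 0; print }                      # any other line ends the block and is kept
  ' "$1" > "$2"
}

# fix_helm2_plugin PLUGIN_DIR -> patches PLUGIN_DIR/plugin.yaml in place, keeping plugin.yaml.bak.
fix_helm2_plugin() {
  yaml="$1/plugin.yaml"
  [ -f "$yaml" ] || { echo "no plugin.yaml in $1" >&2; return 1; }
  cp "$yaml" "$yaml.bak"
  strip_platform_command "$yaml.bak" "$yaml"
}

# has_platform_command FILE -> returns 0 if the key is still present, 1 otherwise.
has_platform_command() {
  grep -q '^platformCommand:' "$1"
}

# Usage against a Helm 2 plugin directory (path as in the workaround above):
# for dir in "${HELM_HOME:-"${HOME}/.helm"}"/plugins/helm-secrets*; do fix_helm2_plugin "$dir"; done
```

After patching, `helm plugin list` on Helm 2 should show the plugin; if it still fails, diff `plugin.yaml` against `plugin.yaml.bak` to see exactly which lines were removed.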
It's possible to use another secret driver than sops, e.g. HashiCorp Vault. Start from a copy of the sops driver and adjust it to your own needs.

The custom driver can be loaded via the `SECRET_DRIVER` environment variable or the `-d` option (higher preference):

```sh
# Example for in-tree drivers via option
helm secrets -d sops view ./tests/assets/helm_vars/secrets.yaml

# Example for in-tree drivers via environment variable
SECRET_DRIVER=vault helm secrets view ./tests/assets/helm_vars/secrets.yaml

# Example for out-of-tree drivers
helm secrets -d ./path/to/driver.sh view ./tests/assets/helm_vars/secrets.yaml
```

Pull Requests are much appreciated.

The driver option is a global one. A file-level switch isn't supported yet.
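To make the precedence and the two driver kinds concrete, here is an added example of a resolver, not the plugin's own code from scripts/run.sh: the `-d` value wins over `SECRET_DRIVER`, which wins over the `sops` default; a value containing a slash is treated as an out-of-tree path, anything else as an in-tree driver name under `scripts/drivers/`. The helper name, the `HELM_PLUGIN_DIR`-relative layout and the existence checks are assumptions made for this example.

```sh
# Added example (not helm-secrets' own code): resolve which driver script to source.
# Because an out-of-tree driver is executed with the caller's privileges, the resolver
# refuses anything that is not an existing regular file.

# resolve_driver [OPT_DRIVER] -> prints the driver script path, or fails if it cannot be found.
resolve_driver() {
  driver=${1:-${SECRET_DRIVER:-sops}}   # -d option > SECRET_DRIVER > default "sops"
  case $driver in
    */*) script=$driver ;;                                                 # out-of-tree: explicit path
    *)   script="${HELM_PLUGIN_DIR:?HELM_PLUGIN_DIR must be set}/scripts/drivers/${driver}.sh" ;;  # in-tree name
  esac
  if [ ! -f "$script" ]; then
    echo "secret driver not found: $script" >&2
    return 1
  fi
  printf '%s\n' "$script"
}

# Usage inside a plugin script (assumed): the script is sourced so its functions
# become available to the rest of the command.
#   driver_script=$(resolve_driver "$opt_driver") || exit 1
#   . "$driver_script"
```

Since the driver setting is global, the resolved script applies to every secrets file in one `helm secrets` invocation; mixing sops and Vault files in one run would need the file-level switch the README says does not exist yet.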
The current version of this plugin uses mozilla/sops by default as the backend. Hashicorp Vault is supported as a secret source since v3.2.0, too. In addition, sops supports Vault natively since v3.6.0.

What kind of problems this plugin solves:

- A simple, replaceable layer integrated with the helm command for encrypting, decrypting and viewing secrets files stored in any place.
- On-the-fly decryption and cleanup for helm install/upgrade with a helm command wrapper.

If you are using sops (used by default) you have some additional features:

- Support for YAML/JSON structure encryption - Helm YAML secrets files
- Encryption per value, so a visual diff works even on encrypted files
- On-the-fly decryption for git diff
- Multiple key management solutions like PGP, AWS KMS and GCP KMS at the same time
- Simple adding/removing of keys
- With AWS KMS, permissions management for keys
- Secrets files directory tree separation with recursive .sops.yaml file search
- Extracting sub-elements from an encrypted file structure
- Encrypting only part of a file if needed. Example encrypted file

Additional documentation, resources and examples can be found here.
- `scripts/install.sh` - Script used as the hook to download and install sops and to install the git diff configuration for helm-secrets files.
- `scripts/run.sh` - Main helm-secrets plugin code for all helm-secrets plugin actions available in `helm secrets help` after plugin install.
- `scripts/drivers` - Location of the in-tree secrets drivers.
- `scripts/commands` - Sub commands of `helm secrets` are defined here.
- `scripts/lib` - Common functions used by `helm secrets`.
- `scripts/wrapper` - Wrapper scripts for Windows systems.
- `tests` - Test scripts to check if all parts of the plugin work. Uses test assets with PGP keys to make real tests on real data with real encryption/decryption. See `tests/README.md` for more information.
- `examples` - Some example secrets.yaml files.
© 2020-2021 Jan-Otto Kröpke (jkroepke)
© 2017-2020 Zendesk
Licensed under the Apache License, Version 2.0