Skip to content

Secret Backends

GitHub Action edited this page Apr 17, 2023 · 7 revisions

helm-secret support multiple backend. sops and vals. sops is good for on-premise installation. vals can be used to fetch secrets from external systems like AWS Secrets Manager or Azure KeyVault.

Example for in-tree backends via an CLI option

helm secrets -b sops decrypt ./tests/assets/helm_vars/secrets.yaml

Example for in-tree backends via environment variable

HELM_SECRETS_BACKEND=vals helm secrets decrypt ./tests/assets/helm_vars/secrets.yaml

Example for out-of-tree backends

helm secrets -b ./path/to/backend.sh decrypt ./tests/assets/helm_vars/secrets.yaml

The backend option is a global one. A file level switch is supported, too.

helm secrets template . -f 'sops!tests/assets/helm_vars/secrets.yaml'

For more information, read USAGE.md

Implement an own secret backend

Start by a copy of sops backend and adjust to your own needs. The custom backend can be load via HELM_SECRETS_BACKEND parameter or -d option (higher preference).

Pass additional arguments to a secret backend

helm secrets -a "--verbose" decrypt ./tests/assets/helm_vars/secrets.yaml

results into:

[PGP]    INFO[0000] Decryption succeeded                          fingerprint=D6174A02027050E59C711075B430C4E58E2BBBA3
[SOPS]   INFO[0000] Data key recovered successfully
[SOPS]   DEBU[0000] Decrypting tree
[helm-secrets] Decrypt: tests/assets/values/sops/secrets.yaml
==> Linting examples/sops
[INFO] Chart.yaml: icon is recommended

1 chart(s) linted, 0 chart(s) failed

[helm-secrets] Removed: tests/assets/values/sops/secrets.yaml.dec

Explicitly specify a binary path

If e.g. sops is installed at the non-default location or if you have multiple versions of sops on your system, you can use HELM_SECRETS_$BACKEND_PATH to explicitly specify the sops binary to be used.

# Example for in-tree backends via environment variable
HELM_SECRETS_SOPS_PATH=/custom/location/sops helm secrets decrypt ./tests/assets/helm_vars/secrets.yaml
HELM_SECRETS_VALS_PATH=/custom/location/vals helm secrets decrypt ./tests/assets/helm_vars/secrets.yaml

List of implemented secret backends

sops

If you use sops with helm-secrets, the sops CLI tool is needed. sops 3.2.0 is required at a minimum.

Download: https://github.com/mozilla/sops/releases/latest

Before starting using sops with gpg, consider starting to use age.

The sops secret store is enabled by default.

vals

vals is a tool for managing configuration values and secrets form various sources.

To use vals with helm-secrets, the vals CLI binary is needed. vals 0.22.0 or higher is required.

It supports various backends:

All clients are integrated into vals, no additional tools required.

Download: https://github.com/variantdev/vals/releases/latest

The vals secret backend can be enabled by define HELM_SECRETS_BACKEND=vals.

Example file: examples/vals/secrets.yaml

Clone this wiki locally