-
-
Notifications
You must be signed in to change notification settings - Fork 131
Secret Driver
It's possible to use another secret driver then sops, e.g. Hasicorp Vault.
Example for in-tree drivers via option
helm secrets -d sops view ./tests/assets/helm_vars/secrets.yamlExample for in-tree drivers via environment variable
HELM_SECRETS_DRIVER=vault helm secrets view ./tests/assets/helm_vars/secrets.yamlExample for out-of-tree drivers
helm secrets -d ./path/to/driver.sh view ./tests/assets/helm_vars/secrets.yamlThe driver option is a global one. A file level switch isn't supported yet.
Start by a copy of sops driver and adjust to your own needs.
The custom driver can be load via HELM_SECRETS_DRIVER parameter or -d option (higher preference).
helm secrets -a "--verbose" view ./tests/assets/helm_vars/secrets.yamlresults into:
[PGP] INFO[0000] Decryption succeeded fingerprint=D6174A02027050E59C711075B430C4E58E2BBBA3
[SOPS] INFO[0000] Data key recovered successfully
[SOPS] DEBU[0000] Decrypting tree
[helm-secrets] Decrypt: tests/assets/values/sops/secrets.yaml
==> Linting examples/sops
[INFO] Chart.yaml: icon is recommended
1 chart(s) linted, 0 chart(s) failed
[helm-secrets] Removed: tests/assets/values/sops/secrets.yaml.dec
If e.g. sops is installed at the non-default location or if you have multiple versions of sops on your system, you can use HELM_SECRETS_$DRIVER_PATH to explicitly specify the sops binary to be used.
# Example for in-tree drivers via environment variable
HELM_SECRETS_SOPS_PATH=/custom/location/sops helm secrets view ./tests/assets/helm_vars/secrets.yaml
HELM_SECRETS_VALS_PATH=/custom/location/vals helm secrets view ./tests/assets/helm_vars/secrets.yamlIf you use sops with helm-secrets, the sops CLI tool is needed. sops 3.2.0 is required at minimum.
Download: https://github.com/mozilla/sops/releases/latest
Before start to use sops with gpg, consider start to use age.
The sops secret store is enabled by default.
vals is a tool for managing configuration values and secrets form various sources.
It supports various backends including:
- Vault
- AWS SSM Parameter Store
- AWS Secrets Manager
- AWS S3
- GCP Secrets Manager
- Azure Key Vault
- SOPS-encrypted files
- Terraform State
- Plain File
All clients are integrated into vals, no additional tools required.
Download: https://github.com/variantdev/vals/releases/latest
The vals secret driver can be enabled by define HELM_SECRETS_DRIVER=vals.
Example file: examples/vals/secrets.yaml
If you use Vault with helm-secrets, the vault CLI tool is needed.
Download: https://www.vaultproject.io/downloads
The vault secret driver can be enabled by define HELM_SECRETS_DRIVER=vals.
Example file: examples/vault/secrets.yaml
If you have stored you secret inside environment variables, you could use the envsubst driver.
brew install gettextapt-get install gettextIf you use Doppler with helm-secrets, the doppler CLI tool is needed.
Installation: https://docs.doppler.com/docs/enclave-installation
You need to make sure chart folder or parent one is in correct CLI's scope with enough access to project.
Example file: examples/doppler/secrets.yaml
This wiki is synced with the docs folder from the code repository! To improve the wiki, create a pull request against the code repository with the suggested changes.