{"id":13496155,"url":"https://github.com/jkroepke/helm-secrets","last_synced_at":"2025-05-14T08:05:20.310Z","repository":{"id":37863102,"uuid":"156066420","full_name":"jkroepke/helm-secrets","owner":"jkroepke","description":"A helm plugin that help manage secrets with Git workflow and store them anywhere","archived":false,"fork":false,"pushed_at":"2025-05-08T18:32:22.000Z","size":1453,"stargazers_count":1726,"open_issues_count":4,"forks_count":135,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-05-08T19:39:29.620Z","etag":null,"topics":["argocd","decryption","encryption","encryption-tool","gpg","helm","helm-chart","helm-charts","helm-plugin","helm-plugins","k8s","kms","kubernetes","kubernetes-secrets","secret-management","secrets","secrets-management","secrets-stored","sops","vault"],"latest_commit_sha":null,"homepage":"https://github.com/jkroepke/helm-secrets/wiki","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jkroepke.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/Security in shared environments.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":"jkroepke"}},"created_at":"2018-11-04T09:21:26.000Z","updated_at":"2025-05-08T18:32:25.000Z","dependencies_parsed_at":"2023-10-02T17:59:53.041Z","dependency_job_id":"c09ac9ba-a0a8-4d0a-b741-c793ab679410","html_url":"https://github.com/jkroepke/helm-secrets","commit_stats":{"total_commits":842,"total_committers":74,"mean_commits":"11.378378378378379","dds":0.333729216152019,"last_synced_commit":"f475a1d6a53a6f99be69c260066bd2af443631dd"},"previous_names":[],"tags_count":63,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jkroepke%2Fhelm-secrets","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jkroepke%2Fhelm-secrets/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jkroepke%2Fhelm-secrets/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jkroepke%2Fhelm-secrets/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jkroepke","download_url":"https://codeload.github.com/jkroepke/helm-secrets/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254101588,"owners_count":22014907,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["argocd","decryption","encryption","encryption-tool","gpg","helm","helm-chart","helm-charts","helm-plugin","helm-plugins","k8s","kms","kubernetes","kubernetes-secrets","secret-management","secrets","secrets-management","secrets-stored","sops","vault"],"created_at":"2024-07-31T19:01:43.114Z","updated_at":"2025-05-14T08:05:20.295Z","avatar_url":"https://github.com/jkroepke.png","language":"Shell","funding_links":["https://github.com/sponsors/jkroepke"],"categories":["Shell","DevSecOps","Building","kubernetes","Secret Management"],"sub_categories":["Service meshes","Workflows"],"readme":"[![CI](https://github.com/jkroepke/helm-secrets/workflows/CI/badge.svg)](https://github.com/jkroepke/helm-secrets/)\n[![License](https://img.shields.io/github/license/jkroepke/helm-secrets.svg)](https://github.com/jkroepke/helm-secrets/blob/main/LICENSE)\n[![Current Release](https://img.shields.io/github/release/jkroepke/helm-secrets.svg?logo=github)](https://github.com/jkroepke/helm-secrets/releases/latest)\n[![GitHub Repo stars](https://img.shields.io/github/stars/jkroepke/helm-secrets?style=flat\u0026logo=github)](https://github.com/jkroepke/helm-secrets/stargazers)\n[![GitHub all releases](https://img.shields.io/github/downloads/jkroepke/helm-secrets/total?logo=github)](https://github.com/jkroepke/helm-secrets/releases/latest)\n[![GitHub issues](https://img.shields.io/github/issues/jkroepke/helm-secrets.svg)](https://github.com/jkroepke/helm-secrets/issues)\n[![GitHub pull requests](https://img.shields.io/github/issues-pr/jkroepke/helm-secrets.svg)](https://github.com/jkroepke/helm-secrets/pulls)\n[![codecov](https://codecov.io/gh/jkroepke/helm-secrets/branch/main/graph/badge.svg?token=4qAukyB2yX)](https://codecov.io/gh/jkroepke/helm-secrets)\n[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/secrets)](https://artifacthub.io/packages/helm-plugin/secrets/secrets)\n\n# helm-secrets\n\n⭐ Don't forget to star this repository! ⭐\n\n## About\n\nhelm-secrets is a Helm plugin to decrypt encrypted Helm **value files** on the fly.\n\n* Use [sops](https://github.com/getsops/sops) to encrypt value files and store them in git.\n* Store your secrets in a cloud native secret manager like AWS SecretManager, Azure KeyVault or HashiCorp Vault and inject them inside value files or templates.\n* Use helm-secret in your favorite deployment tool or GitOps Operator like ArgoCD\n\nWho’s actually using helm-secrets? If you are using helm-secrets in your company or organization, we would like to invite you to create a PR to add your\ninformation to this [file](./USERS.md).\n\n## Installation\n\nSee [Installation](https://github.com/jkroepke/helm-secrets/wiki/Installation) for more information.\n\n## Usage\n\nFor full documentation, read [GitHub wiki](https://github.com/jkroepke/helm-secrets/wiki/Usage).\n\n### Decrypt secrets via protocol handler\n\nRun decrypted command on specific value files. \nThis method is preferred over the plugin command below. \nThis mode is used in [ArgoCD](https://github.com/jkroepke/helm-secrets/wiki/ArgoCD-Integration) environments.\n\n```bash\nhelm upgrade name . -f secrets://secrets.yaml\n```\n\nSee [Usage](https://github.com/jkroepke/helm-secrets/wiki/Usage) for more information\n\n### Decrypt secrets via plugin command\n\nWraps the whole `helm` command. Slow on multiple value files.\n\n```bash\nhelm secrets upgrade name . -f secrets.yaml\n```\n\n\n### Evaluate secret reference inside helm template\n\n*requires helm 3.9+; vals 0.20+*\n\nhelm-secrets supports evaluating [vals](https://github.com/variantdev/vals) expressions inside Helm templates with the flag `--evaluate-templates`.\n\n**secrets.yaml**\n\n```yaml\napiVersion: v1\nkind: Secret\nmetadata:\n  name: secret\ntype: Opaque\nstringData:\n  password: \"ref+awsssm://foo/bar?mode=singleparam#/BAR\"\n```\n\n**Run**\n```bash\nhelm secrets --evaluate-templates upgrade name .\n```\n\n## Cloud support\n\nUse AWS Secrets Manager or Azure KeyVault for storing secrets securely and reference them inside values.yaml\n\n```bash\nhelm secrets --backend vals template bitnami/mysql --name-template mysql \\\n  --set auth.rootPassword=ref+awsssm://foo/bar?mode=singleparam#/BAR\n```\n\nSee [Cloud Integration](https://github.com/jkroepke/helm-secrets/wiki/Cloud-Integration) for more information.\n\n\n## ArgoCD support\n\nFor running helm-secrets with ArgoCD, see [ArgoCD Integration](https://github.com/jkroepke/helm-secrets/wiki/ArgoCD-Integration) for more information.\n\n### Example\n\n```yaml\napiVersion: argoproj.io/v1alpha1\nkind: Application\nmetadata:\n  name: app\nspec:\n  source:\n    helm:\n      valueFiles:\n        - secrets+gpg-import:///helm-secrets-private-keys/key.asc?secrets.yaml\n        - secrets+gpg-import-kubernetes://argocd/helm-secrets-private-keys#key.asc?secrets.yaml\n        - secrets://secrets.yaml\n      # fileParameters (--set-file) are supported, too. \n      fileParameters:\n        - name: config\n          path: secrets://secrets.yaml\n        # directly reference values from Cloud Providers\n        - name: mysql.rootPassword\n          path: secrets+literal://ref+azurekeyvault://my-vault/secret-a\n```\n\n## Terraform support\n\nThe Terraform Helm provider does not [support downloader plugins](https://github.com/hashicorp/terraform-provider-helm).\n\nhelm-secrets can be used together with the [Terraform external data source provider](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source).\n\n### Example\n\n```hcl\ndata \"external\" \"helm-secrets\" {\n  program = [\"helm\", \"secrets\", \"decrypt\", \"--terraform\", \"../../examples/sops/secrets.yaml\"]\n}\n\nresource \"helm_release\" \"example\" {\n  \n\n  values = [\n    file(\"../../examples/sops/values.yaml\"),\n    base64decode(data.external.helm-secrets.result.content_base64),\n  ]\n}\n```\n\nAn example of how to use helm-secrets with Terraform can be found in [examples/terraform](examples/terraform/helm.tf).\n\n## Secret backends\n\nhelm-secrets support multiple secret backends.\nCurrently, [sops](https://github.com/getsops/sops) and [vals](https://github.com/variantdev/vals/) are supported.\n\nSee [Secret-Backends](https://github.com/jkroepke/helm-secrets/wiki/Secret-Backends) how to use them.\n\n## Documentation\n\nAdditional documentation, resources and examples can be found [here](https://github.com/jkroepke/helm-secrets/wiki/Usage).\n\n## Moving parts of project\n\n- [`scripts/run.sh`](scripts/run.sh) - Main helm-secrets plugin code for all helm-secrets plugin actions available in `helm secrets help` after plugin install\n- [`scripts/backends`](scripts/lib/backends) - Location of the in-tree secrets backends\n- [`scripts/commands`](scripts/commands) - Sub Commands of `helm secrets` are defined here.\n- [`scripts/lib`](scripts/lib) - Common functions used by `helm secrets`.\n- [`scripts/wrapper`](scripts/wrapper) - Wrapper scripts for Windows systems.\n- [`tests`](tests) - Test scripts to check if all parts of the plugin work. Using test assets with PGP keys to make real tests on real data with real encryption/decryption. See [`tests/README.md`](tests/README.md) for more information.\n- [`examples`](examples) - Some example secrets.yaml\n\n## Open Source Sponsors\n\nThanks to all sponsors!\n\n* [@hegawa](https://github.com/hegawa) (25$) onetime\n\n## Copyright and license\n\n© 2020-2022 [Jan-Otto Kröpke (jkroepke)](https://github.com/jkroepke/helm-secrets)\n\n© 2017-2020 [Zendesk](https://github.com/zendesk/helm-secrets)\n\nLicensed under the [Apache License, Version 2.0](LICENSE)\n\n## Thanks\n\n- [JetBrains IDEs](https://www.jetbrains.com/?from=jkroepke)\n\n[![JetBrains-Logo (Haupt) logo](https://resources.jetbrains.com/storage/products/company/brand/logos/jb_beam.svg)](https://www.jetbrains.com/?from=jkroepke)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjkroepke%2Fhelm-secrets","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjkroepke%2Fhelm-secrets","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjkroepke%2Fhelm-secrets/lists"}