Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/jkroepke/helm-secrets
A helm plugin that helps manage secrets with Git workflow and store them anywhere
argocd decryption encryption encryption-tool gpg helm helm-chart helm-charts helm-plugin helm-plugins k8s kms kubernetes kubernetes-secrets secret-management secrets secrets-management secrets-stored sops vault
Last synced: 1 day ago
- Host: GitHub
- URL: https://github.com/jkroepke/helm-secrets
- Owner: jkroepke
- License: apache-2.0
- Created: 2018-11-04T09:21:26.000Z (about 6 years ago)
- Default Branch: main
- Last Pushed: 2024-12-04T22:53:56.000Z (8 days ago)
- Last Synced: 2024-12-05T02:04:29.523Z (8 days ago)
- Topics: argocd, decryption, encryption, encryption-tool, gpg, helm, helm-chart, helm-charts, helm-plugin, helm-plugins, k8s, kms, kubernetes, kubernetes-secrets, secret-management, secrets, secrets-management, secrets-stored, sops, vault
- Language: Shell
- Homepage: https://github.com/jkroepke/helm-secrets/wiki
- Size: 1.34 MB
- Stars: 1,548
- Watchers: 12
- Forks: 130
- Open Issues: 2
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: docs/Security in shared environments.md
Awesome Lists containing this project
- awesome-cybersecurity-blueteam - helm-secrets - Helm plugin that helps manage secrets with Git workflow and stores them anywhere, backed by SOPS. (DevSecOps / Service meshes)
- awesome-repositories - jkroepke/helm-secrets - A helm plugin that helps manage secrets with Git workflow and store them anywhere (Shell)
README
# helm-secrets
⭐ Don't forget to star this repository! ⭐
## About
helm-secrets is a Helm plugin to decrypt encrypted Helm **value files** on the fly.
* Use [sops](https://github.com/getsops/sops) to encrypt value files and store them in git.
* Store your secrets in a cloud-native secret manager like AWS Secrets Manager, Azure Key Vault or HashiCorp Vault and inject them inside value files or templates.
* Use helm-secrets in your favorite deployment tool or GitOps operator like ArgoCD.

Who's actually using helm-secrets? If you are using helm-secrets in your company or organization, we would like to invite you to create a PR to add your
information to this [file](./USERS.md).
## Installation
See [Installation](https://github.com/jkroepke/helm-secrets/wiki/Installation) for more information.
## Usage
For full documentation, read [GitHub wiki](https://github.com/jkroepke/helm-secrets/wiki/Usage).
### Decrypt secrets via protocol handler
Decrypts specific value files on the fly, selected with the `secrets://` prefix.
This method is preferred over the plugin command below.
This mode is used in [ArgoCD](https://github.com/jkroepke/helm-secrets/wiki/ArgoCD-Integration) environments.
```bash
helm upgrade name . -f secrets://secrets.yaml
```
See [Usage](https://github.com/jkroepke/helm-secrets/wiki/Usage) for more information.
### Decrypt secrets via plugin command
Wraps the whole `helm` command. Slow on multiple value files.
```bash
helm secrets upgrade name . -f secrets.yaml
```
### Evaluate secret reference inside helm template
*requires helm 3.9+; vals 0.20+*
helm-secrets supports evaluating [vals](https://github.com/variantdev/vals) expressions inside Helm templates with the flag `--evaluate-templates`.
**secrets.yaml**
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: secret
type: Opaque
stringData:
  password: "ref+awsssm://foo/bar?mode=singleparam#/BAR"
```
**Run**
```bash
helm secrets --evaluate-templates upgrade name .
```
## Cloud support
Use AWS Secrets Manager or Azure KeyVault for storing secrets securely and reference them inside values.yaml.
```bash
# The reference is quoted so the shell does not treat "?" as a glob character.
helm secrets --backend vals template bitnami/mysql --name-template mysql \
  --set 'auth.rootPassword=ref+awsssm://foo/bar?mode=singleparam#/BAR'
```
See [Cloud Integration](https://github.com/jkroepke/helm-secrets/wiki/Cloud-Integration) for more information.
## ArgoCD support
For running helm-secrets with ArgoCD, see [ArgoCD Integration](https://github.com/jkroepke/helm-secrets/wiki/ArgoCD-Integration) for more information.
### Example
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app
spec:
  source:
    helm:
      valueFiles:
        - secrets+gpg-import:///helm-secrets-private-keys/key.asc?secrets.yaml
        - secrets+gpg-import-kubernetes://argocd/helm-secrets-private-keys#key.asc?secrets.yaml
        - secrets://secrets.yaml
      # fileParameters (--set-file) are supported, too.
      fileParameters:
        - name: config
          path: secrets://secrets.yaml
        # directly reference values from Cloud Providers
        - name: mysql.rootPassword
          path: secrets+literal://ref+azurekeyvault://my-vault/secret-a
```
## Terraform support
The Terraform Helm provider does not [support downloader plugins](https://github.com/hashicorp/terraform-provider-helm).
helm-secrets can be used together with the [Terraform external data source provider](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/data_source).
### Example
```hcl
data "external" "helm-secrets" {
  program = ["helm", "secrets", "decrypt", "--terraform", "../../examples/sops/secrets.yaml"]
}

resource "helm_release" "example" {
  values = [
    file("../../examples/sops/values.yaml"),
    base64decode(data.external.helm-secrets.result.content_base64),
  ]
}
```
An example of how to use helm-secrets with Terraform can be found in [examples/terraform](examples/terraform/helm.tf).
## Secret backends
helm-secrets supports multiple secret backends.
Currently, [sops](https://github.com/getsops/sops) and [vals](https://github.com/variantdev/vals/) are supported.
See [Secret-Backends](https://github.com/jkroepke/helm-secrets/wiki/Secret-Backends) for how to use them.
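A guard for the sops backend, as an added example that is not part of helm-secrets: it fails when a secret value file in the repository lacks sops metadata or contains no ciphertext, which catches files committed before encryption. The file-name pattern, the function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not helm-secrets code). Assumes the sops backend and value
# files named secrets.yaml / secrets.*.yaml; adjust the pattern to your repo.

# Status 0 if FILE has sops metadata AND at least one encrypted data value.
is_sops_encrypted() {
  grep -q '^sops:' "$1" || return 1                        # sops metadata map
  grep -q '^[[:space:]]\{1,\}mac: ENC\[' "$1" || return 1  # integrity MAC
  # Metadata alone is not enough: an encrypted_regex that matches no key
  # leaves every value in cleartext, so require ciphertext outside the mac line.
  grep -v '^[[:space:]]*mac:' "$1" | grep -q 'ENC\[AES256_GCM,data:'
}

# List secret value files under DIR that are not encrypted; status 1 if any.
audit_secret_files() {
  rc=0
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    if ! is_sops_encrypted "$f"; then
      printf 'NOT ENCRYPTED: %s\n' "$f"
      rc=1
    fi
  done <<EOF
$(find "$1" -type f \( -name 'secrets.yaml' -o -name 'secrets.*.yaml' \) | sort)
EOF
  return "$rc"
}

# Constructed sample files (fake values, no real ciphertext or keys).
write_samples() {
  mkdir -p "$1/ok" "$1/plain" "$1/meta-only"
  enc='ENC[AES256_GCM,data:CONSTRUCTED,iv:CONSTRUCTED,tag:CONSTRUCTED,type:str]'
  printf 'password: %s\nsops:\n    mac: %s\n' "$enc" "$enc" \
    > "$1/ok/secrets.yaml"
  printf 'password: hunter2\n' > "$1/plain/secrets.yaml"
  printf 'password: hunter2\nsops:\n    mac: %s\n' "$enc" \
    > "$1/meta-only/secrets.prod.yaml"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
if audit_secret_files "$demo_dir"; then
  echo "all secret value files are sops-encrypted"
else
  echo "refusing: encrypt the files above with sops before committing"
fi
```

Run as a pre-commit hook or CI step, `audit_secret_files .` returns a non-zero status whenever a matching file would reach Git in cleartext.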
## Documentation
Additional documentation, resources and examples can be found [here](https://github.com/jkroepke/helm-secrets/wiki/Usage).
## Moving parts of project
- [`scripts/run.sh`](scripts/run.sh) - Main helm-secrets plugin code for all helm-secrets plugin actions available in `helm secrets help` after plugin install
- [`scripts/backends`](scripts/lib/backends) - Location of the in-tree secrets backends
- [`scripts/commands`](scripts/commands) - Sub Commands of `helm secrets` are defined here.
- [`scripts/lib`](scripts/lib) - Common functions used by `helm secrets`.
- [`scripts/wrapper`](scripts/wrapper) - Wrapper scripts for Windows systems.
- [`tests`](tests) - Test scripts to check if all parts of the plugin work. Using test assets with PGP keys to make real tests on real data with real encryption/decryption. See [`tests/README.md`](tests/README.md) for more information.
- [`examples`](examples) - Some example secrets.yaml
## Open Source Sponsors
Thanks to all sponsors!
* [@hegawa](https://github.com/hegawa) (25$) onetime
## Copyright and license
© 2020-2022 [Jan-Otto Kröpke (jkroepke)](https://github.com/jkroepke/helm-secrets)
© 2017-2020 [Zendesk](https://github.com/zendesk/helm-secrets)
Licensed under the [Apache License, Version 2.0](LICENSE)
## Thanks
- [JetBrains IDEs](https://www.jetbrains.com/?from=jkroepke)