See Installation for more information.

Run decrypted command on specific value files. This is method is preferred over the plugin command below. On Windows, the command helm secrets patch windows needs to be run first.

helm upgrade name . -f secrets://secrets.yaml

See Usage for more information

Wraps the whole helm command. Slow on multiple value files.

helm secrets upgrade name . -f secrets.yaml

For running helm-secrets with ArgoCD, see ArgoCD Integration for more information.

The Terraform helm provider does not support downloader plugins.

helm secrets can be used together with the terraform external data source provider.

data "external" "helm-secrets" {
  program = ["helm", "secrets", "terraform", "../../examples/sops/secrets.yaml"]
}

resource "helm_release" "example" {
  ...

  values = [
    file("../../examples/sops/values.yaml"),
    base64decode(data.external.helm-secrets.result.content_base64),
  ]
}

An example how to use helm-secrets with terraform could be found in examples/terraform.

helm-secrets supports multiplie secret drivers like sops, Hashicorp Vault, vals and more.

See Secret-Driver how to use them.

The current version of this plugin using mozilla/sops by default as backend.

Hashicorp Vault is supported as secret source since v3.2.0, too. In addition, sops support vault since v3.6.0 natively.

What kind of problems this plugin solves:

• Simple replaceable layer integrated with helm command for encrypting, decrypting, view secrets files stored in any place.
• On the fly decryption and cleanup for helm install/upgrade with a helm command wrapper

If you are using sops (used by default) you have some additional features:

• Support for YAML/JSON structures encryption - Helm YAML secrets files
• Encryption per value where visual Diff should work even on encrypted files
• On the fly decryption for git diff
• Multiple key management solutions like PGP, AWS KMS and GCP KMS at same time
• Simple adding/removing keys
• With AWS KMS permissions management for keys
• Secrets files directory tree separation with recursive .sops.yaml files search
• Extracting sub-elements from encrypted file structure
• Encrypt only part of a file if needed. Example encrypted file

An additional documentation, resources and examples can be found here.

• scripts/run.sh - Main helm-secrets plugin code for all helm-secrets plugin actions available in helm secrets help after plugin install
• scripts/drivers - Location of the in-tree secrets drivers
• scripts/commands - Sub Commands of helm secrets are defined here.
• scripts/lib - Common functions used by helm secrets.
• scripts/wrapper - Wrapper scripts for Windows systems.
• tests - Test scripts to check if all parts of the plugin work. Using test assets with PGP keys to make real tests on real data with real encryption/decryption. See tests/README.md for more informations.
• examples - Some example secrets.yaml

© 2020-2021 Jan-Otto Kröpke (jkroepke)

© 2017-2020 Zendesk

Licensed under the Apache License, Version 2.0