Helm is a package manager for Kubernetes; it helps developers deploy their applications to Kubernetes.
Helm also provides charts as dependencies for your application at https://hub.helm.sh/
The problem with Helm is that secret variables (saved in the values.yaml file) are passed as-is to the templates (e.g. deployment.yaml, service.yaml). In a production environment there are variables that you don't want to expose, so you want to encrypt these variables.
I did some research and came up with Helm Secrets, a plugin for secret management in Helm.
Basically, Helm Secrets integrates with SOPS to encrypt/decrypt the variables file. The encryption key is created and managed by AWS KMS, GCP KMS, Azure Key Vault or PGP.
Helm Secrets provides a shell wrapper that runs Helm inside it, decrypting the secrets on the fly before Helm runs and cleaning the decrypted files up afterwards.
In this example, I’ll use AWS KMS to create the encryption key.
- Assume I have the encryption key created from AWS KMS. The KMS ARN looks like:
And it will be saved to
- Init the secrets.yaml file; this file will contain all the secret variables that we want to encrypt.
- Now, encryption time! Run the following command:
╰─$ helm secrets enc secrets.yaml
- Look at the secrets.yaml file: all variables are encrypted, and now you can commit this file.
- Helm Secrets provides a list of commands to decrypt, view, or edit the secret file.
For example, to view the decrypted variables, the command is:
╰─$ helm secrets view secrets.yaml
Use helm secrets as a wrapper command when you want to deploy the application to Kubernetes:
helm secrets upgrade "app_name" chart/path/ -f deployment/example/values.yaml -f deployment/example/secrets.yaml
In this command, I loaded the normal variables from the values.yaml file and the encrypted variables from the encrypted secrets.yaml file.
helm secrets upgrade means it will init/update the chart.
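The step above says the encrypted secrets.yaml can now be committed. As an added example (not part of helm-secrets or SOPS), here is a small shell check that refuses a secrets file unless it actually looks SOPS-encrypted, so a plaintext file never reaches the repository by mistake. It assumes the SOPS on-disk format (every leaf value wrapped as ENC[AES256_GCM,...] plus a trailing top-level sops: metadata block); the two sample files, the ciphertext values and the KMS ARN are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of helm-secrets or SOPS): refuse to treat a
# secrets file as committable unless it is actually SOPS-encrypted.
# Assumed SOPS format: every leaf value is wrapped as
# ENC[AES256_GCM,data:...,iv:...,tag:...,type:...] and a top-level
# "sops:" metadata block (kms ARN, mac, ...) closes the file.

# is_sops_encrypted FILE: exit 0 if FILE looks fully encrypted, 1 otherwise.
# Handles flat and nested YAML maps; comments and blank lines are ignored.
is_sops_encrypted() {
    # the sops: metadata block must be present
    grep -q '^sops:' "$1" || return 1
    # every key/value line before the sops: block must carry an ENC[...] value
    awk '
        BEGIN { bad = 0 }
        /^sops:/ { exit }                              # metadata: stop here
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comment / blank line
        /^[ \t]*[^:]+:[ \t]*$/ { next }                # nested map header
        /^[ \t]*[^:]+:[ \t]*ENC\[AES256_GCM,data:.*,type:[a-z]+\]/ { next }
        { bad = 1; exit }                              # plaintext leaf value
        END { exit bad }
    ' "$1"
}

# Constructed samples: secrets.yaml before and after `helm secrets enc`.
# Ciphertext, ARN and mac are placeholders, not real SOPS output.
PLAIN=$(mktemp) ; ENCRYPTED=$(mktemp)
trap 'rm -f "$PLAIN" "$ENCRYPTED"' EXIT
cat > "$PLAIN" <<'EOF'
db:
  password: hunter2
apiKey: abc123
EOF
cat > "$ENCRYPTED" <<'EOF'
db:
  password: ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]
apiKey: ENC[AES256_GCM,data:YWJj,iv:ZGVm,tag:Z2hp,type:str]
sops:
  kms:
  - arn: arn:aws:kms:REGION:ACCOUNT-ID:key/KEY-ID-PLACEHOLDER
  mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
EOF

for f in "$PLAIN" "$ENCRYPTED"; do
    if is_sops_encrypted "$f"; then
        echo "ok: $f is SOPS-encrypted, safe to commit"
    else
        echo "refused: $f still holds plaintext, run 'helm secrets enc' first"
    fi
done
```

Wire is_sops_encrypted into a pre-commit hook over every file named secrets.yaml to catch an accidental commit of the unencrypted version.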
Helm Secrets is really a good approach for people who want to manage secret variables in a Kubernetes environment. If you have any feedback, feel free to contact me.