Using secrets like a boss — Helm Secrets

[Figure: Helm usage according to latest Kubernetes survey]
Helm is incredible for packaging your Kubernetes Deployments. The only downside is that you can't effectively manage your secrets, but that's an issue of the past with Helm Secrets. This is a plugin you can install on top of Helm to allow the encryption and decryption of secret values.
The repository can be found on the following page:
The installation is quite simple (from > 2.3.x). Just run the following command:
helm plugin install https://github.com/futuresimple/helm-secrets
Helm Secrets in turn makes use of Secrets OPerationS (SOPS).
SOPS is an editor of encrypted files that supports YAML, JSON and binary formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault and PGP. Helm Secrets only hooks into this functionality, which makes it great because it doesn't try to reinvent the wheel. The fact that it uses SOPS underneath also lets us benefit from SOPS-aware git diffs. For this to work you need to add a .gitattributes file with the following content:
*.yaml diff=sopsdiffer
Next up we need to link this to a certain converter:
git config diff.sopsdiffer.textconv "sops -d"
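Now if you do a git diff, you will see the plain text instead of the ciphertext. Keep in mind that the decrypted values are then printed to your terminal, and that the *.yaml pattern applies to every YAML file in the repository, so narrow it if only some files are encrypted.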
The usage for helm secrets is pretty straightforward. It includes a helm wrapper which does everything on the fly. However, it also has some nifty utility commands:
  enc       Encrypt chart secrets file
  dec       Decrypt chart secrets file
  dec-deps  Decrypt chart's dependencies' secrets files
  view      Print chart secrets decrypted
  edit      Edit chart secrets and encrypt at the end
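To catch a secrets file that never went through enc before it reaches the repository, here is a small check as an added example (not part of the original post or of the helm-secrets project). It assumes SOPS' default whole-file encryption and files named secrets*.yaml; the function names are hypothetical and the sample data is constructed.

```shell
#!/bin/sh
# Added example. Assumptions: SOPS default whole-file encryption, where every
# scalar is ENC[...] and a top-level "sops:" key holds the metadata; secrets
# files are named secrets*.yaml; block scalars and flow-style YAML are not handled.

# is_sops_encrypted FILE: exit 0 only if the file has SOPS metadata and no plaintext value
is_sops_encrypted() {
    awk '
        /^sops:[ \t]*$/ { meta = 1; seen = 1; next }  # SOPS metadata starts
        /^[^ \t#]/      { meta = 0 }                  # another top-level key ends it
        meta            { next }                      # metadata is not checked
        /^[ \t]*#/ || /^[ \t]*$/ || /^---/ { next }   # comments, blanks, doc marker
        {
            line = $0
            sub(/^[ \t]*(-[ \t]+)?/, "", line)        # strip indent and list dash
            if (line ~ /^[^:]+:[ \t]*$/) next         # key that only opens a mapping
            sub(/^[^:]+:[ \t]+/, "", line)            # drop "key: "
            if (line !~ /^ENC\[.*\]$/) bad = 1        # plaintext scalar found
        }
        END { exit !(seen && !bad) }
    ' "$1"
}

# find_plaintext_secrets DIR: print every secrets*.yaml under DIR that fails the check
find_plaintext_secrets() {
    find "$1" -type f -name 'secrets*.yaml' | sort | while IFS= read -r f; do
        is_sops_encrypted "$f" || echo "$f"
    done
}

# make_samples DIR: constructed test data (not real ciphertext)
make_samples() {
    mkdir -p "$1/good" "$1/bad" "$1/mixed"
    cat > "$1/good/secrets.yaml" <<'EOF'
db:
    password: ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]
sops:
    mac: ENC[AES256_GCM,data:cXV4,iv:YWJj,tag:ZGVm,type:str]
EOF
    echo 'password: hunter2' > "$1/bad/secrets.yaml"   # never encrypted
    { echo 'user: admin'; cat "$1/good/secrets.yaml"; } > "$1/mixed/secrets.yaml"  # hand-edited after enc
}

# Demo on the constructed samples: lists the two files that must not be committed.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
find_plaintext_secrets "$demo_dir"
rm -rf "$demo_dir"
```

Called from a pre-commit hook or a CI job, any output from find_plaintext_secrets is the signal to block the commit.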
So with SOPS and Helm Secrets, you don't have any excuse not to encrypt your credentials properly. You've got all the right tools at your fingertips.