-
-
Notifications
You must be signed in to change notification settings - Fork 129
Values
helm-secrets natively support all values that are support by helm, including downloader plugins.
When curl or wget is available, helm-secrets is able to fetch value files from various remote locations.
helm template -f secrets://https://raw.githubusercontent.com/jkroepke/helm-secrets/main/examples/sops/secrets.yamlWhile helm does not support any authentication mechanism, helm-secret does support at least basic auth.
helm template -f secrets://https://user:password@raw.githubusercontent.com/jkroepke/helm-secrets/main/examples/sops/secrets.yamlAdditionally, the authentication details can be provided by environment variables or from a file system using the .netrc standard this is useful inside CD systems.
Note: is feature is turned off by default and requires the environment variables HELM_SECRETS_URL_VARIABLE_EXPANSION=true.
# can be also defined via kubernetes PodSpec or CI secrets
export HELM_SECRETS_URL_VARIABLE_EXPANSION=true
export GH_TOKEN=ghp_xxxxxx
helm template -f secrets://https://${GH_TOKEN}@raw.githubusercontent.com/jkroepke/helm-secrets/main/examples/sops/secrets.yamlTo enable this feature, an environment NETRC needs to defined which holds the path to the .netrc file. This is required
even the standard location ~/.netrc is used. The .netrc file can hold multiple credentials for different hostnames.
The wget command on alpine linux does not support .netrc and curl is required and automatically preferred over wget.
Example .netrc file:
# cat .netrc
machine raw.githubusercontent.com
login ghp_xxxxxx
password
Then run
export NETRC="${PWD}/.netrc" # needs to be defined
helm template -f secrets://https://raw.githubusercontent.com/jkroepke/helm-secrets/main/examples/sops/secrets.yamlhelm-secrets support helm-git. With this combination, you can fetch secret from other git repositories.
helm template -f secrets://git+https://<provider.com>/<path/to/repo>[@path/to/charts][?[ref=git-ref][&sparse=0][&depupdate=0][&package=0]]Other plugins like helm-s3, helm-gcs are supported as well.
helm-secrets support pass secrets' trough --set or --set-file.
Examples
helm secrets -b vals template bitnami/mysql --name-template mysql \
--set auth.rootPassword=ref+vault://secret/mysql#/rootPasswordhelm secrets template bitnami/mysql --name-template mysql \
--set-file auth.rootPassword=secret.yamlor through downloader syntax (--set-file only);
helm template bitnami/mysql --name-template mysql \
--set-file auth.rootPassword=secrets://secret.yamlIf HELM_SECRETS_IGNORE_MISSING_VALUES=true is set, helm-secrets ignore all not found errors. This mimics ArgoCD's ignoreMissingValueFile setting.
Alternatively, if a value file beginnings with a question mark, all not found errors related to that values file only are ignored.
Example:
helm upgrade -i release . -f secrets://?dev/file-not-found.yamlThis wiki is synced with the docs folder from the code repository! To improve the wiki, create a pull request against the code repository with the suggested changes.