
Installing Helm Secrets

Some things are secret, and storing them as plain text in your helm chart is a bad idea. This is where helm secrets comes in handy. It is a helm plugin that uses the Mozilla SOPS tool to manage secrets.

Install

Assuming helm is already installed, the plugin can be installed with helm plugin:

helm plugin install https://github.com/jkroepke/helm-secrets --version v4.4.2

Generate

Helm secrets supports many encryption methods. Here I am using PGP.

First I generated a key pair:

gpg --gen-key

The generated keys can be listed with:

gpg --list-keys

Create a .sops.yaml file and insert the public key fingerprint:

creation_rules:
  - pgp: '<your-key-fingerprint>'

Now you can encrypt a file with:

helm secrets enc <filename>

Other useful commands are:

edit:

helm secrets edit <filename>

view:

helm secrets view <filename>

decrypt:

helm secrets dec <filename>
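
Before committing an encrypted file, it is worth confirming that no value in it is still plaintext, for instance after a hand edit made without helm secrets edit. The script below is an added example, not part of the original article or of helm-secrets; the function names are hypothetical, the sample files are constructed, and it assumes every value is meant to be encrypted (no encrypted_regex or unencrypted_suffix rule in .sops.yaml).

```shell
# Added example: verify a values file really is SOPS-encrypted before commit.
# Assumes SOPS YAML output: secret scalars become ENC[AES256_GCM,...] and a
# top-level "sops:" block holds the metadata, including an encrypted "mac:".

# Print each scalar outside the sops: block that is still plaintext.
plaintext_leaves() {
    awk '
        /^sops:[ \t]*$/ { meta = 1; next }       # metadata block begins
        /^[^ \t#]/      { meta = 0 }             # another top-level key ends it
        meta || /^[ \t]*#/ { next }              # skip metadata and comments
        {
            v = $0
            sub(/^[ \t]*/, "", v)
            item = sub(/^-[ \t]+/, "", v)        # list entry: "- value"
            if (v ~ /^[^:]+:[ \t]*$/) next       # key that only opens a nested map
            if (v ~ /^[^:]+:[ \t]+/) sub(/^[^:]+:[ \t]+/, "", v)
            else if (!item) next                 # blank line, "---", bare text
            if (v !~ /^ENC\[AES256_GCM,/) print FILENAME ":" FNR ": " $0
        }
    ' "$1"
}

# Succeed only if SOPS metadata is present and no plaintext scalar remains.
is_sops_encrypted() {
    grep -Eq '^sops:[[:space:]]*$' "$1" || return 1
    grep -Eq '^[[:space:]]+mac: ENC\[AES256_GCM,' "$1" || return 1
    [ -z "$(plaintext_leaves "$1")" ]
}

# Constructed samples (shortened placeholders, not real ciphertext).
write_samples() {
    cat > "$1/good.yaml" <<'EOF'
db:
    password: ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]
sops:
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
    version: 3.7.3
EOF
    cat > "$1/leaky.yaml" <<'EOF'
db:
    password: ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]
    user: admin
sops:
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
is_sops_encrypted "$tmp/good.yaml" && echo "good.yaml: encrypted"
is_sops_encrypted "$tmp/leaky.yaml" || plaintext_leaves "$tmp/leaky.yaml"
```

This is a text-level check only: it does not verify the MAC or decrypt anything, so it catches forgotten or partial encryption, not tampering.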

Troubleshooting

GPG timeout

When using gpg --gen-key:

gpg: agent_genkey failed: Timeout
Key generation failed: Timeout

This may be due to the system not having enough entropy. You could try moving the cursor, typing on the keyboard, or generating lots of hard drive I/O.

helm secrets edit error

When using helm secrets edit:

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
Error: plugin "secrets" exited with error

Try resetting the terminal and setting GPG_TTY so that gpg-agent asks for the password again:

reset
GPG_TTY=$(tty)
export GPG_TTY

ref: https://github.com/zendesk/helm-secrets/issues/21
