Some things are secret, and storing them as plain text in your Helm chart is a bad idea. This is where helm secrets comes in handy. It is a Helm plugin that uses the Mozilla SOPS tool to manage secrets.
Install
Presuming helm is already installed, the plugin can be installed with helm plugin:
helm plugin install https://github.com/jkroepke/helm-secrets --version v4.4.2
Generate
Helm secrets supports many encryption methods; here I am using PGP.
First I generated a key pair:
gpg --gen-key
The generated keys can be checked with:
gpg --list-keys
Create a .sops.yaml file and insert the public key fingerprint:
creation_rules:
- pgp: '<your-key-fingerprint>'
Now you can encrypt a file with:
helm secrets enc <filename>
Other useful commands are:
edit:
helm secrets edit <filename>
view:
helm secrets view <filename>
decrypt:
helm secrets dec <filename>
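A pre-commit style check that a values file really was encrypted by SOPS, as an added example that is not part of the original post or of helm-secrets. It relies on the layout SOPS writes (a top-level sops: metadata block and ENC[...] values); the function names and sample files are constructed for illustration, and the parsing is a heuristic for simple key: value YAML only.

```shell
#!/bin/sh
# Added example, not part of helm-secrets or SOPS. Heuristic only: it reads
# simple "key: value" YAML and does not replace a real YAML parser.
# is_sops_encrypted FILE: exit status 0 if FILE has a top-level "sops:"
# metadata block and every scalar outside it is an ENC[...] envelope.
is_sops_encrypted() {
  grep -q '^sops:' "$1" || return 1
  awk '
    /^sops:/          { meta = 1; next }  # SOPS metadata block begins
    meta && /^[^ \t]/ { meta = 0 }        # next top-level key ends it
    meta              { next }
    /^[ \t]*#/        { next }            # comment
    /^[ \t]*$/        { next }            # blank line
    /^---/            { next }            # document marker
    {
      v = $0
      sub(/^[ \t]*(-[ \t]+)?/, "", v)     # strip indent and list dash
      if (v ~ /^[^:]*:[ \t]*$/) next      # key that only opens a mapping
      sub(/^[^:]*:[ \t]+/, "", v)         # strip "key: "
      if (v !~ /^ENC\[/) { bad = 1; exit }
    }
    END { exit bad + 0 }
  ' "$1"
}

# write_samples DIR: constructed sample files (all values are fake).
write_samples() {
  cat > "$1/plain.yaml" <<'EOF'
db:
  user: app
  password: not-a-real-password
EOF
  cat > "$1/encrypted.yaml" <<'EOF'
db:
  user: ENC[AES256_GCM,data:Y29uc3RydWN0ZWQ=,iv:AAAA,tag:BBBB,type:str]
  password: ENC[AES256_GCM,data:c2FtcGxl,iv:CCCC,tag:DDDD,type:str]
sops:
  pgp:
    - fp: 0000000000000000000000000000000000000000
EOF
  # Half-encrypted: metadata present but one value left in clear text.
  sed 's/^  user: .*/  user: app/' "$1/encrypted.yaml" > "$1/partial.yaml"
}

dir=$(mktemp -d) && write_samples "$dir"
for f in plain encrypted partial; do
  if is_sops_encrypted "$dir/$f.yaml"; then echo "$f: encrypted"; else echo "$f: PLAINTEXT VALUES"; fi
done
rm -rf "$dir"
```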
Troubleshooting
GPG timeout
When using gpg --gen-key:
gpg: agent_genkey failed: Timeout
Key generation failed: Timeout
It may be due to the system not having enough entropy. You could try moving the cursor, typing on the keyboard or generating lots of hard drive I/O.
helm secrets edit error
When using helm secrets edit:
Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
Error: plugin "secrets" exited with error
Try resetting the terminal and making gpg-agent ask for the password again:
reset
GPG_TTY=$(tty)
export GPG_TTY
ref: https://github.com/zendesk/helm-secrets/issues/21