Helm-Vault stores private data from YAML files in Hashicorp Vault. Helm-Vault should be used if you want to publicize your YAML configuration files, without worrying about leaking secret information.
- Helm-Vault
- About the Project
- Project Status
- Getting Started
- Release Process
- How to Get Help
- Contributing
- Further Reading
- License
- Authors
- Acknowledgments
Helm-Vault supports the following features:
- Encrypt YAML files
- Decrypt YAML files
- View decrypted YAML files
- Edit decrypted YAML files
- Clean up decrypted YAML files
- Helm Wrapper, automatically decrypts and cleans up during helm commands
- Install
- Upgrade
- Template
- Lint
- Diff
Helm-Vault was created to provide a better way to manage secrets for Helm, with the ability to take existing public Helm Charts, and with minimal modification, provide a way to have production data that is not stored in a public location.
$ helm vault enc values.yaml
Input a value for /mariadb/db/password:
Input a value for /nextcloud/password:
Build Status:
Helm-Vault is in a production state. It should work across platforms, and should be able to handle most YAML thrown at it.
To get started with Helm-Vault, follow these steps:
-
Clone the repository to your machine
-
Install the requirements
pip3 install -r requirements.txt -
Test it out! This will test out encrypting an example YAML file
./src/vault.py enc ./tests/test.yaml
- Python 3.7+
- pip3
- Working Hashicorp Vault environment
- Hashicorp Vault token
- Environment Variables for Vault
- VAULT_ADDR: The HTTP Address of Vault
- VAULT_TOKEN: The token for accessing Vault
This project is hosted on GitHub. You can clone this project directly using this command:
git clone git@github.com:Justin-Tech/helm-vault.git
Helm-Vault has built-in unit tests using pytest, you can run them with the command below:
pip3 install -r ./tests/requirements.txt
python3 -m pytest
Unittesting and integration testing is automatically run on Gitlab per commit.
Additionally, code quality checking is handled by LGTM.com
Both of these checks must pass before PRs will be merged.
pip3 install git+https://github.com/Just-Insane/helm-vault
helm plugin install https://github.com/Just-Insane/helm-vault
$ helm vault --help
usage: vault.py [-h] {enc,dec,clean,view,edit} ...
Store secrets from Helm in Vault
Requirements:
Environment Variables:
VAULT_ADDR: (The HTTP address of Vault, for example, http://localhost:8200)
VAULT_TOKEN: (The token used to authenticate with Vault)
positional arguments:
{enc,dec,clean,view,edit}
enc Parse a YAML file and store user entered data in Vault
dec Parse a YAML file and retrieve values from Vault
clean Remove decrypted files (in the current directory)
view View decrypted YAML file
edit Edit decrypted YAML file. DOES NOT CLEAN UP AUTOMATICALLY.
optional arguments:
-h, --help show this help message and exit
Any YAML file can be transparently "encrypted" as long as it has a deliminator for secret values.
Decrypted files have the suffix ".yaml.dec" by default
enc Encrypt file
dec Decrypt file
view Print decrypted file
edit Edit file (decrypt before, manual cleanup)
clean Delete *.yaml.dec files in directory (recursively)
Each of these commands have their own help, referenced by helm vault {enc,dec,clean,view,edit} --help.
The encrypt operation encrypts a values.yaml file and saves the encrypted values in Vault:
$ helm vault enc values.yaml
Input a value for /nextcloud/password: asdf1
Input a value for /mariadb/db/password: asdf2
If you don't want to enter the secrets manually on stdin, you can pass a file containing the secrets. Copy values.yaml to values.yaml.dec and edit the file, replacing "changeme" (the deliminator) with the secret value. Then you can save the secret to vault by running:
$ helm vault enc values.yaml -s values.yaml.dec
By default the name of the secret file has to end in .yaml.dec so you can add this extension to gitignore to prevent committing a secret to your git repo.
The decrypt operation decrypts a values.yaml file and saves the decrypted result in values.yaml.dec:
$ helm vault dec values.yaml
The values.yaml.dec file:
...
nextcloud:
host: nextcloud.example.com
username: admin
password: asdf1
...
mariadb:
parameters
enabled: true
db:
name: nextcloud
user: nextcloud
password: asdf2
...
The view operation decrypts values.yaml and prints it to stdout:
$ helm vault view values.yaml
The edit operation will decrypt the values.yaml file and open it in an editor.
$ helm vault edit values.yaml
This will read a value from $EDITOR, or be specified with the -e, --editor option, or will choose a default of vi for Linux/MacOS, and notepad for Windows.
Note: This will save a .dec file that is not automatically cleaned up.
The operation will delete all decrypted files in a directory:
$ helm vault clean
The operation wraps the default helm install command, automatically decrypting the -f values.yaml file and then cleaning up afterwards.
$ helm vault install stable/nextcloud --name nextcloud --namespace nextcloud -f values.yaml
Specifically, this command will do the following:
- Run
helm installwith the following options: stable/nextcloud- the chart to install--name nextcloud- the Helm release name will benextcloud--namespace nextcloud- Nextcloud will run in the nextcloud namespace on Kubernetes-f values.yaml- the (encrypted) values file to use
The operation wraps the default helm template command, automatically decrypting the -f values.yaml file and then cleaning up afterwards.
$ helm vault template ./nextcloud --name nextcloud --namespace nextcloud -f values.yaml
- Run
helm templatewith the following options: ./nextcloud- the chart to template--name nextcloud- the Helm release name will benextcloud--namespace nextcloud- Nextcloud will run in the nextcloud namespace on Kubernetes-f values.yaml- the (encrypted) values file to use
The operation wraps the default helm upgrade command, automatically decrypting the -f values.yaml file and then cleaning up afterwards.
$ helm vault upgrade nextcloud stable/nextcloud -f values.yaml
- Run
helm upgradewith the following options: nextcloud- the Helm release namestable/nextcloud- the chart path-f values.yaml- the (encrypted) values file to use
The operation wraps the default helm lint command, automatically decrypting the -f values.yaml file and then cleaning up afterwards.
$ helm vault lint nextcloud -f values.yaml
- Run
helm upgradewith the following options: nextcloud- the Helm release name-f values.yaml- the (encrypted) values file to use
The operation wraps the helm diff command (diff is another Helm plugin), automatically decrypting the -f values.yaml file and then cleaning up afterwards.
$ helm vault diff upgrade nextcloud stable/nextcloud -f values.yaml
- Run
helm diff upgradewith the following options: nextcloud- the Helm release namestable/nextcloud- the Helm chart-f values.yaml- the (encrypted) values file to use
Releases are made for new features, and bugfixes.
To get a new release, run the following:
helm plugin upgrade vault
This project uses Semantic Versioning. For a list of available versions, see the repository tag list.
If you need help or have questions, please open an issue with the question label.
We encourage public contributions! Please review CONTRIBUTING.md for details on our code of conduct and development process.
Copyright (c) 2019 Justin Gauthier
This project is licensed under GPLv3 - see LICENSE.md file for details.
The idea for this project comes from Helm-Secrets
Special thanks to the Python Discord server.