mumoshu
commented
4 years ago @cdunford I think the only possible way would be to split the secrets file into two, one with the key that only admins have access to, and another with the key everyone has access to.
Not sure if this works with helm-secrets, but I remember that sops - the tool used by helm-secrets under the hood to enc/dec secrets - had the ability to use a dedicated key for each encrypted secrets file. So hopefully it just work.
Another way would be to enhance vals. It's the secrets manager embedded in Helmfile to turn any yaml values formatted like ref+<provider name>://id/of/the/secret/you/want/to/load into actual secrets values.
This way, you don't need to re-encrypt the secrets file to add/remove a single secret.
It doesn't support Azure KeyVault or a kind of secrets manager in Azure yet https://github.com/variantdev/vals#suported-backends so hopefully you could submit a pull request OR help me to implement/test the Azure provider for vals to support your usecase.
cdunford
I have a use case where it would be ideal if there was some way to add new secrets to an existing secrets file that is encrypted. I know this is possible by decrypting the file then adding and then re-encrypting, but I am using Azure Keyvault and many folks who may need to have access to add new secret values will not have access to use the key in the vault to decrypt, so they cannot decrypt and re-encrypt all of the secrets.
Is this somehow possible today?