zendesk / helm-secrets

DEPRECATED: A helm plugin that helps manage secrets with a Git workflow and store them anywhere
Apache License 2.0
1.16k stars, 155 forks

Add support for HashiCorp Vault #110

Open Just-Insane opened 5 years ago

Just-Insane commented 5 years ago

I am working on adding support for HashiCorp Vault into helm-secrets.

Main issues I have right now are that I have had to re-write the yaml parsing logic from SOPS in bash, as well as extend the encrypt/decrypt/edit options, since I am not using SOPS.

So far I have the encryption option mostly working and I can upload user-inputted variables to Vault, and I am working on the decryption option.

Current issues include issues with sanitizing user input for special characters, and some hard coded values used to parse the given values.yaml file for what to store in Vault.

I plan on uploading some work in progress code later tonight.

Just-Insane commented 5 years ago

Preamble

I have added basic support for HashiCorp Vault with this commit https://github.com/Just-Insane/helm-secrets/commit/bbd02c1403bed8c4d5426e09a938b232ab2d2c14.

Features

Implemented Features

Unimplemented Features

Untested Features

Unplanned Features

Documentation

Prerequisites

Workflow

  1. Modify your values.yaml files to change your secret values to 'changeme'
  2. Run helm secrets enc values.yaml
    1. You will be prompted to enter secret values for each 'changeme' found
    2. The entered secret values will be written to Vault
    3. You will be presented with the path where the secrets are stored
  3. Run helm secrets dec values.yaml
    1. You will be presented with the found secret values from Vault
    2. These secret values will automatically be substituted into values.yaml and stored at values.yaml.dec
  4. Run `helm secrets install --name [name] -f values.yaml.dec stable/[chart]`
    1. Helm will install your chart with the secrets stored in values.yaml.dec
  5. Clean up by running rm values.yaml.dec

Misc.

Support/Questions

If you have any questions or run into issues, open an issue at Just-Insane/helm-secrets or futuresimple/helm-secrets and @Just-Insane

Feature Requests

If you would like to suggest a new feature, open an issue at Just-Insane/helm-secrets or futuresimple/helm-secrets and @Just-Insane

Just-Insane commented 5 years ago

I ran into some issues with the function that pulls the values from Vault and puts them back into the "decrypted" file.

It is possible I could go through each key as it's found and perform the enc/dec operations per instance (see dict_walker() in Helm-Vault).

If anyone has a better thought on how to get the values from Vault into the decrypted file, I am all ears.

Due to this issue, I have been working on Helm-Vault, which has been re-written in Python with a proper YAML parser. So far this project has matched all of the features except those that use the Helm Wrapper function (install, upgrade, lint, diff), however this is in progress.
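As an added example (not helm-secrets or Helm-Vault code) of the per-key walk the comment above describes and the 'changeme' substitution from the workflow in the earlier comment: it assumes values.yaml has already been loaded with a YAML parser such as PyYAML's yaml.safe_load, and uses a plain dict in place of a Vault read.

```python
# Added example, not helm-secrets or Helm-Vault code. Walks a values.yaml
# already parsed into dicts/lists (assumed: PyYAML's yaml.safe_load), records
# the path of each 'changeme' placeholder and fills it from a store keyed by path.
import copy

PLACEHOLDER = "changeme"


def dict_walker(node, path=()):
    """Yield (path_tuple, value) for every scalar in nested dicts and lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from dict_walker(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from dict_walker(value, path + (index,))
    else:
        yield path, node


def dotted(path):  # ('db', 'password') -> 'db.password'; list index -> '[0]'
    out = ""
    for part in path:
        out += f"[{part}]" if isinstance(part, int) else (f".{part}" if out else part)
    return out


def find_placeholders(doc):
    """Dotted paths of every value still equal to the 'changeme' marker."""
    return [dotted(p) for p, v in dict_walker(doc) if v == PLACEHOLDER]


def substitute(doc, secret_store):
    """Copy of doc with placeholders replaced; KeyError if a secret is missing,
    so the literal 'changeme' can never be written to values.yaml.dec."""
    out = copy.deepcopy(doc)
    for path, value in list(dict_walker(out)):
        if value != PLACEHOLDER:
            continue
        if dotted(path) not in secret_store:
            raise KeyError(f"no secret stored for {dotted(path)}")
        parent = out
        for part in path[:-1]:
            parent = parent[part]
        parent[path[-1]] = secret_store[dotted(path)]
    return out


VALUES = {"image": {"tag": "1.2.3"}, "db": {"password": "changeme"},  # constructed
          "apiKeys": [{"name": "stripe", "key": "changeme"}]}         # sample input
VAULT = {"db.password": "s3cr3t", "apiKeys[0].key": "sk_live_example"}  # stand-in for Vault
```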