Helm Secrets: Securing Kubernetes Secrets at GitHub Level
Helm secrets (a Helm plugin backed by SOPS) provides a way to store encrypted secrets within Helm charts. This guide walks you through setting up and using Helm secrets effectively.
Helm secrets not only encrypts the secret values used by Helm charts but also ensures that the values which become Kubernetes Secrets are committed to the Git repository (for example on GitHub) only in encrypted form. This adds an extra layer of security to your deployment pipelines, safeguarding sensitive information stored in your source code repository.
Prerequisites
Before getting started, ensure you have the following prerequisites installed:
- Helm — The package manager for Kubernetes.
- SOPS — SOPS (Secrets OPerationS) is used for encryption and decryption of secrets. You can install it via Homebrew on macOS or using package managers on other operating systems.
Installing SOPS
brew install sops
For non-macOS users, please refer to the official GitHub repository of SOPS for installation instructions.
Configuring SOPS
After installing SOPS, configure it to use PGP keys for encryption. First, you’ll need to install GnuPG:
brew install gnupg
For Linux users, you can use your distribution’s package manager, such as apt-get:
sudo apt-get install gnupg
Generating a GPG Key
Generate a GPG key by executing the following commands:
export KEY_NAME="Demo"
export KEY_COMMENT="Test key for Helm secrets testing"
gpg --batch --full-generate-key <<EOF
%no-protection
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Expire-Date: 0
Name-Comment: ${KEY_COMMENT}
Name-Real: ${KEY_NAME}
EOF
List the generated GPG keys to get the key ID:
gpg --list-keys
[keyboxd]
---------
pub rsa4096 2024-03-05 [SCEAR]
C7299E0D6937E316A348B966D154F6DE302E1AE8
uid [ultimate] Demo (Test key for Helm secrets testing)
sub rsa4096 2024-03-05 [SEA]
Note down the key fingerprint (the 40-character hex string, e.g., C7299E0D6937E316A348B966D154F6DE302E1AE8), as it will be used in the SOPS configuration.
Adding the Key to .sops.yaml
Create a file named .sops.yaml (SOPS looks for it in the working directory and its parent directories) and add the fingerprint of the generated key to it as follows:
creation_rules:
  - pgp: >-
      C7299E0D6937E316A348B966D154F6DE302E1AE8
Encrypting Secrets
To encrypt a secret file (creds.yaml.dec in this example) using Helm secrets, first create the file with the following test content:
name: demo
id: demo_id
password: password123
Then run the following command to encrypt it:
helm secrets encrypt creds.yaml.dec > creds.yaml
If you open the generated creds.yaml
file, you will see that its content is encrypted by SOPS.
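The point of the encrypt step is that only the encrypted creds.yaml ever reaches the repository, and that is worth enforcing mechanically rather than by eye. The following is an added example, not code from this article, the Helm secrets plugin or SOPS: a POSIX shell check of the kind a Git pre-commit hook or CI job would run, which rejects a secrets file unless every value outside the sops: metadata block is a SOPS ENC[...] ciphertext and the sops: block itself is present. The function names is_sops_encrypted and check_secret_files, the sample files and their PLACEHOLDER payloads are constructed for this example; the fingerprint is the demo key from the guide. It needs only awk, so it works without sops or gpg installed.

```shell
#!/bin/sh
# Added example (not part of the Helm secrets plugin or SOPS): a pre-commit
# style check that refuses a secrets file unless every "key: value" outside
# the top-level sops: metadata block is a SOPS ENC[...] ciphertext and the
# file actually carries that sops: block. Only awk is used.

# is_sops_encrypted FILE -> exit status 0 if FILE looks SOPS-encrypted, 1 otherwise.
is_sops_encrypted() {
    [ -f "$1" ] || return 1
    awk '
        /^sops:/        { in_sops = 1; has_sops = 1; next }  # metadata block starts
        /^[^ \t#]/      { in_sops = 0 }                      # any other top-level key ends it
        in_sops         { next }                             # metadata is not a secret value
        /^[ \t]*(#|$)/  { next }                             # comments and blank lines
        # "key: value" at any depth, optionally as a "- key: value" list item
        /^[ \t]*(- )?[^ \t:#-][^:]*:[ \t]+[^ \t]/ {
            value = $0
            sub(/^[^:]*:[ \t]*/, "", value)
            if (value !~ /^ENC\[AES256_GCM,data:/) plain = 1
        }
        END {
            status = (has_sops && !plain) ? 0 : 1
            exit status
        }
    ' "$1"
}

# check_secret_files FILE... -> one verdict line per file; exit status 1 if any is plaintext.
check_secret_files() {
    rc=0
    for f in "$@"; do
        if is_sops_encrypted "$f"; then
            echo "ok         $f"
        else
            echo "PLAINTEXT  $f"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files for a stand-alone run. The ENC[...] payloads and the
# PGP message are PLACEHOLDER strings, not real ciphertext; the fingerprint is
# the demo key from the guide.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# The plaintext input, exactly as in the guide: must be rejected.
cat > "$DEMO_DIR/creds.yaml.dec" <<'EOF'
name: demo
id: demo_id
password: password123
EOF

# The shape "helm secrets encrypt" produces: must be accepted.
cat > "$DEMO_DIR/creds.yaml" <<'EOF'
name: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
id: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
password: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
sops:
    lastmodified: "2024-03-05T00:00:00Z"
    mac: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
    pgp:
        - fp: C7299E0D6937E316A348B966D154F6DE302E1AE8
          enc: |
            -----BEGIN PGP MESSAGE-----
            PLACEHOLDER
            -----END PGP MESSAGE-----
    unencrypted_suffix: _unencrypted
EOF

# The common failure mode: an encrypted file hand-edited to add a plaintext key.
cat > "$DEMO_DIR/creds.mixed.yaml" <<'EOF'
name: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
# added by hand after encryption, never went through sops
password: password123
sops:
    mac: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
    pgp:
        - fp: C7299E0D6937E316A348B966D154F6DE302E1AE8
EOF

if check_secret_files "$DEMO_DIR/creds.yaml" "$DEMO_DIR/creds.mixed.yaml" "$DEMO_DIR/creds.yaml.dec"; then
    echo "all files encrypted, safe to commit"
else
    echo "plaintext secrets found, refusing to commit"
fi
```

Call check_secret_files from .git/hooks/pre-commit over the staged files that your .sops.yaml creation rule covers, or run it in CI; it fails on both a file that was never encrypted and on a file that mixes ENC[...] values with a key added by hand after encryption.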
Testing Helm Secrets
Let’s test Helm secrets with a demo Helm chart:
- Create a new Helm chart named ‘demo’:
helm create demo
- Create a test secrets values file (helm secrets edit opens the file in your editor and writes it back encrypted with the key from .sops.yaml):
helm secrets edit demo/secrets-values.yaml
- Add the following data:
nameOverride: mydemo
Using nameOverride, we are overriding the values generated by default.
- Run a dry run to validate the Helm secrets results:
helm secrets template demo ./demo -f demo/values.yaml -f demo/secrets-values.yaml
This way, you can encrypt sensitive data deployed to Kubernetes using Helm secrets.