Helm Secrets: Securing Kubernetes Secrets at GitHub Level

MouliVeera
2 min read · Mar 5, 2024

Helm secrets provide a way to store encrypted secrets within Helm charts. This guide will walk you through the process of setting up and using Helm secrets effectively.

Helm Secrets not only encrypts secret values inside Helm charts but also keeps those Kubernetes secrets encrypted in the Git repository itself (on GitHub, for example). This adds an extra layer of security to your deployment pipelines: the plaintext never lands in your source code repository, only SOPS ciphertext does.

Keep your Kubernetes secrets secure in Git

Prerequisites

Before getting started, ensure you have the following prerequisites installed:

  • Helm — The package manager for Kubernetes.
  • The helm-secrets plugin — provides the `helm secrets` subcommand used throughout this guide.
  • SOPS (Secrets OPerationS) — used to encrypt and decrypt the secret files. You can install it via Homebrew on macOS or with the package manager of other operating systems.

Installing SOPS

brew install sops

For non-macOS users, please refer to the official GitHub repository of SOPS for installation instructions.

Configuring SOPS

After installing SOPS, configure it to use PGP keys for encryption. First, you’ll need to install GnuPG:

brew install gnupg

For Linux users, you can use your distribution’s package manager, such as apt-get:

sudo apt-get install gnupg

Generating a GPG Key

Generate a GPG key by executing the following commands:

export KEY_NAME="Demo"
export KEY_COMMENT="Test key for Helm secrets testing"
gpg --batch --full-generate-key <<EOF
%no-protection
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Expire-Date: 0
Name-Comment: ${KEY_COMMENT}
Name-Real: ${KEY_NAME}
EOF

List the generated GPG keys to get the key ID:

gpg --list-keys

[keyboxd]
---------
pub rsa4096 2024-03-05 [SCEAR]
C7299E0D6937E316A348B966D154F6DE302E1AE8
uid [ultimate] Demo (Test key for Helm secrets testing)
sub rsa4096 2024-03-05 [SEA]

Note down the key fingerprint (the 40-character hexadecimal line, e.g., C7299E0D6937E316A348B966D154F6DE302E1AE8), as it will be used in the SOPS configuration.

Adding the Key to .sops.yaml

Create a file named .sops.yaml (note the leading dot) in the repository root and add the generated key fingerprint to it as follows:

creation_rules:
  - pgp: >-
      C7299E0D6937E316A348B966D154F6DE302E1AE8
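The step above copies the fingerprint by hand, which is where typos and a wrong key (a subkey fingerprint instead of the primary key) creep in. The following script is an added example, not code from the original post: it reads the machine-readable listing from `gpg --list-keys --with-colons` (where `fpr` records carry the fingerprint in field 10) and renders a correctly indented .sops.yaml. The sample listing is constructed for the post's demo key; its timestamps and subkey fingerprint are placeholders. The optional `path_regex` is a real SOPS creation-rule option that the post does not use; it scopes the rule to the intended secrets files.

```shell
#!/bin/sh
# Added example, not from the original post: build .sops.yaml from the key
# fingerprint instead of copying it by hand. Needs only POSIX sh and awk.
set -eu

# primary_fingerprint  (reads `gpg --list-keys --with-colons` output on stdin)
# In the colon-separated listing, "fpr" records carry the fingerprint in
# field 10, and the first "fpr" after a "pub" record is the primary key's.
primary_fingerprint() {
  awk -F: '
    $1 == "pub"              { after_pub = 1; next }
    $1 == "fpr" && after_pub { print $10; exit }
  '
}

# render_sops_yaml FINGERPRINT [PATH_REGEX]
# Emits a creation rule for one PGP key. The optional PATH_REGEX (a real SOPS
# option, not used in the post) limits the rule to matching file paths, so
# only the intended secrets files are encrypted with this key.
render_sops_yaml() {
  printf 'creation_rules:\n'
  if [ "$#" -ge 2 ]; then
    # Single-quoted YAML scalar: backslashes in the regex are kept literally.
    printf "  - path_regex: '%s'\n    pgp: >-\n      %s\n" "$2" "$1"
  else
    printf '  - pgp: >-\n      %s\n' "$1"
  fi
}

# Constructed sample of `gpg --list-keys --with-colons` for the post's demo
# key; timestamps, the uid hash and the subkey fingerprint are placeholders.
GPG_LISTING='tru::1:1709600000:0:3:1:5
pub:u:4096:1:D154F6DE302E1AE8:1709600000:::u:::scESCA::::::23::0:
fpr:::::::::C7299E0D6937E316A348B966D154F6DE302E1AE8:
uid:u::::1709600000::0000000000000000000000000000000000000000::Demo (Test key for Helm secrets testing)::::::::::0:
sub:u:4096:1:0000000000000000:1709600000::::::esa::::::23:
fpr:::::::::0000000000000000000000000000000000000000:'

# Usage: pipe the real listing in instead of the sample, redirect to .sops.yaml.
fp=$(printf '%s\n' "$GPG_LISTING" | primary_fingerprint)
render_sops_yaml "$fp" 'secrets-values\.yaml$'
```

With a live key, replace the sample with `gpg --list-keys --with-colons | primary_fingerprint` and redirect the output to `.sops.yaml`; the script never touches the private key, it only reads public listing data.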

Encrypting Secrets

To encrypt a secret file (creds.yaml.dec in this example) with Helm secrets, start from a plaintext values file. Test content of creds.yaml.dec:

name: demo
id: demo_id
password: password123

Run the following command to encrypt it:

helm secrets encrypt creds.yaml.dec > creds.yaml

If you open the generated creds.yaml file, you will see that its content is encrypted by SOPS: each value is replaced by an ENC[...] ciphertext and a sops: metadata block is appended. Only this encrypted file should be committed; creds.yaml.dec stays out of Git.
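The whole point of encrypting at the Git level is lost if a plaintext values file, or a file that was hand-edited after encryption, slips into a commit. The following pre-commit style guard is an added example, not code from the original post: `is_sops_encrypted` accepts a file only if it carries a top-level `sops:` metadata block and every `key: value` scalar outside that block is an ENC[...] ciphertext, and `check_values_files` reports each offending file. The three sample files are constructed inline (the ENC payloads are placeholders, not real ciphertext) to stand in for creds.yaml.dec, the encrypted creds.yaml, and a file that was partly edited by hand.

```shell
#!/bin/sh
# Added example, not from the original post: refuse values files that are not
# fully SOPS-encrypted before they reach Git. Needs only POSIX sh, grep, awk.
set -eu

# is_sops_encrypted FILE
# Returns 0 when FILE has a top-level "sops:" metadata block and every
# "key: value" scalar outside that block is a SOPS ENC[...] ciphertext.
is_sops_encrypted() {
  grep -q '^sops:' "$1" || return 1
  awk '
    BEGIN                  { in_sops = 0; plain = 0 }
    /^sops:/               { in_sops = 1; next }   # start of SOPS metadata
    /^[^ \t#]/             { in_sops = 0 }         # any other top-level key
    in_sops || /^[ \t]*#/  { next }                # skip metadata and comments
    /^[ \t]*-?[ \t]*[A-Za-z0-9_.-]+:[ \t]*[^ \t]/ {
      val = $0
      sub(/^[^:]*:[ \t]*/, "", val)                # keep only the value part
      if (val !~ /^"?ENC\[/) plain = 1             # plaintext value found
    }
    END { exit plain }
  ' "$1"
}

# check_values_files FILE...
# Prints a verdict per file; returns 1 if any file is not fully encrypted.
check_values_files() {
  rc=0
  for f in "$@"; do
    if is_sops_encrypted "$f"; then
      echo "ok:        $f"
    else
      echo "PLAINTEXT: $f"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample files (ENC payloads are placeholders, not ciphertext).
demo_dir=$(mktemp -d)
cat > "$demo_dir/creds.yaml.dec" <<'EOF'
name: demo
id: demo_id
password: password123
EOF
cat > "$demo_dir/creds.yaml" <<'EOF'
name: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
id: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
password: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
sops:
    pgp:
        - fp: C7299E0D6937E316A348B966D154F6DE302E1AE8
    version: PLACEHOLDER
EOF
# Hand-edited after encryption: one value slipped in as plaintext.
cat > "$demo_dir/mixed.yaml" <<'EOF'
name: ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]
password: hunter2
sops:
    version: PLACEHOLDER
EOF

# Usage: run over the files staged for commit; a non-zero exit blocks the commit.
check_values_files "$demo_dir/creds.yaml" "$demo_dir/creds.yaml.dec" "$demo_dir/mixed.yaml" || true
```

The check deliberately reads YAML line by line rather than decrypting anything, so it works in a pre-commit hook or CI job that has no access to the PGP private key; that is also why it cannot verify the ciphertext itself, only that nothing readable is left in the file.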

Testing Helm Secrets

Let’s test Helm secrets with a demo Helm chart:

  • Create a new Helm chart named ‘demo’:

helm create demo

  • Create a test secrets values file (the plugin opens it decrypted in your editor and re-encrypts it on save):

helm secrets edit demo/secrets-values.yaml

  • Add the following data. With nameOverride we override the resource name the chart generates by default:

nameOverride: mydemo

  • Run a dry run to validate the Helm secret results:

helm secrets template demo . -f values.yaml -f demo/secrets-values.yaml

This way, you can encrypt sensitive data deployed to Kubernetes using Helm secrets.

MouliVeera

Mouli is a seasoned DevOps Engineer with expertise in designing and optimising CI/CD pipelines, containerisation with Docker and Kubernetes.