helm-secrets
helm secrets not decrypting chart/files/config-enc.json
### Current Behavior
When I set up my .sops.yaml to encrypt the file config-dev-sensitive.json, I can verify it using `sops config-dev-sensitive.json` to view the encrypted fields.
This file is imported into a k8s Secret with `.Files.Get`; when viewed in k8s, the fields are still sops-encrypted.
### Expected Behavior
I was expecting that running `helm secrets` on the chart would decrypt files/config-enc.json and that this would then be imported into the k8s Secret and deployed to
### Steps To Reproduce
1. helm secrets deployment of a JSON file with sops-encrypted fields:
   `chart/files/config/config-dev-sensitive.json`
2. With template/secret.yaml:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Release.Name }}-secret
data:
  config_sensitive.json: |-
    {{- $fn := printf "%s-%s-%s" "files/config/config" .Values.env "sensitive.json" -}}
    {{- tpl (.Files.Get $fn ) . | b64enc | required "Missing file {{ $fn }}" | nindent 4}}
```
3. In k8s the secret `{{ .Release.Name }}-secret` is still sops-encrypted.
### Environment
- Helm Version:
```
helm version
version.BuildInfo{Version:"v3.9.2", GitCommit:"1addefbfe665c350f4daf868a9adc5600cc064fd", GitTreeState:"clean", GoVersion:"go1.18.4"}
```
- Helm Secrets Version:
```
helm plugin list
NAME     VERSION  DESCRIPTION
secrets  3.12.0   This plugin provides secrets values encryption for Helm charts secure storing
```
- OS: mac
- Shell: zsh
### Anything else?
_No response_
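A check a chart author can run over `helm template` output to catch exactly the situation in this report: a Secret whose base64-decoded data is still sops ciphertext rather than the decrypted config. This is an added example, not code from the issue or from helm-secrets; it needs neither helm nor sops, because it renders a constructed manifest inline in the same shape the report's template produces. The markers it looks for, the `ENC[AES256_GCM,` value envelopes and the top-level `sops` metadata key, are what sops writes into an encrypted JSON file; the payloads inside them here are placeholders.

```python
import base64
import json
import re

# Markers sops leaves in an encrypted file: per-value ciphertext envelopes and the
# top-level "sops" metadata object. If these survive into a rendered Secret, the
# chart shipped ciphertext instead of the decrypted config.
SOPS_MARKERS = (re.compile(r"ENC\[AES256_GCM,"), re.compile(r'"sops"\s*:'))

# Constructed sample inputs (not from the issue): an encrypted-looking JSON file
# and its plaintext counterpart. The ENC[...] fields carry placeholder payloads.
SOPS_ENCRYPTED_JSON = json.dumps({
    "db_password": "ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]",
    "sops": {"version": "3.7.3", "mac": "ENC[AES256_GCM,data:PLACEHOLDER,type:str]"},
})
PLAINTEXT_JSON = json.dumps({"db_password": "example-only"})


def render_secret(name, payload):
    """Emit what the report's template/secret.yaml renders to: the payload
    base64-encoded under data:, as a block scalar like `b64enc | nindent 4`."""
    b64 = base64.b64encode(payload.encode()).decode()
    chunks = [b64[i:i + 76] for i in range(0, len(b64), 76)]
    return "\n".join([
        "apiVersion: v1",
        "kind: Secret",
        "metadata:",
        f"  name: {name}",
        "data:",
        "  config_sensitive.json: |-",
        *("    " + c for c in chunks),
    ])


def parse_secrets(manifest):
    """Return [(secret_name, {key: decoded_bytes})] for every Secret document.

    Deliberately small line-based parser for the flat layout helm renders:
    top-level keys at indent 0, `data:` entries at indent 2 either inline or as
    a `|` / `|-` block scalar whose lines are indented further.
    """
    secrets = []
    for doc in manifest.split("\n---"):
        lines = doc.splitlines()
        if not any(line.strip() == "kind: Secret" for line in lines):
            continue
        name, data, section = "<unnamed>", {}, None
        i = 0
        while i < len(lines):
            line = lines[i]
            stripped = line.strip()
            indent = len(line) - len(line.lstrip())
            if not stripped or stripped.startswith("#"):
                pass
            elif indent == 0:
                section = stripped[:-1] if stripped.endswith(":") else None
            elif section == "metadata" and stripped.startswith("name:"):
                name = stripped.split(":", 1)[1].strip()
            elif section == "data" and indent == 2 and ":" in stripped:
                key, value = (part.strip() for part in stripped.split(":", 1))
                if value in ("|", "|-"):
                    parts = []
                    while i + 1 < len(lines) and len(lines[i + 1]) - len(lines[i + 1].lstrip()) > 2:
                        i += 1
                        parts.append(lines[i].strip())
                    value = "".join(parts)
                # validate=True: a non-base64 value under data: is itself a deploy error
                data[key] = base64.b64decode(value.strip('"'), validate=True)
            i += 1
        secrets.append((name, data))
    return secrets


def find_undecrypted(manifest):
    """Return (secret_name, key) for each data entry whose decoded content still
    carries sops ciphertext markers."""
    findings = []
    for name, data in parse_secrets(manifest):
        for key, raw in data.items():
            text = raw.decode("utf-8", errors="replace")
            if any(marker.search(text) for marker in SOPS_MARKERS):
                findings.append((name, key))
    return findings


if __name__ == "__main__":
    for label, payload in (("encrypted", SOPS_ENCRYPTED_JSON), ("plaintext", PLAINTEXT_JSON)):
        hits = find_undecrypted(render_secret("app-secret", payload))
        print(f"{label}: {'STILL ENCRYPTED ' + str(hits) if hits else 'ok'}")
```

In a real pipeline the manifest would come from `helm secrets template ...` instead of `render_secret`, and a non-empty result from `find_undecrypted` is the signal that the chart is about to deploy ciphertext, which is what the report describes.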
This is expected. Currently only value files are supported.
Move the content from config-dev-sensitive.json into a values file.
Hi @diepes,
Before getting deeper into #250, I would like to ask you if `--set-file` is also an option here.
For example, change the secret.yaml to
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Release.Name }}-secret
data:
  config_sensitive.json: |-
    {{- tpl (.Files.Get $Values.config ) . | b64enc | required "Missing config" | nindent 4}}
```
and run `helm install release . --set-file=config=files/config/config-dev-sensitive.json`.
Helm secrets currently does not support `--set-file`, but since this is a native helm feature, I could think about integrating it.
Hi @jkroepke, I'm not sure I understand your example; the helm documentation (https://helm.sh/docs/helm/helm_install/) says:
> You can use '--set-file' to set individual values from a file when the value itself is too long for the command line or is dynamically generated.
So the assigned variable, in your case `config`, will be populated with the content of the file pointed to by the `--set-file` argument, right?
So you wouldn't `.Files.Get $Values.config`, because `$Values.config` is the content of the file, not its name; or am I missing something?
In any case, electing arguments of `--set-file` as well as `-f` to be processed by helm-secrets seems a very good option.
Fully correct. Copy-paste issue.
Here is the correct example:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Release.Name }}-secret
data:
  config_sensitive.json: |-
    {{- /* .Values.config already holds the file content supplied via --set-file */ -}}
    {{- tpl .Values.config . | b64enc | required "Missing config" | nindent 4 }}
```
So I would prefer to support the `--set-file` option here over a helm-secrets specific solution.
I hope @diepes's problem could be solved this way.
Yes thanks, I think `--set-file` will work great, will give it a try.
Hello. This feature would indeed be very useful. One requirement would be to be compatible with the `--helm-set-file` of argocd (see https://github.com/argoproj/argo-cd/pull/2752).
Another option would be to allow inline usage of the decryption within a values file, with the same syntax as in the app resource. Example:
```yaml
config:
  credentials_json_path: secrets+gpg-import:///helm-secrets-private-keys/key.asc?credentials.json
```
so that it could be used in a secret where you would have
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "app.fullname" . }}-secret
  namespace: {{ .Release.Namespace }}
  labels:
    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
    release: {{ .Release.Name }}
data:
  {{- /* default applies to the path (not the file content), and data: needs base64 */ -}}
  credentials.json: {{ required "A valid .Values.config.credentials_json_path entry required!" (tpl (.Files.Get (.Values.config.credentials_json_path | default "files/credentials.default.json")) . | b64enc | quote) }}
```
@emmanuelmathot Check https://github.com/jkroepke/helm-secrets/wiki/ArgoCD-Integration
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app
spec:
  source:
    helm:
      # fileParameters (--set-file) are supported, too.
      fileParameters:
        - name: config.credentials_json_path
          path: secrets+gpg-import:///helm-secrets-private-keys/key.asc?credentials.json
```