Add support for helm-secrets helm plugin
Is your feature request related to a problem? Please describe.

Helm deployments (introduced in #15882) often need secrets. Those secrets should not be stored unencrypted in SCM systems like git.

Describe the solution you'd like

I use the helm-secrets (https://github.com/jkroepke/helm-secrets) helm plugin to manage this for me.

Important implementation notes:
- pass values files with secrets://path to trigger it
- secrets get pulled from vault
- make sure the pants cache won't inadvertently reveal the secrets from vault
I use the vault backend for this, but it looks like that is about to be deprecated in favor of vals: https://github.com/jkroepke/helm-secrets/pull/246. I'll have to look into what that means later.

Describe alternatives you've considered

I guess some people might use a post processor of some kind. But helm-secrets is the de facto standard.

Additional context

@alonsodomin asked me to file this based on my comment:
https://github.com/pantsbuild/pants/pull/15882#pullrequestreview-1062356484
https://github.com/pantsbuild/pants/pull/15882#issuecomment-1206775764