Helm Sops is a Helm wrapper which decrypts Sops encrypted value files before invoking Helm. It does so by using named pipes to pass cleartext value files to Helm in order to avoid secrets being written to disk in clear.
Helm is needed for Helm Sops to work. Follow the instructions here to install it.
Helm Sops released binaries can be downloaded from GitHub.
Helm Sops can be built using the go build
command.
Deploy Helm Sops executable (helm-sops
) in a directory present in the PATH. When invoking Helm Sops, it will look for a Helm executable named helm
in the PATH.
Alternatively, Helm Sops executable can be renamed helm
before deploying it. When invoked as helm
, Helm Sops will look for a Helm executable named _helm
in the PATH.
Create encrypted value files using Sops
To pass these encrypted value files to Helm, just invoke Helm Sops with the same arguments which would be used for the Helm invocation (for example
helm-sops template . --values secrets.yaml --values secrets-production.yaml
or
helm template . --values secrets.yaml --values secrets-production.yaml
depending on how Helm Sops was deployed).
An example application as well as an example Argo CD setup to deploy it can be found here.
The following script (sops-git-diff-helper
) can be placed in the PATH to be used as a Git diff helper for Sops encrypted value files:
#! /bin/sh
if [ $# -ne 1 ]
then
exit 1
fi
if [ -n "${SOPS_ENCRYPTED_DIFF}" ]
then
cat "$1"
else
sops -d "$1" 2>&1 || cat "$1"
fi
To enable it, run git config --global diff.sops.textconv sops-git-diff-helper
and add the following lines to the .gitattributes
file in your Git repository:
*.yaml diff=sops
In order to run test, the dev sops pgp key should be imported first, as explained here.