All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
4.4.1 - 2023-03-06
- Exclamation mark in --set argument result into to backend not found error
HELM_SECRETS_LOAD_GPG_KEYS
uses home dir instead tmp dir which results into errors on argocd-repo-server
4.4.0 - 2023-02-18
- Migrations for ArgoCD multi source application limitations
- Error
curl: option --netrc-file=/custom-tools/.netrc: is unknown
, if NETRC environment variable is defined
4.3.0 - 2023-02-18
- Support for evaluating secret references (
--evaluate-templates
;vals
backend) in helm templates (requires helm 3.9.0; vals 0.20+) - Override secret backend per value file
- Restrict secret backend, using
HELM_SECRETS_ALLOWED_BACKENDS
environment variable
- Performance issues with large value files (
vals
backend) - Remote value file download fails when URL contains query strings
4.2.2 - 2022-11-20
- Performance issues with large value files
4.2.1 - 2022-11-14
- fixes detection of SOPS YAML files with Windows line-endings (CR LF)
4.2.0 - 2022-11-08
--ignore-missing-values
(HELM_SECRETS_IGNORE_MISSING_VALUES
). This option allows ignoring errors related to file not found.- if paths or value files beginning with a
?
in beginning, all file not found errors related to that specific value file are ignored. - Support for shell installed via scoop
- Multiple values in a single --set option not correctly passed to helm
cat: can't open '/dev/stdin': No such file or directory
on Windows
4.1.1 - 2022-09-21
- Fix handing of special character
\
from literalvals
values - Remove escape character
\
from literalvals
values, if value contains quotes.
4.1.0 - 2022-09-20
- Support for literal
vals
values like--set
,--set-string
and--set-json
, e.g.--set auth.rootPassword=ref+vault://secret/mysql#/rootPassword
- Support for literal
vals
values through downloader syntaxsecrets+literal://
, e.g.--set-file secrets+literal://ref+vault://secret/mysql#/rootPassword
4.0.0 - 2022-09-11
- Support for decrypting files defined via
--set-file
- Breaking: Rename
helm secrets dec
tohelm secrets decrypt
- Breaking: Rename
helm secrets enc
tohelm secrets encrypt
- Breaking: The
decrypt
andencrypt
command write the results to stdout now. Both commands support-i
flag to en/decrypt file in-line. - Breaking: Secret drivers are renamed to secret backends
- This is breaking custom integrations. All shell functions contains the name
driver
are renamed tobackend
, e.g.:driver_encrypt_file
->backend_encrypt_file
- The CLI Arguments
--driver
,-d
and--driver-args
has been renamed to--backend
,-b
and--backend-args
- The environment variables
HELM_SECRETS_DRIVER
andHELM_SECRETS_DRIVER_ARGS
has been renamed toHELM_SECRETS_BACKEND
andHELM_SECRETS_BACKEND_ARGS
- This is breaking custom integrations. All shell functions contains the name
HELM_SECRETS_DRIVER
environment variable.HELM_SECRETS_BACKEND
is a drop-in replacement.helm secret clean
command.helm secret terraform
command. Thehelm secret decrypt --terraform
command is a drop-in replacement.helm secret view
command. Thehelm secret decrypt
command is a drop-in replacement.vault
driver. Thevals
driver supports vault as backend, too.envsubst
driver. Thevals
driver supports envsubst as backend, too.droppler
driver.sops://
protocol handlersecret://
protocol handler- Parameter
--output-decrypt-file-path
(HELM_SECRETS_OUTPUT_DECRYPTED_FILE_PATH
) that outputs the path of decrypted files only.
3.15.0 - 2022-08-08
- Prefer bash from
Git for Windows
overWSL
shell to avoid WSL interop incompatibilities - Deprecate
vault
driver. Thevals
driver supports vault as backend, too. - Deprecate
envsubst
driver. Thevals
driver supports envsubst as backend, too. - Deprecate
droppler
driver.
- Error with --set arguments, if WSL backend is used.
3.14.1 - 2022-07-27
- Handing of /tmp file in Windows environments. Fixes performance issues in native WSL environments
- Win32 Console error, if gpg.exe does not exists
- Debug output, if
helm --debug
is set.
3.14.0 - 2022-06-06
- Added error handling in case
curl
orwget
is not installed. - Added vals support on Windows
- Enable protocol handling on Windows. Requires the command
helm secrets patch windows
once.
- Check detection of a sops encrypted files
- Prefer gpg4win, if available. Use
SOPS_GPG_EXEC=gpg
as environment variable to restore the old behavior.
- Error, if HELM_SECRETS_WINDOWS_SHELL contains spaces
3.13.0 - 2022-04-12
- Support for WSL on Windows
- Strip newlines on helm secrets terraform command
3.12.0 - 2022-02-03
- Terraform Integration. Can be used together with external data source provider
- Enable parsing of .netrc for http based values. The location of the .netrc can be overridden by
NETRC
environment variable. - Environment variable
HELM_SECRETS_VALUES_ALLOW_SYMLINKS
to allow or deny follow symlinks. - Environment variable
HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH
to allow or deny absolute value file paths. - Environment variable
HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL
to allow or denydot-dot-slash
values file paths.
3.11.0 - 2021-11-25
- Add environment variable expansion for value files like
secrets://https://${GITHUB_TOKEN}@raw.githubusercontent.com/org/repo/ref/pathtofile.yml
. This feature is disabled by default and can be enabled by set the env varHELM_SECRETS_URL_VARIABLE_EXPANSION=true
- Add more strict behavior around the downloader syntax to avoid infinite loops
3.10.0 - 2021-11-05
- Add age support for downloader plugin syntax.
- Improvements to the ArgoCD integration documentation.
3.9.1 - 2021-10-09
- Wrong format on CHANGELOG.md
3.9.0 - 2021-10-09
- A better ArgoCD Integration. helm-secrets can load now gpg keys for you by using the uri
secrets+gpg-import://path/key.asc?path/secrets.yaml
as value file. As alternative, you can usesecrets+gpg-import-kubernetes://
to import a gpg key from an existing kubernetes secret, but it requires the kubectl command. Checkout the [docs/ARGOCD.md](docs/ArgoCD Integration.md) for more information. - vals driver. vals supporting Vault, AWS SSM, GCP, sops, terraform states or other files.
3.8.3 - 2021-08-06
- Allow dot, asterisk and underscore for the vault path
3.8.2 - 2021-07-14
- Decrypt partially encrypted sops files correctly
3.8.1 - 2021-06-12
- OUTPUT_DECRYPTED_FILE_PATH: parameter not set
3.8.0 - 2021-06-12
- New parameter
--output-decrypt-file-path
(HELM_SECRETS_OUTPUT_DECRYPTED_FILE_PATH
) that outputs the path of decrypted files only. HELM_SECRETS_DEC_PREFIX
variable in addition toHELM_SECRETS_DEC_SUFFIX
- New parameter
--version
- cygwin compatibility
HELM_SECRETS_DEC_SUFFIX
has been changed from.yaml.dec
to.dec
. Additionally, while append the suffix, the file extension.yaml
is not stripped anymore.- The detection of encrypted sops files has been changed. Instead, looking for
sops:
andversion:
, the stringunencrypted_suffix
is used now.
3.7.0 - 2021-05-22
- envsubst driver
- Output errors on stderr
3.6.1 - 2021-03-30
mktemp: too few X's in template
error on macOS if gnu coreutils preferred over builtin bsd tools.
3.6.0 - 2021-03-29
- Detect ArgoCD environment by
ARGOCD_APP_NAME
environment variable and setHELM_SECRETS_QUIET=true
by default. (#83)
- The default sops installation is removed, since helm-secrets could be used with hashicorp vault which does not require sops.
- Cleanup all temporary files.
3.5.0 - 2021-02-20
- Added
--driver-args
to pass additional argument to underlying commands (#82)
- "grep: Invalid range end" if locale is not C (#81)
3.4.2 - 2021-02-19
- Dev: Rename
master
branch tomain
- "grep: Invalid range end" if locale is not C (#79)
3.4.1 - 2021-01-23
- Handling
--
inside command line arguments - Fix handling errors with remote files
- Strip yaml doc separator if the vault driver is used (#70)
- Incompatibilities if sed links to gnu sed on MacOS (#72)
3.4.0 - 2020-12-26
From this version, the installation on Helm 2 requires additional steps. Check https://github.com/jkroepke/helm-secrets/wiki/Installation#helm-2
- Implement alternate syntax (#52)
- Remote values support (supporting http:// and helm downloader plugins) (#54)
- Let downloader plugin support remote files and all secrets drivers (#55)
- Externalize custom vault driver logic. (#63)
- Dev: Implement code coverage
- Dev: Test zsh compatibility
- Vault driver: If vault command failed, the script execution was not terminated. (#61)
3.3.5 - 2020-10-16
- Better lookup for unix shells on Windows (#42)
3.3.4 - 2020-09-09
- Allow overriding SOPS version on installation (#40)
- Add separat download artefact on GitHub release
3.3.0 - 2020-08-28
- Don't check if file exists on edit (#31)
- Better Windows support (#28)
- Support parameters like --values=secrets.yaml (#34)
- Added CentOS 7 as supported OS system (#35)
3.2.0 - 2020-05-08
- Add Vault support (#22)
- Secret driver to gain secrets from other sources then sops. (#16)
- Remove name restriction (#23)
- Run unit tests on bash, dash and ash (busybox), too.
3.1.0 - 2020-04-27
- completion.yaml for helm shell auto-completion
- Tests for all
helm secrets
commands - Added quiet flag for helm secrets (#8)
- Escape special chars in paths correctly (#9)
3.0.0 - 2020-04-26
Started a fork of https://github.com/zendesk/helm-secrets
- POSIX compatibility (#1)
- Optionally decrypt helm secrets in a temporary directory (#5)
- Added CI tests (#2)
- Changed secrets.yaml prefix just to
secrets
. All files likesecrets*
are now decrypted - Remove dependency against gnu-getops
- Remove run as root dependency on helm plugin install
- Verbose output is now on stderr
- Support all helm sub commands and plugins