Add function to decrypt via the sops tool #929
Comments
@smeierhofer Hey! Thanks for the request. I've read this twice and, honestly speaking, I'm still unsure why you'd need this. First of all, shouldn't your chart If you can change your chart as such, I believe you're all set. Helmfile already has out-of-the-box support for passing any value extracted from a SOPS-encrypted file. See #906, and for usage with SOPS specifically please read https://github.com/variantdev/vals#sops.
I have a P12 keystore which is a binary format. I need to encrypt the keystore file and check it in to git. I need helmfile to read this keystore and pass it to the helm chart, which puts it into a Kubernetes Secret. But because the keystore file needs to be encrypted, I need the helmfile gotmpl to read and decrypt the file, then base64 encode it and pass the encoded data to the helm chart via a chart value. The helm chart includes the encoded data in a Kubernetes Secret, which requires the data be base64 encoded, which it already is. I do not know of any other way to pass the binary keystore to the helm chart other than to base64 encode it.

In another case I have plain text Java properties files that need to be passed to the helm chart. I put all these files into a folder named "config" and I use the following code in the helmfile gotmpl to read all the config files and provide them to the helm chart.

```gotmpl
app:
  config:
{{- range $file := ( exec "sh" (list "-c" "echo config/*")) | trim | splitList " " }}
{{- $contents := readFile $file }}
{{- $config := printf "%s: |\n%s" (base $file) (indent 2 $contents) }}
{{- $config | nindent 4 }}
{{- end }}
```

But some of these configuration files contain sensitive data, so they need to be encrypted on disk, and so I'd like to use code such as this
@smeierhofer Thanks! This makes sense, but...

So do you, in the end, get the decrypted (cleartext) .properties files, which you want to pass to the chart? For that case I can still suggest you generate helmfile.yaml like this:

In case you do encrypt a binary file (other than .properties) with sops, I think we can enhance the
Yes, in the end I do get the cleartext .properties file, which I pass to the chart. I will try out the suggestions. I did not know that I could simply list references to files in the values section of the helmfile.yaml. Also, I like the suggested way to handle base64 encoding the results.
@smeierhofer It's the latest major new feature to Helmfile so we lack doc :) Sorry about that. Please feel free to ask anything about it.
Great! But to be clear, you won't need it for now if #929 (comment) works so that you can just defer b64enc to the chart template?
What happens if I use

@smeierhofer It decrypts
I would like to read a file that has been encrypted via sops, decrypt it, and base64 encode it so that it is in the format needed by the Helm Secrets template.

The reason to do this is that my application has several application configuration files, and some of the configuration settings are sensitive and should be encrypted when saved on disk. Also, I have a PKCS 12 keystore that is a binary format and would also like encrypted on disk. So then I could use code such as

```gotmpl
{{- readFile "keystore.p12.enc" | decrypt | b64enc | nindent 4 }}
```

Sops works well to decrypt as it integrates into Azure Key Vault (and similar tech from other vendors), where the encryption keys are stored in the Azure key vault and only accessible to those who have been granted access.

I am not sure of the options to the sops command that would need to be exposed to a "decrypt" function in helmfile.

See also...

- Issue in Helm for more context of the problem: helm/helm#6859
- Issue in Sprig that asks for the function: Masterminds/sprig#210
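The approach the thread settles on, deferring `b64enc` to the chart, as an added example that is not from this issue or from the helmfile project: a Helm Secret template that base64-encodes each entry of the `app.config` map built by the gotmpl loop in the comments above. The template file name, the `-app-config` suffix and the `.Values.app.config` layout are assumptions.

```yaml
# templates/config-secret.yaml (added example; file name, Secret name suffix and
# the .Values.app.config layout are assumed, matching the gotmpl loop in this thread)
#
# Each key of .Values.app.config is a file name from the config/ folder and each
# value its cleartext contents, as produced by helmfile. The encoding happens
# here, so helmfile only has to deliver text files such as *.properties as-is.
# A binary file such as a .p12 keystore cannot travel through a YAML block
# string untouched, so that case still needs encoding on the helmfile side,
# which is the open point in the thread.
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Release.Name }}-app-config
type: Opaque
data:
{{- range $name, $contents := .Values.app.config }}
  {{ $name | quote }}: {{ $contents | b64enc }}
{{- end }}
```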