bitnami-labs / sealed-secrets

A Kubernetes controller and tool for one-way encrypted Secrets

Home Page:https://sealed-secrets.netlify.app/


Sealed Secrets plugin for Helm

juan131 opened this issue · comments

Which component:

N/A

Is your feature request related to a problem? Please describe.

When I use Helm charts to deploy (or to render the templates for later deployment of) certain apps, I need to perform complementary steps to manage the secrets shipped in these charts with Sealed Secrets.

Describe the solution you'd like

I'd like the Sealed Secrets team to develop a plugin for Helm that extends the helm install, helm template & helm upgrade commands with new flags for configuring how to encrypt secrets shipped in a chart with Sealed Secrets (--sealed-secrets-controller-name, --sealed-secrets-controller-namespace, sealed-secrets-cert, etc.).

This plugin should allow helm to automatically encrypt secrets using the Kubeseal libraries, introducing the steps below into the workflows of the mentioned Helm commands:

  • Detect available K8s secrets within the K8s manifests after rendering templates.
  • (optional) Download the cert / public key to use for encryption.
  • Encrypt K8s secrets as Sealed Secrets and replace K8s secrets with them from the list of rendered manifests.

Describe alternatives you've considered

There are two main approaches to deal with this without the requested plugin:

  • Render manifests (helm template ...) -> Manually encrypt the resulting secrets with Kubeseal -> Manually deploy the manifests, replacing the secret manifests with the corresponding sealed-secrets ones.
  • Manually create the required secrets -> Manually encrypt them with Kubeseal and create them with Kubectl -> Deploy the chart configuring it to use the previously created secrets (only possible if charts support "existingSecret" or equivalent parameters).

Additional context

N/A
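The first alternative above (render, seal every Secret, then apply) can be automated with a small filter on the rendered stream. The script below is an added example, not code from this issue or from the sealed-secrets project; it assumes helm and kubeseal are on PATH, that the controller runs as sealed-secrets-controller in kube-system (override SEAL_CMD otherwise), and that a Secret's top-level `kind:` line is unindented as helm renders it.

```shell
#!/bin/sh
# Added example: pass rendered Helm manifests through, sealing only Secrets.
# Assumption: kubeseal is on PATH and the controller lives in kube-system.
set -eu

SEAL_CMD="${SEAL_CMD:-kubeseal --format yaml --controller-name sealed-secrets-controller --controller-namespace kube-system}"
nl='
'

# Emit one YAML document. Documents whose top-level kind is exactly Secret
# are piped through $SEAL_CMD; everything else (ConfigMaps, Deployments,
# already-sealed SealedSecrets) is written unchanged. Blank documents are dropped.
_emit_doc() {
  doc="$1"
  if ! printf '%s' "$doc" | grep -q '[^[:space:]]'; then
    return 0
  fi
  printf -- '---\n'
  if printf '%s' "$doc" | grep -qE '^kind:[[:space:]]*Secret[[:space:]]*$'; then
    printf '%s' "$doc" | $SEAL_CMD
  else
    printf '%s' "$doc"
  fi
}

# Split a multi-document YAML stream (stdin) on the "---" separator lines
# that helm template emits between resources, sealing Secrets as they pass.
seal_rendered_manifests() {
  doc=""
  while IFS= read -r line || [ -n "$line" ]; do
    if [ "$line" = "---" ]; then
      _emit_doc "$doc"
      doc=""
    else
      doc="$doc$line$nl"
    fi
  done
  _emit_doc "$doc"
}

# Typical use, leaving release management to Helm's own tooling:
#   helm template myrelease repo/chart | seal_rendered_manifests | kubectl apply -f -
```

Because the output stream still contains every non-Secret resource, the only change from plain `helm template` is that each Secret is replaced by its SealedSecret, which is exactly the substitution the first alternative performs by hand.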

I've gone through the Helm docs for plugins and the Helm source code as well, and I don't see any way for plugins to manipulate templates generated by helm install or helm upgrade; Helm plugins seem to be add-ons that have nothing to do with Helm itself.

The only way for this to work using Helm plugins would be to have the plugin itself call helm template, modify the returned values, and then apply them manually, but that would interfere with the way Helm manages releases and such and would practically remove the point of it.

My current workaround is the same as your second alternative, but until Helm implements the ability for a plugin to edit manifests during install and upgrade, that's all we can do.