Sealed Secrets plugin for Helm #1413

Open
juan131 opened this issue Dec 22, 2023 · 1 comment
Labels
backlog Issues/PRs that will be included in the project roadmap enhancement

Comments

@juan131
Collaborator

juan131 commented Dec 22, 2023

Which component:

N/A

Is your feature request related to a problem? Please describe.

When I use Helm charts to deploy certain apps (or render the templates for later deployment), I need to perform complementary steps to manage the secrets shipped in these charts with Sealed Secrets.

Describe the solution you'd like

I'd like the Sealed Secrets team to develop some plugin for Helm that extends the helm install, helm template & helm upgrade commands with new flags for configuring how to encrypt secrets shipped on a chart with Sealed Secrets (--sealed-secrets-controller-name, --sealed-secrets-controller-namespace, sealed-secrets-cert, etc.).

This plugin should allow helm to automatically encrypt secrets by using Kubeseal libraries and introducing the steps below into the workflows of the mentioned Helm commands:

  • Detect available K8s secrets within the K8s manifests after rendering templates.
  • (optional) download cert / public key to use for encryption.
  • Encrypt K8s secrets as Sealed Secrets and replace K8s secrets with them from the list of rendered manifests.

Describe alternatives you've considered

There are two main approaches to deal with this without the requested plugin:

  • Render manifests (helm template ...) -> Manually encrypt resulting secrets with Kubeseal -> Manually deploy manifests replacing secrets manifests with corresponding sealed-secrets ones.
  • Manually create required secrets -> Manually encrypt them with Kubeseal and create them with Kubectl -> Deploy chart configuring it to use the previously created secrets (only possible if charts support "existingSecret" or equivalent parameters).

Additional context

N/A

@juan131 juan131 added triage Issues/PRs that need to be reviewed enhancement backlog Issues/PRs that will be included in the project roadmap and removed triage Issues/PRs that need to be reviewed labels Dec 22, 2023
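The detect-and-replace steps listed in the issue description, and the first alternative (render, seal, then deploy), as an added example that is not part of the issue or the Sealed Secrets project. It assumes `kubeseal` is on the PATH and the controller certificate was downloaded beforehand; the function names and the sample manifest are constructed for illustration.

```python
import re
import subprocess
import sys

# Top-level keys only: nested or block-scalar content is indented and will not match.
KIND_SECRET = re.compile(r'^kind:[ \t]*["\']?Secret["\']?[ \t]*(?:#.*)?$', re.M)
CORE_V1 = re.compile(r'^apiVersion:[ \t]*["\']?v1["\']?[ \t]*(?:#.*)?$', re.M)
DOC_SEP = re.compile(r'^---[ \t]*(?:#.*)?$', re.M)

# Constructed sample of `helm template` output (not from a real chart).
SAMPLE = """---
apiVersion: v1
kind: Secret
metadata:
  name: db
data:
  password: czNjcjN0
---
apiVersion: apps/v1
kind: Deployment
"""

def split_documents(rendered):
    """Split a multi-document YAML stream, dropping empty documents."""
    return [d.strip("\n") for d in DOC_SEP.split(rendered) if d.strip()]

def is_secret(doc):
    return bool(KIND_SECRET.search(doc) and CORE_V1.search(doc))

def kubeseal(doc, cert_path):
    """Seal one Secret offline against a previously downloaded certificate."""
    return subprocess.run(["kubeseal", "--format", "yaml", "--cert", cert_path],
                          input=doc, capture_output=True, text=True,
                          check=True).stdout

def seal_rendered(rendered, seal):
    """Replace every core/v1 Secret in the stream with seal(doc); fail closed."""
    out = []
    for doc in split_documents(rendered):
        if is_secret(doc):
            doc = seal(doc).strip("\n")
            if not doc or is_secret(doc):
                raise RuntimeError("sealing failed; refusing to emit a plaintext Secret")
        out.append(doc)
    return "---\n" + "\n---\n".join(out) + "\n"

if __name__ == "__main__":
    cert = sys.argv[1]
    sys.stdout.write(seal_rendered(sys.stdin.read(), lambda d: kubeseal(d, cert)))
```

Saved as a script, it reads rendered manifests on stdin and takes the certificate path as its only argument, for example `helm template <release> <chart> | python seal_rendered.py cert.pem`. The output is a manifest stream in which no plaintext Secret remains, or an error if any Secret could not be sealed.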
@mohamed-essam
Contributor

mohamed-essam commented Jan 18, 2024

I've gone through the helm docs for plugins and the Helm source code as well, and I don't see any way for plugins to manipulate templates generated by helm install or helm upgrade. Helm plugins seem to be addons that have nothing to do with Helm itself.

The only way for this to work using Helm plugins would be to have the plugin itself call helm template and then modify the returned values and then apply them manually, but that would interfere with the way Helm manages releases and such and would practically remove the point of it.

My current workaround is the same as your second alternative, but until Helm implements the ability for a plugin to edit manifests during install and upgrade, that's all we can do.
