DEV Community

Hamdi KHELIL

🔐 Secure Secret Management with SOPS in Helm 🚀

When managing applications deployed on Kubernetes, keeping secrets safe while still making them available to Helm charts is a challenge. Committing secrets to Git in plaintext is a security risk 🚨, and that is where SOPS (Secrets OPerationS) and the Helm Secrets plugin come in!

In this guide, we'll cover:

  • ✅ How to use SOPS with age (and GPG)
  • ✅ How to configure SOPS with a .sops.yaml file for better management
  • ✅ How to use the Helm Secrets plugin to feed encrypted values files to your Helm charts
  • ✅ A GitHub Actions workflow that deploys Helm charts using encrypted secrets

📌 Why Use SOPS with Helm?

SOPS is an open-source editor and command-line tool for encrypted files. It was created at Mozilla and is now a CNCF project maintained at github.com/getsops. It encrypts the values of structured files while leaving the keys readable, so encrypted files still diff and review well. Combined with the Helm Secrets plugin, you can keep your sensitive values in Git and have them decrypted only for the duration of a Helm deployment. Here's why it's useful:

  • ✅ Keeps secrets encrypted in your repos (only the values; the key names stay readable for review)
  • ✅ Works with YAML, JSON, ENV and INI files, and with age, PGP, AWS KMS, GCP KMS, Azure Key Vault and HashiCorp Vault as key holders
  • ✅ Integrates with Helm via the Helm Secrets plugin, which decrypts values files on the fly
  • ✅ Fits into CI/CD pipelines such as GitHub Actions, where the decryption key lives in the secret store rather than in the repo

🔑 Using SOPS with age

age is a modern, simple file-encryption tool with small keys and no configuration to manage. If you're new to encryption, age is an easier alternative to GPG.

✨ Step 1: Install age and sops

Install age from your distribution and sops from its GitHub releases (sops is not in the default Ubuntu/Debian package repositories):

    sudo apt install age   # Ubuntu/Debian
    # sops: download the binary for your platform from
    # https://github.com/getsops/sops/releases and put it on your PATH

✨ Step 2: Generate an age Key

SOPS looks for age private keys in ~/.config/sops/age/keys.txt by default (or in the file named by the SOPS_AGE_KEY_FILE environment variable), so generate the key straight into that location:

    mkdir -p ~/.config/sops/age
    age-keygen -o ~/.config/sops/age/keys.txt

The file will contain a key pair similar to:

    # created: 2024-01-01T00:00:00Z
    # public key: age1xxxxxxx
    AGE-SECRET-KEY-1XXXXXXYYYYYYYYZZZZZZ

Copy the public key (age1xxxxxxx): it is the recipient used for encryption and is safe to share and to commit. The AGE-SECRET-KEY-1... line is the private key that decrypts; it stays on your machine or in your CI secret store and never goes into the repository.

✨ Step 3: Encrypt a YAML File with SOPS

Create a file called secrets.yaml:

    db_user: "admin"
    db_password: "supersecret"

Now, encrypt it in place with SOPS, passing your public key as the recipient:

    sops --encrypt --age age1xxxxxxx -i secrets.yaml

When you open secrets.yaml again, every value has been replaced by an ENC[AES256_GCM,...] ciphertext, and a sops: block has been appended that holds the data key wrapped for your age recipient, a MAC over the values, and the SOPS version. 🛡️ Note that only the values are encrypted: the keys (db_user, db_password) remain in plaintext, so key names themselves must not be sensitive. The MAC covers all values, so adding or changing a value with anything other than sops (for example pasting a new key into the encrypted file by hand) makes decryption fail with a MAC mismatch.

To decrypt to stdout:

    sops --decrypt secrets.yaml

To edit the plaintext in $EDITOR and have SOPS re-encrypt it on save, run sops secrets.yaml with no other flags.

🔧 Configuring .sops.yaml for Better Management

Instead of passing --age or --pgp on every command, SOPS reads creation rules from a .sops.yaml configuration file. SOPS looks for .sops.yaml in the current directory and its parents (or takes one from --config), so a single file at the repository root covers the whole repo; each rule's path_regex is matched against the file's path relative to that .sops.yaml, and the first matching rule wins. This keeps the recipient list consistent across your team.

Create .sops.yaml in your repository:

    creation_rules:
      - path_regex: secrets/.*\.yaml$
        age:
          - age1xxxxxxx   # Replace with your public key
      - path_regex: secrets/.*\.json$
        pgp:
          - ABC12345     # Replace with your GPG key fingerprint

Now, when encrypting files inside the secrets/ folder, SOPS picks the matching rule and its recipients automatically! 🎉 Keep in mind that creation rules are only consulted when a file is first encrypted: if you later add or remove a recipient in .sops.yaml, run sops updatekeys secrets/app.yaml to re-wrap the data key for the new recipient set.

Encrypt a new secret:

    sops --encrypt -i secrets/app.yaml
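As an added example (not from the original post and not part of sops), here is a small pre-commit or CI guard that refuses to let a plaintext file slip into secrets/. It relies only on grep and awk, not on sops, and checks the shape SOPS produces: a trailing sops: block naming an age recipient, and every inline "key: value" replaced by an ENC[...] ciphertext. It also catches the failure mode described above, where a key is added by hand to an already-encrypted file. The sample files it writes are constructed for the demo; the recipient and the ENC[...] payloads are placeholders, not real ciphertext.

```shell
#!/usr/bin/env bash
# Guard for secrets/*.yaml: refuse any file that is not SOPS-encrypted.
# Added example for a pre-commit hook or CI step; not part of the original
# post, of sops or of helm-secrets. Needs only grep and awk.

# check_sops_file FILE
# Returns 0 if FILE carries a `sops:` metadata block with an age recipient and
# every inline "key: value" outside that block is an ENC[AES256_GCM,...] blob.
# Limitation: sequence items ("- value") are not inspected.
check_sops_file() {
  file="$1"
  if ! grep -q '^sops:' "$file"; then
    echo "$file: no 'sops:' metadata block (file is not encrypted)"
    return 1
  fi
  if ! grep -Eq '^ *- recipient: age1[0-9a-z]+' "$file"; then
    echo "$file: sops metadata lists no age recipient"
    return 1
  fi
  awk -v file="$file" '
    BEGIN            { bad = 0 }
    /^sops:/         { insops = 1; next }    # sops writes its block last
    insops           { next }                # metadata values are not secrets
    /^[ \t]*#/       { next }                # comments stay plaintext by design
    /^[ \t]*[^ \t#-][^:]*:[ \t]+[^ \t]/ {    # a mapping line with an inline value
      key = $0; sub(/:.*/, "", key); gsub(/^[ \t]+/, "", key)
      val = $0; sub(/^[^:]*:[ \t]+/, "", val)
      if (val !~ /^ENC\[AES256_GCM,data:/) {
        printf "%s: plaintext value for key %s\n", file, key
        bad = 1
      }
    }
    END { exit bad }
  ' "$file"
}

# check_secrets_dir DIR: run check_sops_file over every *.yaml in DIR.
check_secrets_dir() {
  rc=0
  for f in "$1"/*.yaml; do
    [ -e "$f" ] || continue
    check_sops_file "$f" || rc=1
  done
  return $rc
}

# write_samples DIR: constructed sample files for the demo (placeholder
# recipient and ciphertext; only the file shape matters to the check).
write_samples() {
  d="$1/secrets"; mkdir -p "$d"
  cat > "$d/app.yaml" <<'EOF'
db_user: ENC[AES256_GCM,data:placeholder1,iv:placeholder,tag:placeholder,type:str]
db_password: ENC[AES256_GCM,data:placeholder2,iv:placeholder,tag:placeholder,type:str]
sops:
    age:
        - recipient: age1placeholderplaceholderplaceholderplaceholderplaceholderqqq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            cGxhY2Vob2xkZXIgYWdlIGZpbGUK
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:placeholder,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.8.1
EOF
  # never went through sops at all
  cat > "$d/plain.yaml" <<'EOF'
db_user: "admin"
db_password: "supersecret"
EOF
  # encrypted once, then a key was pasted in by hand afterwards
  cat > "$d/mixed.yaml" <<'EOF'
db_user: ENC[AES256_GCM,data:placeholder1,iv:placeholder,tag:placeholder,type:str]
api_token: ghp_plaintext_token_added_by_hand
sops:
    age:
        - recipient: age1placeholderplaceholderplaceholderplaceholderplaceholderqqq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            cGxhY2Vob2xkZXIgYWdlIGZpbGUK
            -----END AGE ENCRYPTED FILE-----
    mac: ENC[AES256_GCM,data:placeholder,type:str]
    version: 3.8.1
EOF
}

# Usage: check_sops.sh [DIR]   (with no DIR, runs against the constructed samples)
if [ -n "$1" ]; then
  check_secrets_dir "$1"
else
  demo=$(mktemp -d)
  write_samples "$demo"
  check_secrets_dir "$demo/secrets"   # reports plain.yaml and mixed.yaml
  rm -rf "$demo"
fi
```

To use it as a pre-commit hook, run the script against the staged files (for example `git diff --cached --name-only -- 'secrets/*.yaml'` piped into a loop over check_sops_file) and let a non-zero exit abort the commit; in CI, run check_secrets_dir secrets before the deploy step.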

🛠️ Using Helm with the Helm Secrets Plugin

The Helm Secrets plugin (jkroepke/helm-secrets) wraps the helm command so that encrypted values files can be passed straight to your releases, with no decrypted copy committed or left lying around.

✨ Step 1: Install the Helm Secrets Plugin

Install the plugin with (add --version to pin a release):

    helm plugin install https://github.com/jkroepke/helm-secrets

The plugin shells out to the sops binary you installed above to decrypt values files at deploy time, so sops and your age key must be available wherever helm runs.

✨ Step 2: Encrypt Your Values File

Helm Secrets decrypts values files, not rendered manifests, so the file you encrypt holds the plain values your chart templates consume. Create secrets.yaml next to your chart (or reuse the one from above):

    db_user: "admin"
    db_password: "supersecret"

Encrypt it using SOPS:

    sops --encrypt -i secrets.yaml

Inside the chart, a template such as templates/secret.yaml turns those values into a Kubernetes Secret. The data field is only base64-encoded, which is encoding, not encryption; that is exactly why the values file feeding it has to be encrypted at rest:

    apiVersion: v1
    kind: Secret
    metadata:
      name: my-secret
    type: Opaque
    data:
      username: {{ .Values.db_user | b64enc }}
      password: {{ .Values.db_password | b64enc }}

✨ Step 3: Deploy with Helm Using Encrypted Secrets

Deploy your Helm chart, passing the encrypted values file with -f:

    helm secrets upgrade --install my-release ./my-chart -f secrets.yaml

The Helm Secrets plugin decrypts secrets.yaml to a temporary file, hands it to helm, and removes the temporary file once helm exits. 🚀 The rendered Secret still lands base64-encoded in the cluster (and in the Helm release record), so cluster-side controls such as RBAC on Secrets and encryption at rest for etcd remain your responsibility.

🤖 Using SOPS and Helm in GitHub Actions

Integrate your secure secrets management into your CI/CD pipeline with GitHub Actions. Here's an example workflow that deploys your Helm chart with encrypted secrets:

✨ Step 1: Store the age Private Key in GitHub Secrets

In your GitHub repository, navigate to Settings → Secrets and variables → Actions, and add:

  • SOPS_AGE_KEY: the AGE-SECRET-KEY-1... line from ~/.config/sops/age/keys.txt

Use a dedicated key pair for CI rather than a developer's personal key, and list its public key as an additional recipient in .sops.yaml so that the same files can be decrypted by both.

✨ Step 2: Create the GitHub Actions Workflow

Create .github/workflows/deploy.yml. sops reads the SOPS_AGE_KEY environment variable directly, so the private key can be handed to the deploy step as an environment variable without ever being written to disk. Cluster credentials for helm (a kubeconfig or a cloud login step) are not shown and are assumed to be set up before the deploy step:

    name: Deploy with Helm & SOPS

    on:
      push:
        branches:
          - main

    jobs:
      deploy:
        runs-on: ubuntu-latest
        steps:
          - name: Checkout repository
            uses: actions/checkout@v4

          - name: Install dependencies
            env:
              SOPS_VERSION: 3.9.0   # pin, and bump deliberately
            run: |
              sudo apt-get update
              sudo apt-get install -y age
              # sops is not in the Ubuntu archives: fetch a pinned release binary
              curl -fsSL -o sops \
                "https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.amd64"
              sudo install -m 0755 sops /usr/local/bin/sops
              curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
              helm plugin install https://github.com/jkroepke/helm-secrets

          - name: Deploy with Helm
            env:
              SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}   # read directly by sops
            run: |
              helm secrets upgrade --install my-release ./my-chart -f secrets.yaml

Verify the downloaded sops binary against the checksums file published alongside the release before trusting it. If you prefer a key file, write it in a step with umask 077 to ~/.config/sops/age/keys.txt, but passing SOPS_AGE_KEY as an environment variable avoids leaving the private key on the runner's disk at all.

🔥 What Happens in This Workflow?

  1. Checks out the code ✅
  2. Installs age, a pinned sops release, Helm, and the Helm Secrets plugin ✅
  3. Hands the age private key from GitHub Secrets to sops through the SOPS_AGE_KEY environment variable ✅
  4. Deploys the Helm chart, decrypting secrets.yaml on the fly ✅

Security Tip:

Make sure that any decrypted files are never committed to your repository! Add the patterns your tooling produces (for example *.dec.yaml, if you ever decrypt to a file) to .gitignore, and commit .sops.yaml but never keys.txt. Remember too that Git history keeps old ciphertext forever: removing a recipient from .sops.yaml and running sops updatekeys stops that key from decrypting future revisions, but whoever held the key can still decrypt the revisions they already had, so rotate the secret values themselves when a key is compromised or a person leaves. 🔒
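The key the workflow holds can only decrypt a file whose sops: block lists its recipient, and the reverse problem, a recipient that should have been removed but still can decrypt, is just as easy to miss, because .sops.yaml is only consulted when a file is first encrypted. The check below is an added example (not part of the original post or of sops) that compares the age recipients of the first matching creation rule in .sops.yaml with the recipients recorded inside each encrypted file and reports what needs sops updatekeys. It assumes a .sops.yaml in the shape shown on this page (every rule starts with path_regex, recipients listed one per line) and ignores pgp and KMS entries; the files it writes are constructed samples with placeholder keys and ciphertext.

```shell
#!/usr/bin/env bash
# Recipient drift check between .sops.yaml and already-encrypted files.
# Added example, not part of the original post or of sops itself.
# Assumes .sops.yaml rules each start with "- path_regex:" (as on this page)
# and that age recipients are listed one per line; pgp/KMS entries are ignored.

# expected_recipients CONFIG RELPATH
# Prints the age recipients of the first creation_rule whose path_regex
# matches RELPATH (sops semantics: the first matching rule wins).
expected_recipients() {
  awk -v path="$2" '
    { sub(/#.*/, "") }                                   # drop comments
    /^[ \t]*-[ \t]*path_regex:/ {
      if (matched) exit                                  # end of the matching rule
      re = $0; sub(/^[^:]*:[ \t]*/, "", re); sub(/[ \t]+$/, "", re)
      matched = (path ~ re); next
    }
    matched && match($0, /age1[0-9a-z]+/) { print substr($0, RSTART, RLENGTH) }
  ' "$1"
}

# file_recipients FILE: prints the age recipients recorded in FILE's sops block.
file_recipients() {
  awk '/^sops:/ { insops = 1 }
       insops && /recipient:/ { sub(/.*recipient:[ \t]*/, ""); print }' "$1"
}

# check_recipients ROOT RELPATH -> 0 when both recipient sets agree, 1 otherwise.
check_recipients() {
  root="$1"; rel="$2"; rc=0
  want=$(expected_recipients "$root/.sops.yaml" "$rel" | sort -u | tr '\n' ' ')
  have=$(file_recipients "$root/$rel" | sort -u | tr '\n' ' ')
  if [ -z "$want" ]; then
    echo "$rel: no creation_rule with age recipients matches this path"
    return 1
  fi
  for r in $want; do                       # in .sops.yaml but not in the file
    case " $have " in
      *" $r "*) ;;
      *) echo "$rel: missing recipient $r (run: sops updatekeys $rel)"; rc=1 ;;
    esac
  done
  for r in $have; do                       # in the file but no longer in .sops.yaml
    case " $want " in
      *" $r "*) ;;
      *) echo "$rel: stale recipient $r can still decrypt (run: sops updatekeys $rel, then rotate the values)"; rc=1 ;;
    esac
  done
  return $rc
}

# write_samples DIR: constructed repo layout with placeholder (non-bech32) recipients.
write_samples() {
  d="$1"; mkdir -p "$d/secrets"
  cat > "$d/.sops.yaml" <<'EOF'
creation_rules:
  - path_regex: secrets/.*\.yaml$
    age:
      - age1team0placeholder   # developers
      - age1ci0placeholder     # GitHub Actions
  - path_regex: secrets/.*\.json$
    pgp:
      - ABC12345
EOF
  # wrapped for both current recipients: up to date
  cat > "$d/secrets/ok.yaml" <<'EOF'
db_password: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
sops:
    age:
        - recipient: age1team0placeholder
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            cGxhY2Vob2xkZXIK
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1ci0placeholder
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            cGxhY2Vob2xkZXIK
            -----END AGE ENCRYPTED FILE-----
    version: 3.8.1
EOF
  # encrypted before the CI key was added, and still wrapped for a departed colleague
  cat > "$d/secrets/stale.yaml" <<'EOF'
db_password: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
sops:
    age:
        - recipient: age1team0placeholder
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            cGxhY2Vob2xkZXIK
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1old0placeholder
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            cGxhY2Vob2xkZXIK
            -----END AGE ENCRYPTED FILE-----
    version: 3.8.1
EOF
}

# Usage: check_recipients.sh [REPO_ROOT]   (with no argument, runs on the samples)
if [ -n "$1" ]; then
  overall=0
  for f in "$1"/secrets/*.yaml; do
    [ -e "$f" ] || continue
    check_recipients "$1" "secrets/$(basename "$f")" || overall=1
  done
  exit $overall
else
  demo=$(mktemp -d); write_samples "$demo"
  check_recipients "$demo" secrets/ok.yaml
  check_recipients "$demo" secrets/stale.yaml   # reports the missing CI key and the stale key
  rm -rf "$demo"
fi
```

Run it as a CI step before helm secrets upgrade so a deploy fails fast with "missing recipient" instead of a decryption error, and run it after editing .sops.yaml to see which files need sops updatekeys. A stale recipient is only fixed for future revisions; as noted above, the values themselves must be rotated.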

🎯 Wrapping Up

SOPS and the Helm Secrets plugin offer a powerful and secure way to manage secrets in your Kubernetes deployments. With age encryption, a .sops.yaml that fixes the recipients for the whole team, and the plugin decrypting values files at deploy time, the encrypted file is the only copy that ever reaches Git. 💪

By integrating these tools into your workflow, you get:

  • ✅ Encrypted secrets safely stored in Git repositories
  • ✅ Automatic decryption during Helm deployments
  • ✅ Secure usage of secrets in CI/CD pipelines

Want to take it a step further? Point .sops.yaml at AWS KMS, GCP KMS, Azure Key Vault or HashiCorp Vault instead of (or in addition to) age: SOPS then wraps the data key with a key the provider holds, every decrypt is authorised by IAM and shows up in the audit log, and a CI job can authenticate with short-lived workload identity (OIDC) instead of a long-lived private key kept in a GitHub secret. 🔐🚀

Have questions or suggestions? Drop them in the comments! 💬

Happy clustering and stay safe! 🔐😊
