1.5 KiB
1.5 KiB
Secrets
helmfile can handle secrets using helm-secrets plugin or using remote secrets storage
(everything that package vals can handle vault, AWS SSM etc)
This section will describe the second use case.
Remote secrets
This paragraph will describe how to use remote secrets storage (vault, SSM etc) in helmfile
Fetching single key
To fetch single key from remote secret storage you can use fetchSecretValue template function example below
# helmfile.yaml
repositories:
- name: stable
url: https://kubernetes-charts.storage.googleapis.com
environments:
default:
values:
- service:
password: ref+vault://svc/#pass
login: ref+vault://svc/#login
releases:
- name: service
namespace: default
labels:
cluster: services
secrets: vault
chart: stable/svc
version: 0.1.0
values:
- service:
login: {{ .Values.service.login | fetchSecretValue }} # this will resolve ref+vault://svc/#pass and fetch secret from vault
password: {{ .Values.service.password | fetchSecretValue | quote }}
# - values/service.yaml.gotmpl # alternatively
Fetching multiple keys
Alternatively you can use expandSecretRefs to fetch a map of secrets
# values/service.yaml.gotmpl
service:
{{ .Values.service | expandSecretRefs | toYaml | nindent 2 }}
This will produce
# values/service.yaml
service:
login: svc-login # fetched from vault
password: pass