Helm secrets is a tool that may be used to store secrets in Git repository in ecrypted form. sops is a tool that Helm secrets uses for encryption/decryption operations.

Currently all secrets are stored in secrets directory, where you can find all encrypted files and .sops.yaml file that defines that all new secrets should be encrypted with AWS KMS key.

To work with secret, you need to have your AWS credentials set with administrator role in wifi account, then you would be able to make operations with files (for example to edit secret use helm secrets edit $SECRET_FILE).

If you need to encrypt new file, you simply need to write it in plaintext, then run helm secrets enc $PLAINTEXT_SECRET_FILE - helm secrets will automatically use encryption key defined in .sops.yaml

You can use secrets in Helmfile the same way as values:

Add secrets in environment
Use {{ .Environment.Values... }} where you need it in releases definition

For example, if we have secret secrets/example.yaml

example:
  secretKey: "topSecret"

usage of it will look like this:

environments:
  example:
    secrets:
      - secrets/example.yaml

releases:
- name: example
  values:
  - secretKey: {{ .Environment.Values.example.secretKey }}

Usage

Set credentials that are required to connect to Kubernetes cluster
(optional) If you are going to use environment with secrets, make sure that you also have credentials required for access to AWS KMS key
Run helmfile --environment $ENVIRONMENT diff to see changes that would be applied
If everything is correct, run helmfile --environment $ENVIRONMENT apply to see changes that would be applied

If you would like to limit releasae that you would like to affect, you may use labels. For example, if you want to see changes that would be done only to influxdb release in amazon-cicd environment, you may run helmfile --environment amazon-cicd --selector app=influxdb diff