Secrets¶

helmfile can handle secrets using helm-secrets plugin or using remote secrets storage
(everything that package vals can handle vault, AWS SSM etc)
This section will describe the second use case.

Remote secrets¶

This paragraph will describe how to use remote secrets storage (vault, SSM etc) in helmfile

Fetching single key¶

To fetch single key from remote secret storage you can use fetchSecretValue template function example below

# helmfile.yaml

repositories:
  - name: stable
    url: https://kubernetes-charts.storage.googleapis.com

environments:
  default:
    values:
      - service:
          password: ref+vault://svc/#pass
          login: ref+vault://svc/#login
releases:
  - name: service
    namespace: default
    labels:
      cluster: services
      secrets: vault
    chart: stable/svc
    version: 0.1.0
    values:
      - service:
          login: {{ .Values.service.login | fetchSecretValue }} # this will resolve ref+vault://svc/#pass and fetch secret from vault
          password: {{ .Values.service.password | fetchSecretValue | quote }}
      # - values/service.yaml.gotmpl   # alternatively

Fetching multiple keys¶

Alternatively you can use expandSecretRefs to fetch a map of secrets

# values/service.yaml.gotmpl
service:
{{ .Values.service | expandSecretRefs | toYaml | nindent 2 }}

This will produce

# values/service.yaml
service:
  login: svc-login # fetched from vault
  password: pass