This repository has been archived by the owner on Nov 23, 2024. It is now read-only.

helm secrets install ... deploys encrypted values #95

Closed
alexmbird opened this issue Jan 23, 2019 · 2 comments

Comments

@alexmbird

I have helm-secrets set up to encrypt secrets with sops. My .sops.yaml looks like this:

creation_rules:
  - path_regex: xyz-secrets.yaml$
    kms: arn:aws:kms:us-east-1:01234:key/abcd-01234-...

  # Catchall to raise an error for unmatched secrets
  - pgp: "nonexistent-key-will-fail-for-unmatched"

I've successfully created and encrypted xyz-secrets.yaml. I'm able to helm secrets [edit|view] it and the contents look as I would expect them to.

When I try to helm secrets install or helm secrets upgrade my chart it completes successfully and the resources in k8s are created. However the values deployed to the cluster have not been decrypted and all begin with ENC[AES256_GCM,data.

In case it helps here are the versions I'm running:

$ helm plugin list
NAME   	VERSION	DESCRIPTION
secrets	2.0.0  	This plugin provides secrets values encryption for Helm charts secure storing
$ sops --version
sops 3.2.0 (latest)

And here's the exact command (under the fish shell) I deployed with:

$ env AWS_PROFILE=myprofile \
         helm secrets install                        \
           --name=my-release-name               \
           --namespace=prod                          \
           -f helm_values/xyz-values.yaml        \
           -f helm_values/xyz-secrets.yaml       \
           del-shared-config

It looks like helm-secrets is failing to detect that xyz-secrets.yaml should be decrypted. Am I using it incorrectly or have I discovered a bug in KMS support?

@alexmbird
Author

I've gotten to the bottom of this. In case anyone else encounters the same: the problem was that I named my secrets file xyz-secrets.yaml, and by convention helm-secrets only treats files named precisely secrets[.something].yaml as containing secrets. Values from other files, even those containing a valid sops: section, will be deployed verbatim. Confusingly, sops will happily encrypt/decrypt these files, so the problem only becomes apparent at chart deploy time.
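The failure mode described above is silent: helm reports success and the cluster ends up holding ENC[...] strings. The following pre-deploy check is an added example, not helm-secrets' own code; it encodes the secrets[.something].yaml naming convention exactly as the comment states it (an assumption about the plugin's detection, not copied from its source) and flags any values file that carries a sops: metadata block but would not be decrypted. The sample files it creates are constructed for the demo and contain no real secrets.

```shell
#!/bin/sh
# Added example (not helm-secrets' own code). Flags values files that sops has
# encrypted (they carry a top-level sops: block) but whose name does not match
# the secrets[.something].yaml convention, so they would be deployed verbatim.
# The name pattern below is an assumption taken from the comment above.
set -e

# Returns 0 when the base name is secrets.yaml / secrets.<something>.yaml (or .yml).
is_helm_secrets_name() {
  case "$(basename "$1")" in
    secrets.yaml|secrets.yml|secrets.*.yaml|secrets.*.yml) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when the file has a top-level sops: section, which sops writes on encryption.
has_sops_section() {
  grep -q '^sops:' "$1" 2>/dev/null
}

# Prints OK / PLAINTEXT / MISMATCH per file and returns 1 if any MISMATCH was
# found, so it can gate "helm secrets install" in a wrapper or CI step.
check_values_files() {
  rc=0
  for f in "$@"; do
    if has_sops_section "$f"; then
      if is_helm_secrets_name "$f"; then
        printf 'OK        %s\n' "$f"
      else
        printf 'MISMATCH  %s (sops-encrypted, but this name is not decrypted by helm-secrets)\n' "$f"
        rc=1
      fi
    else
      printf 'PLAINTEXT %s\n' "$f"
    fi
  done
  return $rc
}

# Constructed sample files reproducing the issue (dummy ciphertext, not a real key).
demo_dir=$(mktemp -d)
cat > "$demo_dir/xyz-values.yaml" <<'EOF'
replicaCount: 2
EOF
cat > "$demo_dir/xyz-secrets.yaml" <<'EOF'
dbPassword: ENC[AES256_GCM,data:QUJDREVG,iv:AAAA,tag:BBBB,type:str]
sops:
    kms:
    - arn: arn:aws:kms:us-east-1:01234:key/abcd-01234
    version: 3.2.0
EOF
# Same encrypted content under a name that follows the convention.
cp "$demo_dir/xyz-secrets.yaml" "$demo_dir/secrets.xyz.yaml"

check_values_files "$demo_dir"/*.yaml \
  || echo "rename the MISMATCH file(s) before running helm secrets install"
```

Run it before `helm secrets install`; the constructed xyz-secrets.yaml is reported as MISMATCH while secrets.xyz.yaml with identical content is OK, which is exactly the difference that bit this issue.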

@schollii

schollii commented Jul 23, 2019

Yes, this is a real annoyance. I created ticket #128 for this. Seems like the fix should be really easy: additionally allow secrets-something, which is more intuitive for describing the secrets file.
