Question 1

How to integrate helm-secrets with ArgoCD?

Accepted Answer

Use protocol handlers like secrets:// in ArgoCD's helm.valueFiles or fileParameters, as shown in the README example. Ensure ArgoCD has access to decryption keys or cloud credentials via sidecars or init containers.

Question 2

helm-secrets vs sealed secrets: which should I use?

Accepted Answer

helm-secrets integrates directly into Helm workflows and supports cloud secret managers, while sealed secrets is Kubernetes-native and encrypts secrets into CRDs. Choose based on whether you prefer Helm-centric automation or a pure Kubernetes approach.

Question 3

Can I use helm-secrets without installing sops?

Accepted Answer

Yes, you can use the vals backend to reference secrets from cloud providers like AWS or Azure without sops, as noted in the Secret Backends wiki. This allows cloud-native secret management without file encryption.

Question 4

How to decrypt secrets in a CI/CD pipeline with helm-secrets?

Accepted Answer

In CI/CD, use the protocol handler method (e.g., -f secrets://secrets.yaml) for better performance, or wrap commands with helm secrets. Ensure the pipeline environment has the necessary keys or IAM roles for decryption.

Question 5

What encryption methods does helm-secrets support with sops?

Accepted Answer

It supports sops with various key services like PGP, AWS KMS, Azure Key Vault, and GCP KMS, as implied by the sops integration. The README references sops for encrypting value files, but specific methods depend on sops configuration.

Question 6

How to handle key rotation with helm-secrets?

Accepted Answer

Key rotation is managed by the backend (sops or vals). For sops, you must manually re-encrypt files with new keys. The README doesn't provide automated rotation, so it requires careful planning and manual updates in Git.

helm-secrets

What is helm-secrets?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions