Secure Helm Secrets Management in Kubernetes
Managing Helm secrets effectively is critical for secure and reliable Kubernetes deployments. Helm simplifies app deployments, but handling sensitive information like passwords, API keys, and credentials can be challenging. In this guide, we explore practical strategies, tools, and best practices to manage Helm secrets safely and efficiently.
Why Managing Helm Secrets Matters
Kubernetes (K8s) is the standard for running containerized workloads, offering scalability and resilience. However, deploying applications often involves multiple YAML manifests, including Deployment, Service, ConfigMap, Secret, and Ingress files.
This complexity can cause operational overhead and human errors. Helm charts help streamline this process by packaging all necessary manifests and configurations into reusable templates. However, Helm secrets need careful handling due to:
- Security concerns: Secrets contain sensitive data that must be encrypted and access-controlled.
- Collaboration challenges: Shared charts can expose secrets to unauthorized team members.
Companies like ZippyOPS provide consulting and managed services in DevOps, DevSecOps, DataOps, Cloud, Automated Ops, Microservices, Infrastructure, and Security, helping teams implement best practices for secure Helm secrets management.
Understanding Helm Charts and Helm Secrets
Helm charts encapsulate Kubernetes manifests and dependencies into a single package. Configurations and secrets are passed as environment variables using ConfigMaps or Secrets, following the Twelve-Factor App methodology.
Two Approaches to Manage Helm Secrets
- Encrypt secrets in Helm charts – Sensitive data is stored encrypted in the
values.yamlfile and decrypted during deployment. - Store secrets externally – Secrets are kept in a secure secrets manager and injected into Kubernetes at runtime.
Both methods have pros and cons depending on your workflow and compliance requirements.
Using the Helm-Secrets Plugin
The helm-secrets plugin simplifies secrets management by integrating with encryption tools like SOPS. It supports:
- Encrypted Helm charts: Encrypt values in the Helm chart and decrypt on the fly.
- External secret managers: Inject secrets at deployment time without storing them in charts.
Step 1: Encrypting Helm Secrets with SOPS
SOPS (Secrets OPerationS) automatically encrypts files using PGP, AWS KMS, or other keys. Helm-secrets delegates encryption tasks to SOPS, ensuring sensitive values are secure before committing them to version control.
Example installation:
brew install sops gnupg
helm plugin install https://github.com/jkroepke/helm-secrets --version v4.5.1
Once configured, create an encrypted credentials file:
helm secrets encrypt credentials.yaml.dec > credentials.yaml
Then reference it in your Helm chart template for Secrets:
apiVersion: v1
kind: Secret
metadata:
name: helloworld
type: Opaque
data:
password: {{ .Values.password | b64enc | quote }}
Deploy using:
helm secrets install release-name -f values.yaml -f credentials.yaml your-chart
For team access, SOPS allows adding multiple public keys to manage decryption. AWS KMS integration also simplifies access control.
Step 2: Integrating Cloud Secrets Managers
Helm-secrets supports tools like AWS Secrets Manager or HashiCorp Vault through the vals backend:
export HELM_SECRETS_BACKEND=vals
helm secrets install release-name -f values.yaml your-chart
This injects secrets directly from cloud managers without storing them in Helm charts.
External Secrets Operator
The External Secrets Operator automates fetching secrets from cloud providers and synchronizing them with Kubernetes Secrets. Unlike helm-secrets, it avoids storing any secrets in Helm templates, improving security and simplifying CI/CD workflows.
How It Works
- SecretStore configuration: Connects Kubernetes to external secret providers.
- ExternalSecret resource: Maps external secrets to Kubernetes Secrets.
- Automatic sync: Continuously updates secrets based on a refresh interval.
Example:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: example
spec:
refreshInterval: 1h
secretStoreRef:
name: secretstore-sample
target:
name: helloworld
data:
- secretKey: password
remoteRef:
key: MyTestSecret1
property: password
This approach ensures secrets are always up to date without including sensitive information in Helm charts.
Vault Secrets Operator
For teams already using HashiCorp Vault, the Vault Secrets Operator can manage secrets dynamically, directly writing secret values to Kubernetes Secrets. This method is similar to External Secrets Operator but tailored for Vault features like dynamic secrets.
Automatically Restarting Pods on Secret Updates
Keeping pods up to date when secrets change is crucial. Tools like Reloader automate this process by detecting changes in Secrets or ConfigMaps and performing rolling updates:
metadata:
annotations:
reloader.stakater.com/auto: "true"
Combined with External Secrets Operator, this setup eliminates the need for manual workarounds like checksum annotations.
Best Practices for Helm Secrets Management
- Prefer External Secrets Operator for seamless CI/CD integration.
- Use encrypted values for internal-only charts if cloud managers are not feasible.
- Automate pod restarts with Reloader to maintain updated configurations.
- Consider ZippyOPS services for expert guidance in DevOps, Security, and Cloud infrastructure: Services, Solutions, Products.
For tutorials and videos, check the ZippyOPS YouTube channel.
Conclusion
Managing Helm secrets can be complex, but modern tools make it secure and efficient. The helm-secrets plugin works well for encrypted local values, while the External Secrets Operator offers cloud-ready automation compatible with major CI/CD tools.
By integrating these solutions with tools like Reloader, teams can maintain secure, dynamic, and reliable Kubernetes deployments. For enterprise-grade implementation, consulting, or managed services, contact ZippyOPS at sales@zippyops.com.
