We are working with the helm charts for our product and we need to find out how to hide the passwords or secrets in helm charts. Can anyone help us with this?
Using the 'tpl' Function
The tpl function allows developers to evaluate strings as templates inside a template. This is useful to pass a template string as a value to a chart or render external configuration files.
The list above is in order of specificity: values.yaml is the default, which can be overridden by a parent chart's values.yaml, which can in turn be overridden by a user-supplied values file, which can in turn be overridden by --set parameters. Values files are plain YAML files.
I think what you need to do is to create a secret outside Helm command, like:
kubectl create secret generic my-secret --from-literal=password=Y4nys7f11
And then use this secret name in values.yaml and pass it into templates/*. I think there is no better integrated Helm way.
You can see an example here.
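The approach in the answer above, sketched as an added example (not from the original post or from any chart it links to): the chart carries only the name of the pre-created Secret, never its value. The keys under `existingSecret`, the `myapp` names, the image and the `DB_PASSWORD` variable are assumptions for illustration; `my-secret` and `password` come from the `kubectl create secret` command above.

```yaml
# values.yaml (hypothetical chart "myapp")
# Weak form this replaces: a plaintext entry such as `dbPassword: <value>`,
# which ends up in version control and in the stored Helm release data.
image:
  repository: registry.example.com/myapp   # constructed sample value
  tag: "1.0.0"                              # constructed sample value
existingSecret:
  name: my-secret   # Secret created out of band with kubectl
  key: password     # key inside that Secret
---
# templates/deployment.yaml (excerpt)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-myapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: {{ .Release.Name }}-myapp
  template:
    metadata:
      labels:
        app: {{ .Release.Name }}-myapp
    spec:
      containers:
        - name: myapp
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          env:
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  # `required` makes rendering fail if no Secret name is supplied
                  name: {{ required "existingSecret.name must be set" .Values.existingSecret.name | quote }}
                  key: {{ .Values.existingSecret.key | quote }}
```

The Secret has to exist in the release's namespace before the pods start; only its name and key ever appear in the chart and in `helm get values` output.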
A Kubernetes secret is anyway just a base64 secret even if you create it using the generic tag; they show as opaque, but for production they are still a liability.
Where is your Kubernetes cluster hosted? Is it a managed or a bare-metal cluster? Do you want a cloud-agnostic solution, because Kubernetes is cloud agnostic? If not, you can go with the key-vault provided by various cloud vendors. But again, if that key is lost you are risking all the flow getting hampered.
What you can do, as you are already using Helm, is install the helm-vault plugin for Helm. You can refer to a descriptive blog and a readme that I will paste right below. A blog for better understanding and the GitHub project README for implementation.
However, you will need a Vault cluster as a prerequisite. Also, if you can back it with a Consul instance, that would be pretty great. But that's what will ensure a production requirement.
And if you are just trying it out, creating a secret at runtime and loading it into your Helm deployment is a job of a few minutes. Speaking of which, you can also use Kubernetes cron jobs to refresh your secrets.
Update: Because you are on EKS, an easier way to do it without Vault/Consul is via AWS Key Vault service, but again it would have its own pros/cons. This can be implemented by another Helm plugin developed at Zendesk, Helm Secrets.