This repository has been archived by the owner on Jun 2, 2022. It is now read-only.

Add support for HashiCorp Vault #110

Open
Just-Insane opened this issue Mar 15, 2019 · 2 comments

Comments

@Just-Insane

I am working on adding support for HashiCorp Vault into helm-secrets.

The main issues I have right now are that I have had to re-write the YAML parsing logic from SOPS in bash, as well as extend the encrypt/decrypt/edit options, since I am not using SOPS.

So far I have the encryption option mostly working and I can upload user-entered variables to Vault, and I am working on the decryption option.

Current issues include issues with sanitizing user input for special characters, and some hard coded values used to parse the given values.yaml file for what to store in Vault.

I plan on uploading some work in progress code later tonight.

@Just-Insane
Author

Just-Insane commented Mar 16, 2019

Preamble

I have added basic support for HashiCorp Vault with this commit Just-Insane@bbd02c1.

Features

Implemented Features

  • secret value storage in vault
  • secret value retrieval from vault (there is a pretty big bug, in that sed replaces first to last, which may not be how the vault values are returned).

Unimplemented Features

  • working with helm-wrapper
    • on-the-fly decryption for use with install/upgrade/diff/lint
  • ability to change the plaintext secret delimiter (currently hard-coded as "changeme")
  • ability to change the path that secrets are stored to in Vault
  • hide secret data on input/do not show on output
  • helm secrets clean appears to be broken, though it is unmodified
  • view support
  • edit support

Untested Features

  • multi-line secret values

Unplanned Features

  • non-K/V secrets
  • non-text secrets

Documentation

Prerequisites

  • Working Vault server
  • Vault agent setup on local machine
    • $VAULT_ADDR
    • $VAULT_TOKEN (or other auth configuration)

Workflow

  1. Modify your values.yaml files to change your secret values to 'changeme'
  2. Run helm secrets enc values.yaml
    1. You will be prompted to enter secret values for each 'changeme' found
    2. The entered secret values will be written to Vault
    3. You will be presented with the path where the secrets are stored
  3. Run helm secrets dec values.yaml
    1. You will be presented with the found secret values from Vault
    2. These secret values will automatically be substituted into values.yaml and stored at values.yaml.dec
  4. Run `helm secrets install --name [name] -f values.yaml.dec stable/[chart]`
    1. Helm will install your chart with the secrets stored in values.yaml.dec
  5. Clean up by running rm values.yaml.dec

Misc.

Support/Questions

If you have any questions or run into issues, open an issue at Just-Insane/helm-secrets or futuresimple/helm-secrets and @Just-Insane

Feature Requests

If you would like to suggest a new feature, open an issue at Just-Insane/helm-secrets or futuresimple/helm-secrets and @Just-Insane

@Just-Insane
Author

I ran into some issues with the function that pulls the values from Vault and puts them back into the "decrypted" file.

It is possible I could go through each key as it's found and perform the enc/dec operations per instance (see dict_walker() in Helm-Vault).

If anyone has a better thought on how to get the values from Vault into the decrypted file, I am all ears.

Due to this issue, I have been working on Helm-Vault, which has been re-written in Python with a proper YAML parser. So far this project has matched all of the features except those that use the Helm Wrapper function (install, upgrade, lint, diff); however, this is in progress.
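One way to do the per-key substitution discussed above (walking each key as it is found instead of a single first-to-last sed replacement), as an added example that is not Helm-Vault's or helm-secrets' own code. It assumes values.yaml has already been loaded with a YAML parser, so the input is shown as a constructed Python dict, and it stands in for a Vault K/V read with a constructed path-to-secret mapping.

```python
"""Replace 'changeme' placeholders in a parsed values.yaml structure by
looking each one up under its own YAML path.  Because the secret is tied to
the key's path, the order in which Vault returns values does not matter,
and multi-line secrets are handled like any other scalar."""
from typing import Any, Callable, Dict, List, Optional, Tuple

PLACEHOLDER = "changeme"  # plaintext secret delimiter used by the workflow


def walk(node: Any, path: Tuple[str, ...] = ()) -> List[Tuple[str, Any]]:
    """Return (dotted_path, value) for every scalar leaf in nested dicts/lists."""
    leaves: List[Tuple[str, Any]] = []
    if isinstance(node, dict):
        for k, v in node.items():
            leaves.extend(walk(v, path + (str(k),)))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            leaves.extend(walk(v, path + (str(i),)))
    else:
        leaves.append((".".join(path), node))
    return leaves


def find_placeholders(values: Dict[str, Any]) -> List[str]:
    """Paths the 'enc' step would prompt for (every leaf equal to PLACEHOLDER)."""
    return [p for p, v in walk(values) if v == PLACEHOLDER]


def substitute(node: Any, lookup: Callable[[str], Optional[str]],
               path: Tuple[str, ...] = ()) -> Any:
    """Copy of node with each placeholder replaced by lookup(dotted_path).
    A missing secret raises rather than silently leaving 'changeme' behind."""
    if isinstance(node, dict):
        return {k: substitute(v, lookup, path + (str(k),)) for k, v in node.items()}
    if isinstance(node, list):
        return [substitute(v, lookup, path + (str(i),)) for i, v in enumerate(node)]
    if node == PLACEHOLDER:
        key = ".".join(path)
        secret = lookup(key)
        if secret is None:
            raise KeyError(f"no secret stored in Vault for {key}")
        return secret
    return node


# Constructed sample: a parsed values.yaml with two placeholders.
SAMPLE_VALUES = {"image": {"repository": "nginx", "tag": "1.19"},
                 "database": {"user": "app", "password": "changeme"},
                 "api": {"keys": ["changeme", "public"]}}

# Constructed stand-in for Vault K/V (listed in a different order than the YAML).
FAKE_VAULT = {"secret/helm/mychart/api.keys.0": "api-secret-value",
              "secret/helm/mychart/database.password": "db\nmulti-line"}


def vault_lookup(key: str, base: str = "secret/helm/mychart") -> Optional[str]:
    return FAKE_VAULT.get(f"{base}/{key}")  # hypothetical path layout


def decrypt(values: Dict[str, Any] = SAMPLE_VALUES) -> Dict[str, Any]:
    """What the 'dec' step would write to values.yaml.dec."""
    return substitute(values, vault_lookup)
```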
