Add function to decrypt via the sops tool #929

Open
smeierhofer opened this issue Nov 1, 2019 · 8 comments

smeierhofer commented Nov 1, 2019

I would like to read a file that has been encrypted via sops, decrypt it, and base64 encode it so that it is in the format needed by the Helm Secrets template.

The reason to do this is that my application has several application configuration files and some of the configuration settings are sensitive and should be encrypted when saved on disk. Also, I have a PKCS 12 keystore that is a binary format and would also like it encrypted on disk. So then I could use code such as {{- readFile "keystore.p12.enc" | decrypt | b64enc | nindent 4 }}.

Sops works well to decrypt as it integrates into Azure Key Vaults (and similar tech from other vendors) where the encryption keys are stored in the Azure key vault and only accessible to those who have been granted access.

I am not sure of the options to the sops command that would need to be exposed to a "decrypt" function in helmfile.

See also...
Issue in Helm for more context of the problem: helm/helm#6859
Issue in Sprig that asks for the function: Masterminds/sprig#210


mumoshu commented Nov 3, 2019

@smeierhofer Hey! Thanks for the request.

I've read this twice and, honestly speaking, I'm still unsure why you'd need this.

First of all, shouldn't your chart b64enc it rather than you doing it in Helmfile? I believe that's the pattern seen in many charts.

If you can change your chart as such, I believe you're all set. Helmfile already has out-of-the-box support for passing any value extracted from a SOPS-encrypted file. See #906, and for usage with SOPS specifically please read https://github.com/variantdev/vals#sops.


smeierhofer commented Nov 3, 2019

I have a P12 keystore which is a binary format. I need to encrypt the keystore file and check it in to git. I need helmfile to read this keystore and pass it to the helm chart, which puts it into a Kubernetes Secret. But because the keystore file needs to be encrypted, I need the helmfile gotmpl to read and decrypt the file and then base64 encode it, and pass the encoded data to the helm chart via a chart value. The helm chart includes the encoded data in a Kubernetes Secret, which requires the data be base64 encoded, which it already is. I do not know of any other way to pass the binary keystore to the helm chart other than to base-64 encode it.

In another case I have plain text Java properties files that need to be passed to the helm chart. I put all these files into a folder named "config" and I use the following code in the helmfile gotmpl to read all the config files and provide them to the helm chart.

app:
  config:
    {{- range $file := ( exec "sh" (list "-c" "echo config/*")) | trim | splitList " " }}
      {{- $contents := readFile $file }}
      {{- $config := printf "%s: |\n%s" (base $file) (indent 2 $contents) }}
          {{- $config | nindent 4 }}
    {{- end }}

But some of these configuration files contain sensitive data and so they need to be encrypted on disk, and so I'd like to use code such as this {{- $contents := readFile $file | decrypt }} in the above code to read the encrypted configuration file, decrypt it using sops, and include the results in the values passed to the helm chart. In lieu of a "decrypt" function, I wonder if something like this would work for my purposes, but I haven't tried it: {{- $contents := exec "sops" (list "--decrypt" $file) }}.
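The pipeline `readFile | decrypt | b64enc | nindent 4` asked for above can be wired up as Go text/template functions, which is how a Helmfile-side `decrypt` would have to look. The program below is an added example, not code from Helmfile or from the issue author: the `Decrypter` hook, the in-memory `files` map and the `DEMO-ENC[...]` envelope are constructed stand-ins for the working directory and for `sops --decrypt`, so the template plumbing can be run offline. The point it shows is that a failing decryption aborts rendering (template functions may return an error) instead of letting ciphertext or an empty string flow into the chart values.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"os"
	"strings"
	"text/template"
)

// Decrypter is the hook a "decrypt" template function would call. Helmfile
// would back it with `sops --decrypt`; the demo injects a fake so the
// template plumbing runs offline. (Hypothetical type, not a Helmfile API.)
type Decrypter func(ciphertext []byte) ([]byte, error)

// files stands in for the working directory (constructed sample data).
// The "encrypted" keystore is a fake envelope that demoDecrypt understands;
// its payload is five bytes that are not valid UTF-8, like a real .p12.
var files = map[string][]byte{
	"keystore.p12.enc": []byte("DEMO-ENC[MIIABf8=]"),
}

// demoDecrypt unwraps DEMO-ENC[<base64>] and returns the raw bytes. Anything
// else is an error, so ciphertext can never pass through as plaintext.
func demoDecrypt(ct []byte) ([]byte, error) {
	s := string(ct)
	if !strings.HasPrefix(s, "DEMO-ENC[") || !strings.HasSuffix(s, "]") {
		return nil, fmt.Errorf("decrypt: input is not a DEMO-ENC envelope")
	}
	return base64.StdEncoding.DecodeString(s[len("DEMO-ENC[") : len(s)-1])
}

// funcMap registers the four functions used in the snippet. A function that
// returns (value, error) aborts template execution when err is non-nil.
func funcMap(dec Decrypter) template.FuncMap {
	return template.FuncMap{
		"readFile": func(name string) (string, error) {
			b, ok := files[name]
			if !ok {
				return "", fmt.Errorf("readFile: %s not found", name)
			}
			return string(b), nil
		},
		"decrypt": func(ct string) (string, error) {
			pt, err := dec([]byte(ct))
			return string(pt), err // Go strings carry arbitrary bytes losslessly
		},
		"b64enc": func(s string) string {
			return base64.StdEncoding.EncodeToString([]byte(s))
		},
		// Sprig-style nindent: a leading newline, then every line indented n spaces.
		"nindent": func(n int, s string) string {
			pad := strings.Repeat(" ", n)
			return "\n" + pad + strings.ReplaceAll(s, "\n", "\n"+pad)
		},
	}
}

// valuesTemplate is the pattern from the issue: read, decrypt, base64, indent.
const valuesTemplate = `app:
  keystore:
    {{- readFile "keystore.p12.enc" | decrypt | b64enc | nindent 4 }}
`

// Render executes the template. The decrypted keystore exists only in memory
// between the decrypt and b64enc steps; nothing is written to disk.
func Render(dec Decrypter) (string, error) {
	t, err := template.New("values").Funcs(funcMap(dec)).Parse(valuesTemplate)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, nil); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	out, err := Render(demoDecrypt)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Print(out)
}
```

Running it prints the `app.keystore` value as the base64 string `MIIABf8=` on its own indented line, which is exactly what the chart can drop into a Secret's `data` field without a second encoding step.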


mumoshu commented Nov 3, 2019

the helmfile values gotmpl reads and decrypts the binary file, then b64 encodes it and passes the base-64 encoded data to the helm chart via a chart value. The helm chart includes the encoded data in a Kubernetes Secret, which requires the data be base64 encoded, which it already is.

@smeierhofer Thanks! This makes sense, but...

But some of these configuration files contain sensitive data and so they need to be encrypted on disk and so I'd like to use code such as this {{- $contents := readFile $file | decrypt }} in the above code to read the encrypted configuration file, decrypt it using sops, and include the results in the values passed to the helm chart

So do you, in the end, get the decrypted (cleartext) .properties files, which you want to pass to the chart? For that case I can still suggest generating helmfile.yaml like this:

  values:
  - app:
      config:
        file1: ref+sops://path/to/file1.enc
        file2: ref+sops://path/to/file2.enc
        # ...


mumoshu commented Nov 3, 2019

In case you do encrypt a binary file (other than .properties) with sops, I think we can enhance the ref+ syntax to support returning a b64-encoded result:

  values:
  - app:
      config:
        binaryfile1: ref+sops://path/to/binaryfile1.enc?encode=base64
        file2: ref+sops://path/to/file2.enc
        # ...

smeierhofer commented

Yes, in the end I do get the cleartext .properties file, which I pass to the chart. I will try out the suggestions. I did not know that I could simply list references to files in the values section of the helmfile.yaml. Also, I like the suggested way to handle base64 encoding the results.


mumoshu commented Nov 3, 2019

I did not know that I could simply list references to files in the values section of the helmfile.yaml

@smeierhofer It's the latest major new feature in Helmfile, so we lack docs :) Sorry about that. Please feel free to ask anything about it.

Also, I like the suggested way to handle base64 encoding the results.

Great! But to be clear, you won't need it for now if #929 (comment) works so that you can just defer b64enc to the chart template?

smeierhofer commented

What happens if I use file: ref+sops://path/to/binaryfile1.enc to reference a binary file? I wouldn't expect Helm to allow binary data in a helm chart value. But I have never tried it.


mumoshu commented Nov 3, 2019

@smeierhofer It decrypts path/to/binaryfile1.enc with sops. If the original file was a .properties file, it's basically the same as file: <the content of the original .properties file, which is a text file containing key=value pairs>.
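To make the `ref+sops://path?encode=base64` proposal above and the binary-file question concrete, here is an added example of how such references can be parsed and expanded over a values tree. It is illustration code written for this thread, not the vals or Helmfile implementation: `ParseRef`, `Resolve`, the `Decrypter` hook and the `fakeSops` store (with constructed plaintexts in place of `sops --decrypt`) are all assumptions. It also goes one step beyond the answer given above: where a reference without `encode=base64` would splice non-UTF-8 bytes into a text value, the example refuses the reference instead of passing corrupted data on to the chart.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
	"unicode/utf8"
)

// Ref is a parsed "ref+<backend>://<path>?<params>" value reference.
// The encode=base64 parameter is the one proposed in this thread; the type
// and the parsing below are an illustration, not vals' or Helmfile's code.
type Ref struct {
	Backend string // e.g. "sops"
	Path    string // e.g. "path/to/file1.enc"
	Encode  string // "" (pass plaintext through) or "base64"
}

// ParseRef splits a ref+ string into backend, path and the encode option.
// Unknown encodings are rejected so a typo cannot silently emit raw bytes.
func ParseRef(s string) (*Ref, error) {
	const prefix = "ref+"
	if !strings.HasPrefix(s, prefix) {
		return nil, fmt.Errorf("not a ref+ reference: %q", s)
	}
	u, err := url.Parse(strings.TrimPrefix(s, prefix))
	if err != nil {
		return nil, err
	}
	if u.Scheme == "" {
		return nil, fmt.Errorf("missing backend in %q", s)
	}
	enc := u.Query().Get("encode")
	if enc != "" && enc != "base64" {
		return nil, fmt.Errorf("unsupported encode=%q in %q", enc, s)
	}
	// url.Parse puts the first segment of a relative path such as
	// ref+sops://path/to/file.enc into Host; rejoin it with Path.
	return &Ref{Backend: u.Scheme, Path: u.Host + u.Path, Encode: enc}, nil
}

// Decrypter resolves a backend-specific path to plaintext bytes. A real
// implementation would shell out to sops; the demo injects a fake.
type Decrypter func(backend, path string) ([]byte, error)

// Resolve walks a values tree (as decoded from helmfile.yaml) and replaces
// every ref+ string with its decrypted content, keeping plaintext in memory only.
func Resolve(v interface{}, dec Decrypter) (interface{}, error) {
	switch t := v.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(t))
		for k, child := range t {
			r, err := Resolve(child, dec)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", k, err)
			}
			out[k] = r
		}
		return out, nil
	case []interface{}:
		out := make([]interface{}, len(t))
		for i, child := range t {
			r, err := Resolve(child, dec)
			if err != nil {
				return nil, err
			}
			out[i] = r
		}
		return out, nil
	case string:
		if !strings.HasPrefix(t, "ref+") {
			return t, nil
		}
		ref, err := ParseRef(t)
		if err != nil {
			return nil, err
		}
		plain, err := dec(ref.Backend, ref.Path)
		if err != nil {
			return nil, err
		}
		if ref.Encode == "base64" {
			return base64.StdEncoding.EncodeToString(plain), nil
		}
		// Without encode=base64 the plaintext is spliced in as text, so a
		// binary payload such as a .p12 keystore is refused rather than mangled.
		if !utf8.Valid(plain) {
			return nil, fmt.Errorf("%s: binary content needs ?encode=base64", ref.Path)
		}
		return string(plain), nil
	default:
		return v, nil // numbers, bools, nil pass through untouched
	}
}

// fakeSops stands in for `sops --decrypt` with constructed plaintexts.
var fakeSops Decrypter = func(backend, path string) ([]byte, error) {
	store := map[string][]byte{
		"path/to/file2.enc":       []byte("db.user=app\ndb.password=s3cret\n"),
		"path/to/binaryfile1.enc": {0x30, 0x82, 0x00, 0x05, 0xff}, // not valid UTF-8
	}
	if backend != "sops" {
		return nil, fmt.Errorf("unknown backend %q", backend)
	}
	p, ok := store[path]
	if !ok {
		return nil, fmt.Errorf("no such encrypted file %q", path)
	}
	return p, nil
}

func main() {
	values := map[string]interface{}{
		"app": map[string]interface{}{
			"config": map[string]interface{}{
				"binaryfile1": "ref+sops://path/to/binaryfile1.enc?encode=base64",
				"file2":       "ref+sops://path/to/file2.enc",
			},
		},
	}
	out, err := Resolve(values, fakeSops)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%v\n", out)
}
```

With the two references from the example helmfile.yaml above, `file2` resolves to the cleartext properties and `binaryfile1` to `MIIABf8=`; the same `binaryfile1` reference without `?encode=base64` is rejected, which is the case the question about binary files was probing.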
