From 3cbb6b0188e9be0cc09d77483d64228820624708 Mon Sep 17 00:00:00 2001 From: Vineet Aggarwal Date: Thu, 13 Feb 2025 00:56:52 +0530 Subject: [PATCH] HIP: Helm Vault Integration for Secure Value Retrieval --- hips/hip-0020.md | 171 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 171 insertions(+) create mode 100644 hips/hip-0020.md diff --git a/hips/hip-0020.md b/hips/hip-0020.md new file mode 100644 index 000000000..8a2fde2ab --- /dev/null +++ b/hips/hip-0020.md @@ -0,0 +1,171 @@ +--- +hip: 0020 +title: "Vault Integration for Helm" +authors: [ "@Vineet0197 Vineet Aggarwal " ] +created: "2025-02-13" +type: "feature" +status: "draft" +--- + +## Abstract + +This proposal aims to integrate HashiCorp Vault into Helm, allowing users to fetch values.yaml and application-specific properties directly from Vault without requiring an external CLI (vault-cli). This integration will improve security, streamline Helm deployments, and eliminate unnecessary dependencies. + +## Motivation + +Currently, Helm users rely on external tools like vault-cli to fetch secrets before passing them to Helm as values. This introduces several challenges: + +1. Security Risk – Secrets may be exposed as plain text during intermediate processing. +2. Additional Dependencies – Users must install and configure vault-cli separately. +3. Complex Workflows – Users must manually fetch secrets and pass them via subprocess calls. + +By integrating Vault directly into Helm, we can: + +1. Provide secure access to Vault secrets. +2. Remove the need for external dependencies. +3. Simplify deployments for organizations using Vault. + +## Rationale + +Helm already supports multiple getters (http, oci), making it logical to extend this to Vault. This proposal follows Helm’s existing design principles by: + +1. Implementing Vault as a getter.Provider, similar to HTTP/OCI. +2. Keeping the integration optional by using feature flags (--vault-address, --token). +3. Maintaining security best practices by fetching secrets directly into memory. + +## Specification + +### **CLI Usage** +Users can fetch Vault secrets directly using Helm: + +```sh + helm install my-release my-chart \ + --values vault://secret/data/myapp/values \ + --vault-address https://vault.example.com \ + --token ${VAULT_TOKEN} +``` + +```go + + func All(settings *cli.EnvSettings) Providers { + result := Providers{httpProvider, ociProvider} + + // Add Vault Provider if settings contain Vault details + if settings.VaultAddress != "" && settings.VaultToken != "" { + vaultProvider, _ := NewVaultGetter(settings.VaultAddress, settings.VaultToken) + result = append(result, vaultProvider) + } + + return result + } +``` + +## Backwards compatibility + +- This feature is optional and does not break existing functionality. +- If Vault credentials are not provided, Helm operates as usual. + +## Security implications + +- **Authentication**: Vault token authentication will be required. +- **Secret Handling**: Secrets are not stored on disk, only in memory. + +## How to teach this + +Once this feature is integrated into Helm, users can securely fetch values directly from **HashiCorp Vault** while installing or upgrading a Helm release. + +### **Using the Vault Integration in Helm CLI** + +Users can provide a Vault secret as a values source using the `vault://` scheme. The required Vault connection details (`vault-address` and `vault-token`) must be specified as CLI flags or environment variables. + +#### **Example Usage** + +```sh +helm install my-release my-chart \ + --values vault://secret/data/myapp/values \ + --vault-address https://vault.example.com \ + --token ${VAULT_TOKEN} +``` + +- vault://secret/data/myapp/values → Fetches the values.yaml directly from Vault. +- --vault-address → Specifies the Vault server address. +- --token → Provides authentication to access secrets securely. + +## Reference implementation + +[Pull Request for Helm](https://github.com/helm/helm/pull/13492) - most upvoted open PR + + +## Rejected ideas +N/A + +## Open issues +N/A + +## References + +[Troubleshoot.sh](https://troubleshoot.sh/) - the tool that is the motivation for this HIP. + +[safe-install plugin](https://github.com/z4ce/helm-safe-install) - Plugin that provides a similiar experience to what I hope this HIP will provide natively. + +## Reference - Examples Usage + +This section provides concrete examples of how users can leverage Helm’s Vault integration to securely fetch values from HashiCorp Vault while installing or upgrading Helm releases. + +### **1. Installing a Helm Chart with Values from Vault** + +Users can install a Helm chart by fetching values directly from **HashiCorp Vault** using the `vault://` scheme: + +```sh +helm install my-release my-chart \ + --values vault://secret/data/myapp/values \ + --vault-address https://vault.example.com \ + --token ${VAULT_TOKEN} +``` + +### **2. Using Environment Variables for Vault Authentication** + +To avoid passing credentials directly in CLI commands, users can set environment variables: + +```sh +export VAULT_ADDR="https://vault.example.com" +export VAULT_TOKEN="your-vault-token" + +helm install my-release my-chart --values vault://secret/data/myapp/values +``` + +### **3. Upgrading a Helm Release with Multiple Values Files from Vault** + +If users need to pass multiple values.yaml files stored in Vault, they can do so like this: + +```sh +helm upgrade my-release my-chart \ + --values vault://secret/data/common-values \ + --values vault://secret/data/env-specific-values +``` + +### **4. Fetching Application-Specific Properties from Vault** + +For applications that use .properties files instead of YAML, the integration will also support retrieving such files from Vault: + +```sh +helm install my-app my-chart \ + --property-file vault://secret/data/myapp/config.properties +``` + +### **5. Debugging and Verifying Vault-Integrated Helm Installations** + +Users can inspect the merged values before applying the chart: + +```sh +helm template my-release my-chart \ + --values vault://secret/data/myapp/values +``` + +To troubleshoot issues while retrieving values from Vault, users can enable verbose logging: + +```sh +helm install my-release my-chart \ + --values vault://secret/data/myapp/values \ + --debug --dry-run +```