In my recent article “How to encrypt Kubernetes secrets with Mozilla SOPS”, I demonstrated how to encrypt regular Kubernetes secret manifests (yaml) using SOPS CLI in conjunction with Azure Key Vault as the backend for the encryption-key.

This post will take it one step further; it guides you through the process of creating a custom Helm chart that will reference encrypted secrets. In the end, you will be able to add your encrypted secrets to source control without leaking sensitive information.

We will again deploy a simple Web API to expose all environment variables via HTTP for demonstration purposes.


This article assumes that you’ve installed Helm CLI and access to an instance of Azure Key Vault as described in the “How to encrypt Kubernetes secrets with Mozilla SOPS” article.

Install the helm-secrets plugin

To use encrypted, sensitive data in Helm, we have to install the helm-secrets plugin locally.

helm plugin install

# alternatively you can install a specific version
# see releases at
helm plugin install \
    --version v3.8.3

Generate a secrets file

You can create new encrypted secrets using sops CLI. At this point, we will use an encryption key stored in Azure Key Vault.

sops --azure-kv $ENCRYPTION_KEY_ID secrets.yml

This will open your default editor; for demonstration purposes, let’s create two sensitive values:

username: thns
password: secret_value

Save the file and close the editor again. Take a look at the new secrets.yml file (cat secrets.yml); it contains the encrypted representation of your configuration data. If you want to get the decrypted secrets, you can use the helm secrets view command like this:

# decrypt & print all secrets 
helm secrets view secrets.yml

# username: thns
# password: secret_value

The secrets plugin also allows editing previously created and already encrypted secrets using helm secrets edit secrets.yml. Use helm secerts to get a list of all available sub-commands.

Create a custom Helm chart

You can create new Helm charts by using the helm create <chart_name> command. Ensure that the chart is generated as a sibling to secrets.yml.

# total 1
# -rw-r--r--  1 thorsten  staff     1.3K Aug 11 11:24 secrets.yml

# create a new Helm chart called app
# helm CLI will place the chart in ./app
helm create app

At this point, Helm CLI will generate an example chart, which we will use as the starting point and apply some simple modifications before deploying it to Kubernetes.

Reference encrypted secrets

Now that the Helm chart has been created, add a new template to the app/templates folder with the name secret.yaml and provide the following content:

apiVersion: v1
kind: Secret
  name: samplesecret
type: Opaque
  username: {{ .Values.username | b64enc | quote }}
  password: {{ .Values.password | b64enc | quote }}

You can reference encrypted secrets like any other value in Go template language using the {{ .Values.NAME }} expression. Remember, references are case-sensitive. Next, update the app/templates/deployment.yaml and populate environment variables by adding a envFrom.secretRef to the sample deployment:

# omitted
  - name: {{ .Chart.Name }}
    image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
    imagePullPolicy: {{ .Values.image.pullPolicy }}
      - secretRef:
          name: samplesecret
# omitted

Also in app/templates/deployment.yaml update ports.containerPort from 80 to 5000

# omitted
  - name: http
    containerPort: 5000
    protocol: TCP
# omitted

Last, you have set the desired container image and tag in app/values.yaml look for the image block and update it to match the following:

  repository: thorstenhans/env-via-http
  pullPolicy: IfNotPresent
  tag: "0.0.1"

Deploy the application to Kubernetes

To deploy the Helm chart to Kubernetes, I have provisioned an Azure Kubernetes Service (AKS) instance. To isolate this sample from other applications running in the cluster, create a new Kubernetes namespace using kubectl:

# create a new Kubernetes namespace
kubectl create ns encrypted-secrets
# namespace/encrypted-secrets created

The previously installed plugin helm-secrets provides required commands to install a Helm chart that relies on encrypted secrets. Use helm secrets install and provide the desired Kubernetes namespace and the encrypted secrets file besides the reference to the chart itself as shown below:

helm secrets install ./app -n encrypted-secrets -f secrets.yml

Test the deployment

To test the deployment, create a port forwarding with kubectl and curl the root route as shown here:

# get all pods in desired namespace
kubectl get po -n encrypted-secrets

# NAME                   READY   STATUS    RESTARTS   AGE
# app-74cf6fdcbf-zbxx5   1/1     Running   0          99s

# create port-forwarding
kubectl port-forwarding -n encrypted-secrets \
    app-74cf6fdcbf-zbxx5 8080:5000

# Forwarding from -> 5000
# Forwarding from [::1]:8080 -> 5000

Open an additional terminal session and curl the root URL. The sample below pipes the standard output to jq to increase readability:

curl | jq

  "hostName": "app-74cf6fdcbf-zbxx5",
  "envVars": [
    // omitted
    // omitted


Distributing containerized applications with Helm has become the default since the release of Helm 3. Using the Helm secrets plugin, you can also use encrypted secrets in your custom Helm charts. Storing the encrypted representation of your secrets in source control is no longer an issue, and you are not in danger of leaking sensitive information. Again, Mozilla SOPS builds the flexible yet robust foundation for all of this.