HIP: Helm Vault Integration for Secure Value Retrieval #387

Open
wants to merge 1 commit into
base: main

Vineet0197

This HIP proposes integrating HashiCorp Vault with Helm to allow secure retrieval of sensitive values directly from Vault during Helm deployments. Currently, Helm users manually fetch secrets using external tools like the Vault CLI before passing them to Helm via --values. This approach introduces security risks and operational overhead.

By adding native Vault support in Helm, users can directly reference Vault secrets in their Helm commands, improving security, automation, and user experience.

Contributor

@mattfarina mattfarina left a comment

Thank you for the HIP. The idea generally makes sense. Because Helm cannot prioritize any one vendor over others, there need to be some changes to the design. Helm cannot prioritize any one vendor because it is part of the CNCF. We need this to be accessible to all vendors. For the Helm teams maintaining, we would want this to be an extensible mechanism so we do not need to merge and maintain code for all vendors.

With that in mind, what about the location being an extension point like we have with downloader plugins? (see https://helm.sh/docs/topics/plugins/#downloader-plugins)

vault:// has a / in it which is invalid for paths on the operating systems that Helm supports. So, we can do a lookup for a plugin to handle this. Things like --vault-address can be part of the environment which is then passed to the plugin.

What do you think of that?

2 participants