// the find
jkroepke/helm-secrets
A helm plugin that helps manage secrets with Git workflow and store them anywhere
helm-secrets is a Helm plugin that decrypts encrypted value files on the fly before passing them to Helm, with sops as the primary backend and vals for pulling secrets directly from cloud providers like AWS Secrets Manager or Azure Key Vault. It solves a real problem: how do you store secrets alongside your Helm charts in Git without exposing them? It is aimed at teams doing GitOps with ArgoCD or similar.
The protocol handler approach (`secrets://secrets.yaml`) is cleaner than the older command-wrapper mode — ArgoCD can reference encrypted files natively without shelling out to a wrapper. Support for both sops (encrypt-in-git) and vals (reference-from-vault) means you can mix strategies per secret without changing your workflow. The ArgoCD integration is well-documented with real examples including GPG key injection via Kubernetes secrets, which is the hard part most docs skip. Test suite uses bats against real PGP-encrypted files rather than mocked decryption, so the tests actually catch real breakage.
It's a Shell plugin in 2026: the entire codebase is bash scripts with no type safety, and debugging a failure mid-`helm upgrade` means reading shell traces. The vals `--evaluate-templates` flag requires Helm 3.9+ and vals 0.20+, but there's no version gate in the plugin itself; you'll get a cryptic error if you're below that. Terraform support is a workaround through the external data source provider, and the maintainer explicitly calls out that the Terraform Helm provider doesn't support downloader plugins; this is a dead end, not a feature. Windows support consists of wrapper scripts that clearly feel like an afterthought relative to the Linux-first design.
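Since the plugin has no version gate for `--evaluate-templates`, a pipeline can add its own preflight check. The following is an added example, not code from helm-secrets; the function names and the `VALS_VERSION` variable are hypothetical, and the minimums are the ones stated above.

```shell
#!/bin/sh
# Added example: preflight gate for the vals --evaluate-templates flag.
# Minimum versions are the ones the review states: Helm 3.9 and vals 0.20.
MIN_HELM="3.9"
MIN_VALS="0.20"

# Reduce strings such as "v3.14.2+gc309b6f" or "Version: 0.37.1" to "3.14.2".
# Pre-release suffixes are dropped, so "v3.9.0-rc.1" is treated as 3.9.0.
normalize_version() {
    printf '%s\n' "$1" | head -n 1 | sed -e 's/^[^0-9]*//' -e 's/[^0-9.].*$//'
}

# version_ge HAVE WANT: 0 if HAVE >= WANT, 1 if older, 2 if unparsable.
# Fields are compared as integers, so 3.14 correctly ranks above 3.9.
version_ge() {
    have=$(normalize_version "$1")
    want=$(normalize_version "$2")
    [ -n "$have" ] && [ -n "$want" ] || return 2
    have="$have.0.0"; want="$want.0.0"   # pad so major.minor.patch exist
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$have" | cut -d. -f"$i")
        y=$(printf '%s\n' "$want" | cut -d. -f"$i")
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# check_evaluate_templates HELM_VERSION VALS_VERSION (hypothetical helper).
# Reports every tool that is too old or unparsable; returns 1 if any is.
check_evaluate_templates() {
    rc=0
    version_ge "$1" "$MIN_HELM" || {
        echo "helm '$1' is below $MIN_HELM: --evaluate-templates unavailable" >&2
        rc=1
    }
    version_ge "$2" "$MIN_VALS" || {
        echo "vals '$2' is below $MIN_VALS: --evaluate-templates unavailable" >&2
        rc=1
    }
    return "$rc"
}

# Call site in a CI step, before any helm command runs. VALS_VERSION is
# supplied by the caller from whatever the installed vals reports:
#   check_evaluate_templates "$(helm version --short)" "$VALS_VERSION" || exit 1
```

Failing here turns the cryptic mid-deploy error into an explicit message naming the outdated tool.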