Regenerate secret files with new secret key.

Old key should be specified in the $WERF_OLD_SECRET_KEY. New key should reside either in the $WERF_SECRET_KEY or .werf_secret_key file.

Command will extract data with the old key, generate new secret data and rewrite files:

  • standard raw secret files in the .helm/secret folder;
  • standard secret values yaml file .helm/secret-values.yaml;
  • additional secret values yaml files specified with EXTRA_SECRET_VALUES_FILE_PATH params

Syntax

werf helm secret rotate-secret-key [EXTRA_SECRET_VALUES_FILE_PATH...] [options]

Environments

  $WERF_SECRET_KEY      Use specified secret key to extract secrets for the deploy. Recommended way 
                        to set secret key in CI-system. 
                        
                        Secret key also can be defined in files:
                        * ~/.werf/global_secret_key (globally),
                        * .werf_secret_key (per project)
  $WERF_OLD_SECRET_KEY  Use specified old secret key to rotate secrets

Options

      --dir=''
            Use custom working directory (default $WERF_DIR or current directory)
      --helm-chart-dir=''
            Use custom helm chart dir (default $WERF_HELM_CHART_DIR or .helm in working directory)
      --home-dir=''
            Use specified dir to store werf cache files and dirs (default $WERF_HOME or ~/.werf)
      --tmp-dir=''
            Use specified dir to store tmp files and dirs (default $WERF_TMP_DIR or system tmp dir)

Options inherited from parent commands

      --hooks-status-progress-period=5
            Hooks status progress period in seconds. Set 0 to stop showing hooks status progress.   
            Defaults to $WERF_HOOKS_STATUS_PROGRESS_PERIOD_SECONDS or status progress period value
      --kube-config=''
            Kubernetes config file path (default $WERF_KUBE_CONFIG or $WERF_KUBECONFIG or           
            $KUBECONFIG)
      --kube-config-base64=''
            Kubernetes config data as base64 string (default $WERF_KUBE_CONFIG_BASE64 or            
            $WERF_KUBECONFIG_BASE64 or $KUBECONFIG_BASE64)
      --kube-context=''
            Kubernetes config context (default $WERF_KUBE_CONTEXT)
      --log-color-mode='auto'
            Set log color mode.
            Supported on, off and auto (based on the stdout’s file descriptor referring to a        
            terminal) modes.
            Default $WERF_LOG_COLOR_MODE or auto mode.
      --log-debug=false
            Enable debug (default $WERF_LOG_DEBUG).
      --log-pretty=true
            Enable emojis, auto line wrapping and log process border (default $WERF_LOG_PRETTY or   
            true).
      --log-quiet=false
            Disable explanatory output (default $WERF_LOG_QUIET).
      --log-terminal-width=-1
            Set log terminal width.
            Defaults to:
            * $WERF_LOG_TERMINAL_WIDTH
            * interactive terminal width or 140
      --log-verbose=false
            Enable verbose output (default $WERF_LOG_VERBOSE).
  -n, --namespace=''
            namespace scope for this request
      --status-progress-period=5
            Status progress period in seconds. Set -1 to stop showing status progress. Defaults to  
            $WERF_STATUS_PROGRESS_PERIOD_SECONDS or 5 seconds