Skip to content

Instantly share code, notes, and snippets.

Last active June 12, 2024 18:01
Show Gist options
  • Save DzeryCZ/c4adf39d4a1a99ae6e594a183628eaee to your computer and use it in GitHub Desktop.
Save DzeryCZ/c4adf39d4a1a99ae6e594a183628eaee to your computer and use it in GitHub Desktop.
Decoding Helm3 resources in secrets

Helm 3 is storing description of it's releases in secrets. You can simply find them via

$ kubectl get secrets
NAME                                                TYPE                                  DATA   AGE
sh.helm.release.v1.wordpress.v1                               1      1h

If you want to get more info about the secret, you can try to describe the secret

$ kubectl describe secret sh.helm.release.v1.wordpress.v1
Name:         sh.helm.release.v1.wordpress.v1
Namespace:    default
Labels:       createdAt=1578561400
Annotations:  <none>


release:  34976 bytes

Now you can see, that the secret is holding one file release which has ~35kB. In order to read that, you need to know, that kubernetes secrets are base64 encoded by default. But after decoding, you still don't get the data because Helm3 is encoding those data further.

So in order to decode the data, you have to:

  • base64 decode - Kubernetes secrets encoding
  • base64 decode (again) - Helm encoding
  • gzip decompress - Helm zipping

The final command to get the Helm's release data can look like this:

kubectl get secrets sh.helm.release.v1.wordpress.v1 -o json | jq .data.release | tr -d '"' | base64 -d | base64 -d | gzip -d 

Voilà, now you have JSON data of Helm resources. It stores every Chart's file and further encode it via base64.

Copy link

thzinc commented Mar 30, 2020

This was super helpful! Thanks.

One minor improvement is to use jsonpath instead of jq | tr (though I love jq):

kubectl get secrets sh.helm.release.v1.wordpress.v1 -o jsonpath='{.data.release}' | base64 -D | base64 -D | gzip -d

Copy link

wooos commented May 22, 2020


Copy link

you can also do this:

helm get manifest wordpress


helm get values wordpress

Copy link

This is awesome. I was not able to decode helm release data. I tried doing base64 decode twice, but did not realise that gzip would be needed.

Copy link

skuethe commented Sep 25, 2020

Cool stuff, thanks for this. I went ahead and created a function for .bash_aliases just to make everyday life a bit easier.

helmsecret() {
    local fetchSecretJson
    local doesSecretExist
    if [[ -z "${1}" ]]; then
        echo "Missing secret name. Terminating"
        exit 1
        if [[ "${1}" == *"sh.helm.release"* ]]; then
            fetchSecretJson=$(kubectl get secret --ignore-not-found --all-namespaces --output json --field-selector "${1}")
            doesSecretExist=$(echo "${fetchSecretJson}" | jq --raw-output 'if (.items | length) > 0 then "true" else empty end')
            if [[ "${doesSecretExist}" == "true" ]]; then
                echo "${fetchSecretJson}" | jq --raw-output '.items[0].data.release' | base64 -d | base64 -d | gzip -d
                echo "There is no such helm secret on this cluster"
            echo "This is not a helm secret :("

Just put it in your ~/.bash_aliases, load it and use it:

. ~/.bash_aliases
helmsecret sh.helm.release.v1.SOMERELEASE.v2 | less

Btw. another easy way to avoid piping jq output into tr is to just use raw output option in jq.
So jq --raw-output '.' or just jq -r '.'

Copy link

FYI: now you can use base64decode with go-template - thanks to kubernetes/kubernetes#60755

kubectl get secret sh.helm.release.v1.myapp.v4 -o go-template='{{.data.release | base64decode | base64decode}}' | gzip -d | jq

Copy link


Copy link

wind57 commented Oct 26, 2021

marvelous! I come to this page like once a month for that command. kudos

Copy link

Just wanted to also add the command needed in case a secret requires to be edited like in situations where the deployment is stuck with status pending-upgrade and can't be rolled back.

Considering that myapp.v1.edited.json has the decoded and edited content of .data.release from the commands above:

gzip -c myapp.v1.edited.json | base64 | base64 -w 0

goes here

    "data": {
        "release": " <<output goes here>> "

Copy link

Thanks, this was really helpful!

Copy link

okay, but how is this different to helm get all %release_name%?

Copy link

From secrets you can get previous releases stuff. "get all" shows only current installed.

Anyway there are more user friendly ways to get it. I can advise helm dashboard plugin.

Copy link


Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment