Regenerate secret files with new secret key.

Old key should be specified in the $WERF_OLD_SECRET_KEY. New key should reside either in the $WERF_SECRET_KEY or .werf_secret_key file.

Command will extract data with the old key, generate new secret data and rewrite files:

  • standard raw secret files in the .helm/secret folder;
  • standard secret values yaml file .helm/secret-values.yaml;
  • additional secret values yaml files specified with EXTRA_SECRET_VALUES_FILE_PATH params


werf helm secret rotate-secret-key [EXTRA_SECRET_VALUES_FILE_PATH...] [options]


  $WERF_SECRET_KEY      Use specified secret key to extract secrets for the deploy. Recommended way 
                        to set secret key in CI-system. 
                        Secret key also can be defined in files:
                        * ~/.werf/global_secret_key (globally),
                        * .werf_secret_key (per project)
  $WERF_OLD_SECRET_KEY  Use specified old secret key to rotate secrets


            Use custom working directory (default $WERF_DIR or current directory)
            Use custom helm chart dir (default $WERF_HELM_CHART_DIR or .helm in working directory)
  -h, --help=false
            help for rotate-secret-key
            Use specified dir to store werf cache files and dirs (default $WERF_HOME or ~/.werf)
            Set log color mode.
            Supported on, off and auto (based on the stdout’s file descriptor referring to a        
            terminal) modes.
            Default $WERF_LOG_COLOR_MODE or auto mode.
            Enable debug (default $WERF_LOG_DEBUG).
            Enable emojis, auto line wrapping and log process border (default $WERF_LOG_PRETTY or   
            Disable explanatory output (default $WERF_LOG_QUIET).
            Set log terminal width.
            Defaults to:
            * interactive terminal width or 140
            Enable verbose output (default $WERF_LOG_VERBOSE).
            Use specified dir to store tmp files and dirs (default $WERF_TMP_DIR or system tmp dir)