1 files changed, 44 insertions, 0 deletions

diff --git a/nixpkgs/pkgs/applications/networking/cluster/helm/plugins/helm-secrets.nix b/nixpkgs/pkgs/applications/networking/cluster/helm/plugins/helm-secrets.nix
new file mode 100644
index 000000000000..bef5d230ece3
--- /dev/null
+++ b/nixpkgs/pkgs/applications/networking/cluster/helm/plugins/helm-secrets.nix
@@ -0,0 +1,44 @@
+{ lib, stdenv, fetchFromGitHub, makeWrapper, coreutils, findutils, getopt, gnugrep, gnused, sops, vault }:
+
+stdenv.mkDerivation rec {
+  pname = "helm-secrets";
+  version = "3.5.0";
+
+  src = fetchFromGitHub {
+    owner = "jkroepke";
+    repo = pname;
+    rev = "v${version}";
+    hash = "sha256-EXCr0QjupsBBKTm6Opw5bcNwAD4FGGyOiqaa8L91/OI=";
+  };
+
+  nativeBuildInputs = [ makeWrapper ];
+  buildInputs = [ getopt sops ];
+
+  # NOTE: helm-secrets is comprised of shell scripts.
+  dontBuild = true;
+
+  # NOTE: Remove the install and upgrade hooks.
+  postPatch = ''
+    sed -i '/^hooks:/,+2 d' plugin.yaml
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    install -dm755 $out/${pname} $out/${pname}/scripts
+    install -m644 -Dt $out/${pname} plugin.yaml
+    cp -r scripts/* $out/${pname}/scripts
+    wrapProgram $out/${pname}/scripts/run.sh \
+        --prefix PATH : ${lib.makeBinPath [ coreutils findutils getopt gnugrep gnused sops vault ]}
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "A Helm plugin that helps manage secrets";
+    inherit (src.meta) homepage;
+    license = licenses.apsl20;
+    maintainers = with maintainers; [ yurrriq ];
+    platforms = platforms.all;
+  };
+}