Create secret driver engine

jkroepke · Apr 27, 2020 · 00fa306 · 00fa306
1 parent 41a64e0
commit 00fa306
Show file tree

Hide file tree

Showing 27 changed files with 562 additions and 339 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Added
+* Secret driver to gain secrets from other sources then sops. (https://github.com/jkroepke/helm-secrets/pull/16)
 
 ### Changed
 

diff --git a/scripts/commands/clean.sh b/scripts/commands/clean.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env sh
+
+set -eu
+
+clean_usage() {
+    cat <<EOF
+helm secrets clean <dir with secrets>
+
+Clean all decrypted files if any exist
+
+It removes all decrypted ${DEC_SUFFIX} files in the specified directory
+(recursively) if they exist.
+
+EOF
+}
+
+clean() {
+    if is_help "$1"; then
+        clean_usage
+        return
+    fi
+
+    basedir="$1"
+
+    if [ ! -d "${basedir}" ]; then
+        printf 'Directory does not exist: %s\n' "${basedir}"
+        exit 1
+    fi
+
+    find "$basedir" -type f -name "secrets*${DEC_SUFFIX}" -exec rm -v {} \;
+}
diff --git a/scripts/commands/dec.sh b/scripts/commands/dec.sh
@@ -0,0 +1,60 @@
+#!/usr/bin/env sh
+
+set -eu
+
+dec_usage() {
+    cat <<EOF
+helm secrets dec [ --driver <driver> | -d <driver> ] <path to file>
+
+Decrypt secrets
+
+It uses your gpg credentials to decrypt previously encrypted .yaml file.
+Produces ${DEC_SUFFIX} file.
+
+You can use plain sops to decrypt specific files - https://github.com/mozilla/sops
+
+Typical usage:
+  $ helm secrets dec secrets/myproject/secrets.yaml
+  $ vim secrets/myproject/secrets.yaml.dec
+
+EOF
+}
+
+decrypt_helper() {
+    file="${1}"
+
+    if [ ! -f "$file" ]; then
+        printf 'File does not exist: %s\n' "${file}"
+        exit 1
+    fi
+
+    if ! driver_is_file_encrypted "${file}"; then
+        return 1
+    fi
+
+    file_dec="$(file_dec_name "${file}")"
+
+    if ! driver_decrypt_file "yaml" "${file}" "${file_dec}"; then
+        printf 'Error while decrypting file: %s\n' "${file}"
+        exit 1
+    fi
+
+    return 0
+}
+
+dec() {
+    if is_help "$1"; then
+        dec_usage
+        return
+    fi
+
+    file="$1"
+
+    if [ ! -f "${file}" ]; then
+        printf 'File does not exist: %s\n' "${file}"
+        exit 1
+    else
+        printf 'Decrypting %s\n' "${file}"
+        decrypt_helper "${file}"
+    fi
+}
diff --git a/scripts/commands/edit.sh b/scripts/commands/edit.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env sh
+
+set -eu
+
+edit_usage() {
+    cat <<EOF
+helm secrets edit [ --driver <driver> | -d <driver> ] <path to file>
+
+Edit encrypted secrets
+
+Decrypt encrypted file, edit and then encrypt
+
+You can use plain sops to edit - https://github.com/mozilla/sops
+
+Example:
+  $ helm secrets edit <SECRET_FILE_PATH>
+  or $ sops <SECRET_FILE_PATH>
+  $ git add <SECRET_FILE_PATH>
+  $ git commit
+  $ git push
+
+EOF
+}
+
+edit_helper() {
+    file="$1"
+
+    if [ ! -e "${file}" ]; then
+        printf 'File does not exist: %s\n' "${file}"
+        exit 1
+    fi
+
+    driver_edit_file "yaml" "${file}"
+}
+
+edit() {
+    file="$1"
+    edit_helper "${file}"
+}
diff --git a/scripts/commands/enc.sh b/scripts/commands/enc.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env sh
+
+set -eu
+
+enc_usage() {
+    cat <<EOF
+helm secrets enc [ --driver <driver> | -d <driver> ] <path to file>
+
+Encrypt secrets
+
+It uses your gpg credentials to encrypt .yaml file. If the file is already
+encrypted, look for a decrypted ${DEC_SUFFIX} file and encrypt that to .yaml.
+This allows you to first decrypt the file, edit it, then encrypt it again.
+
+You can use plain sops to encrypt - https://github.com/mozilla/sops
+
+Example:
+  $ helm secrets enc <SECRET_FILE_PATH>
+  $ git add <SECRET_FILE_PATH>
+  $ git commit
+  $ git push
+
+EOF
+}
+
+encrypt_helper() {
+    dir=$(dirname "$1")
+    file=$(basename "$1")
+
+    cd "$dir"
+
+    if [ ! -f "${file}" ]; then
+        printf 'File does not exist: %s\n' "${dir}/${file}"
+        exit 1
+    fi
+
+    file_dec="$(file_dec_name "${file}")"
+
+    if [ ! -f "${file_dec}" ]; then
+        file_dec="${file}"
+    fi
+
+    if is_file_encrypted "${file_dec}"; then
+        printf "Already encrypted: %s\n" "${file_dec}"
+        exit 1
+    fi
+
+    driver_encrypt_file "yaml" "${file_dec}" "${file}"
+
+    if [ "${file}" = "${file_dec}" ]; then
+        printf 'Encrypted %s\n' "${file}"
+    else
+        printf 'Encrypted %s to %s\n' "${file_dec}" "${file}"
+    fi
+}
+
+enc() {
+    if is_help "$1"; then
+        enc_usage
+        return
+    fi
+
+    file="$1"
+
+    if [ ! -f "${file}" ]; then
+        printf 'File does not exist: %s\n' "${file}"
+        exit 1
+    else
+        printf 'Encrypting %s\n' "${file}"
+        encrypt_helper "${file}"
+    fi
+}
diff --git a/scripts/commands/helm.sh b/scripts/commands/helm.sh
@@ -0,0 +1,125 @@
+#!/usr/bin/env sh
+
+set -eu
+
+# shellcheck disable=SC1090
+. "${SCRIPT_DIR}/commands/dec.sh"
+
+helm_command_usage() {
+    cat <<EOF
+helm secrets $1 [ --driver <driver> | -d <driver> ] [ --quiet | -q ]
+
+This is a wrapper for "helm [command]". It will detect -f and
+--values options, and decrypt any secrets*.yaml files before running "helm
+[command]".
+
+Example:
+  $ helm secrets upgrade <HELM UPGRADE OPTIONS>
+  $ helm secrets lint <HELM LINT OPTIONS>
+
+Typical usage:
+  $ helm secrets upgrade i1 stable/nginx-ingress -f values.test.yaml -f secrets.test.yaml
+  $ helm secrets lint ./my-chart -f values.test.yaml -f secrets.test.yaml
+
+EOF
+}
+
+helm_wrapper_cleanup() {
+    if [ -s "${decrypted_files}" ]; then
+        if [ "${QUIET}" = "false" ]; then
+            echo >/dev/stderr
+            # shellcheck disable=SC2016
+            xargs -0 -n1 sh -c 'rm "$1" && printf "[helm-secrets] Removed: %s\n" "$1"' sh >/dev/stderr <"${decrypted_files}"
+        else
+            xargs -0 rm >/dev/stderr <"${decrypted_files}"
+        fi
+    fi
+
+    rm "${decrypted_files}"
+}
+
+helm_wrapper() {
+    decrypted_files=$(mktemp)
+    QUIET=false
+    HELM_CMD_SET=false
+
+    argc=$#
+    j=0
+
+    #cleanup on-the-fly decrypted files
+    trap helm_wrapper_cleanup EXIT
+
+    while [ $j -lt $argc ]; do
+        case "$1" in
+        --)
+            # skip --, and what remains are the cmd args
+            set -- "$1"
+            shift
+            break
+            ;;
+        -f | --values)
+            set -- "$@" "$1"
+
+            file="${2}"
+            file_dec="$(file_dec_name "${file}")"
+            if [ -f "${file_dec}" ]; then
+                set -- "$@" "$file_dec"
+
+                if [ "${QUIET}" = "false" ]; then
+                    printf '[helm-secrets] Decrypt skipped: %s' "${file}" >/dev/stderr
+                fi
+            else
+                if decrypt_helper "${file}"; then
+                    set -- "$@" "$file_dec"
+                    printf '%s\0' "${file_dec}" >>"${decrypted_files}"
+
+                    if [ "${QUIET}" = "false" ]; then
+                        printf '[helm-secrets] Decrypt: %s' "${file}" >/dev/stderr
+                    fi
+                else
+                    set -- "$@" "$file"
+                fi
+            fi
+
+            shift
+            j=$((j + 1))
+            ;;
+        -*)
+            if [ "${HELM_CMD_SET}" = "false" ]; then
+                case "$1" in
+                -q | --quiet)
+                    QUIET=true
+                    ;;
+                *)
+                    set -- "$@" "$1"
+                    ;;
+                esac
+            else
+                set -- "$@" "$1"
+            fi
+            ;;
+        *)
+            HELM_CMD_SET=true
+            set -- "$@" "$1"
+            ;;
+        esac
+
+        shift
+        j=$((j + 1))
+    done
+
+    if [ "${QUIET}" = "false" ]; then
+        echo >/dev/stderr
+    fi
+
+    "${HELM_BIN}" ${TILLER_HOST:+--host "$TILLER_HOST"} "$@"
+}
+
+helm_command() {
+    if [ $# -lt 2 ] || is_help "$2"; then
+        helm_command_usage "${1:-"[helm command]"}"
+        return
+    fi
+
+    helm_wrapper "$@"
+}
diff --git a/scripts/commands/view.sh b/scripts/commands/view.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env sh
+
+set -eu
+
+view_usage() {
+    cat <<EOF
+helm secrets view [ --driver <driver> | -d <driver> ] <path to file>
+
+View specified secrets[.*].yaml file
+
+Typical usage:
+  $ helm secrets view secrets/myproject/nginx/secrets.yaml | grep basic_auth
+
+EOF
+}
+
+view_helper() {
+    file="$1"
+
+    if [ ! -f "${file}" ]; then
+        printf 'File does not exist: %s\n' "${file}"
+        exit 1
+    fi
+
+    driver_decrypt_file "yaml" "${file}"
+}
+
+view() {
+    if is_help "$1"; then
+        view_usage
+        return
+    fi
+
+    view_helper "$1"
+}