Add remote files

jkroepke · Nov 1, 2020 · 74c9639 · 74c9639
1 parent f36b90a
commit 74c9639
Show file tree

Hide file tree

Showing 26 changed files with 331 additions and 122 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -22,6 +22,7 @@ jobs:
         uses: luizm/[email protected]
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SHELLCHECK_OPTS: -x
         with:
           sh_checker_comment: true
           sh_checker_exclude: "tests"

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,8 +8,12 @@ Allow override sops version on installation
 
 ## [Unreleased]
 
+From this version, the installation on Helm 2 requires additional steps.
+Check [README.md](README.md#installation-on-helm-2) 
+
 ### Added
 - Implement alternate syntax (https://github.com/jkroepke/helm-secrets/pull/52)
+- Remote values support (supporting http:// and helm downloader plugins) (https://github.com/jkroepke/helm-secrets/pull/54)
 
 ## [3.3.5] - 2020-10-16
 

diff --git a/README.md b/README.md
@@ -128,6 +128,27 @@ curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.3.4/hel
 curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.3.4/helm-secrets.tar.gz | tar -C "$HOME/.local/share/helm/plugins" -xzf-
 ```
 
+### Installation on Helm 2
+Helm 2 doesn't support downloader plugins. Since unknown keys in `plugin.yaml` are fatal, then plugin installation need special handling.
+
+Error on Helm 2 installation:
+```
+# helm plugin install https://github.com/jkroepke/helm-secrets
+Error: yaml: unmarshal errors:
+  line 12: field platformCommand not found in type plugin.Metadata
+```
+
+Workaround:
+
+1. Install helm-secrets via [manual installation](README.md#manual-installation)
+2. Strip `platformCommand` from `plugin.yaml`:
+   ```
+   sed -i '/platformCommand:/,+2 d' "${HELM_HOME:-"${HOME}/.helm"}/plugins/helm-secrets*/plugin.yaml"
+   ```
+3. Done
+
+Client [here](https://github.com/adorsys-containers/ci-helm/blob/f9a8a5bf8953ab876266ca39ccbdb49228e9f117/images/2.17/Dockerfile#L91) for an example!
+
 ## Change secret driver
 
 It's possible to use another secret driver then sops, e.g. Hasicorp Vault.

diff --git a/scripts/commands/dec.sh b/scripts/commands/dec.sh
@@ -21,21 +21,21 @@ EOF
 }
 
 decrypt_helper() {
-    file="${1}"
+    encrypted_file="${1}"
 
-    if [ ! -f "$file" ]; then
-        printf 'File does not exist: %s\n' "${file}"
+    if ! encrypted_file_path=$(_file_get "${encrypted_file}"); then
+        printf '[helm-secrets] File does not exist: %s\n' "${encrypted_file}"
         exit 1
     fi
 
-    if ! driver_is_file_encrypted "${file}"; then
+    if ! driver_is_file_encrypted "${encrypted_file_path}"; then
         return 1
     fi
 
-    file_dec="$(file_dec_name "${file}")"
+    encrypted_file_dec="$(_file_dec_name "${encrypted_file_path}")"
 
-    if ! driver_decrypt_file "yaml" "${file}" "${file_dec}"; then
-        printf 'Error while decrypting file: %s\n' "${file}"
+    if ! driver_decrypt_file "yaml" "${encrypted_file_path}" "${encrypted_file_dec}"; then
+        printf '[helm-secrets] Error while decrypting file: %s\n' "${file}"
         exit 1
     fi
 
@@ -50,11 +50,6 @@ dec() {
 
     file="$1"
 
-    if [ ! -f "${file}" ]; then
-        printf 'File does not exist: %s\n' "${file}"
-        exit 1
-    else
-        printf 'Decrypting %s\n' "${file}"
-        decrypt_helper "${file}"
-    fi
+    printf '[helm-secrets] Decrypting %s\n' "${file}"
+    decrypt_helper "${file}"
 }
diff --git a/scripts/commands/enc.sh b/scripts/commands/enc.sh
@@ -33,7 +33,7 @@ encrypt_helper() {
         printf 'File does not exist: %s\n' "${dir}/${file}"
         exit 1
     fi
-    file_dec="$(file_dec_name "${file}")"
+    file_dec="$(_file_dec_name "${file}")"
 
     if [ ! -f "${file_dec}" ]; then
         file_dec="${file}"

diff --git a/scripts/commands/helm.sh b/scripts/commands/helm.sh
@@ -24,29 +24,26 @@ Typical usage:
 EOF
 }
 
-helm_wrapper_cleanup() {
+decrypted_files=$(mktemp)
+
+_trap_hook() {
     if [ -s "${decrypted_files}" ]; then
         if [ "${QUIET}" = "false" ]; then
             echo >&2
             # shellcheck disable=SC2016
-            xargs -0 -n1 sh -c 'rm "$1" && printf "[helm-secrets] Removed: %s\n" "$1"' sh >&2 <"${decrypted_files}"
+            xargs -r -0 -n1 sh -c 'rm "$1" && printf "[helm-secrets] Removed: %s\n" "$1"' sh >&2 <"${decrypted_files}"
         else
-            xargs -0 rm >&2 <"${decrypted_files}"
+            xargs -r -0 rm >&2 <"${decrypted_files}"
         fi
-    fi
 
-    rm "${decrypted_files}"
+        rm "${decrypted_files}"
+    fi
 }
 
 helm_wrapper() {
-    decrypted_files=$(mktemp)
-
     argc=$#
     j=0
 
-    #cleanup on-the-fly decrypted files
-    trap helm_wrapper_cleanup EXIT
-
     while [ $j -lt $argc ]; do
         case "$1" in
         --)
@@ -71,15 +68,20 @@ helm_wrapper() {
                 ;;
             esac
 
-            file_dec="$(file_dec_name "${file}")"
+            if ! real_file=$(_file_get "${file}"); then
+                printf '[helm-secrets] File does not exist: %s\n' "${file}"
+                exit 1
+            fi
+
+            file_dec="$(_file_dec_name "${real_file}")"
             if [ -f "${file_dec}" ]; then
                 set -- "$@" "$file_dec"
 
                 if [ "${QUIET}" = "false" ]; then
                     printf '[helm-secrets] Decrypt skipped: %s' "${file}" >&2
                 fi
             else
-                if decrypt_helper "${file}"; then
+                if decrypt_helper "${real_file}"; then
                     set -- "$@" "$file_dec"
                     printf '%s\0' "${file_dec}" >>"${decrypted_files}"
 

diff --git a/scripts/commands/view.sh b/scripts/commands/view.sh
@@ -17,12 +17,14 @@ EOF
 view_helper() {
     file="$1"
 
-    if [ ! -f "${file}" ]; then
+    if ! _file_exists "$file"; then
         printf 'File does not exist: %s\n' "${file}"
         exit 1
     fi
 
-    driver_decrypt_file "yaml" "${file}"
+    real_file=$(_file_get "${file}")
+
+    driver_decrypt_file "yaml" "${real_file}"
 }
 
 view() {

diff --git a/scripts/install.sh b/scripts/install.sh
@@ -2,6 +2,12 @@
 
 set -eu
 
+# Path to current directory
+SCRIPT_DIR="$(dirname "$0")"
+
+# shellcheck source=scripts/lib/http.sh
+. "${SCRIPT_DIR}/lib/http.sh"
+
 SOPS_DEFAULT_VERSION="v3.6.1"
 SOPS_VERSION="${SOPS_VERSION:-$SOPS_DEFAULT_VERSION}"
 SOPS_LINUX_URL="${SOPS_LINUX_URL:-"https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux"}"
@@ -13,16 +19,6 @@ RED='\033[0;31m'
 #YELLOW='\033[1;33m'
 NOC='\033[0m'
 
-download() {
-    if command -v curl >/dev/null; then
-        curl -sSfL "$1"
-    elif command -v wget >/dev/null; then
-        wget -q -O- "$1"
-    else
-        return 1
-    fi
-}
-
 get_sha_256() {
     if command -v sha256sum >/dev/null; then
         res=$(sha256sum "$1")

diff --git a/scripts/lib/file.sh b/scripts/lib/file.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env sh
+
+# shellcheck source=scripts/lib/file/local.sh
+. "${SCRIPT_DIR}/lib/file/local.sh"
+
+# shellcheck source=scripts/lib/file/http.sh
+. "${SCRIPT_DIR}/lib/file/http.sh"
+
+# shellcheck source=scripts/lib/file/custom.sh
+. "${SCRIPT_DIR}/lib/file/custom.sh"
+
+_file_get_protocol() {
+    case "$1" in
+    http*)
+        echo "http"
+        ;;
+    *://*)
+        echo "custom"
+        ;;
+    *)
+        echo "local"
+        ;;
+    esac
+}
+
+_file_exists() {
+    file_type=$(_file_get_protocol "${1}")
+
+    _file_"${file_type}"_exists "$@"
+}
+
+_file_get() {
+    file_type=$(_file_get_protocol "${1}")
+
+    _file_"${file_type}"_get "$@"
+}
+
+_file_put() {
+    file_type=$(_file_get_protocol "${1}")
+
+    _file_"${file_type}"_put "$@"
+}
+
+_file_dec_name() {
+    if [ "${DEC_DIR}" != "" ]; then
+        printf '%s' "${DEC_DIR}/$(basename "${1}" ".yaml")${DEC_SUFFIX}"
+    else
+        printf '%s' "$(dirname "${1}")/$(basename "${1}" ".yaml")${DEC_SUFFIX}"
+    fi
+}
diff --git a/scripts/lib/file/custom.sh b/scripts/lib/file/custom.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env sh
+
+_file_custom_exists() {
+    _file_custom_get "$@" >/dev/null
+}
+
+_file_custom_get() {
+    _tmp_file=$(mktemp)
+    helm template "${SCRIPT_DIR}/lib/file/helm-values-getter" -f "${1}" >"${_tmp_file}"
+    printf '%s' "${_tmp_file}"
+}
+
+_file_custom_put() {
+    echo "Can't write to remote files!"
+    exit 1
+}
diff --git a/scripts/lib/file/helm-values-getter/Chart.yaml b/scripts/lib/file/helm-values-getter/Chart.yaml
@@ -0,0 +1,3 @@
+apiVersion: v2
+name: helm-values-getter
+version: 1.0.0
diff --git a/scripts/lib/file/helm-values-getter/templates/values.yaml b/scripts/lib/file/helm-values-getter/templates/values.yaml
@@ -0,0 +1 @@
+{{- .Values | toYaml -}}
diff --git a/scripts/lib/file/helm-values-getter/values.yaml b/scripts/lib/file/helm-values-getter/values.yaml
diff --git a/scripts/lib/file/http.sh b/scripts/lib/file/http.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env sh
+
+_file_http_exists() {
+    _file_http_get "$@" >/dev/null
+}
+
+_file_http_get() {
+    _tmp_file=$(mktemp)
+    download "${1}" >"${_tmp_file}"
+    printf '%s' "${_tmp_file}"
+}
+
+_file_http_put() {
+    echo "Can't write to remote files!"
+    exit 1
+}
diff --git a/scripts/lib/file/local.sh b/scripts/lib/file/local.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env sh
+
+set -eu
+
+_file_local_exists() {
+    test -f "${1}"
+}
+
+_file_local_get() {
+    _file_local_exists "$@" && printf '%s' "${1}"
+}
+
+_file_local_put() {
+    cat - >"${1}"
+}
diff --git a/scripts/lib/http.sh b/scripts/lib/http.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env sh
+
+download() {
+    if command -v curl >/dev/null; then
+        curl -sSfL "$1"
+    elif command -v wget >/dev/null; then
+        wget -q -O- "$1"
+    else
+        return 1
+    fi
+}