Add driver-args

CHANGELOG.md

@@ -8,7 +8,10 @@ Allow override sops version on installation
 
 ## [Unreleased]
 
-## [3.4.3] - 2021-02-19
+## [3.5.0] - 2021-02-20
+
+### Added
+- Added `--driver-args` to pass additional argument to underlying commands (https://github.com/jkroepke/helm-secrets/pull/82)
 
 ### Fixes
 - "grep: Invalid range end" if locale is not C (https://github.com/jkroepke/helm-secrets/pull/81)
@@ -103,8 +106,8 @@ Started a fork of https://github.com/zendesk/helm-secrets
 - Support all helm sub commands and plugins
 
 
-[Unreleased]: https://github.com/jkroepke/helm-secrets/compare/v3.4.3...HEAD
-[3.4.3]: https://github.com/jkroepke/helm-secrets/compare/v3.4.2...v3.4.3
+[Unreleased]: https://github.com/jkroepke/helm-secrets/compare/v3.5.0...HEAD
+[3.5.0]: https://github.com/jkroepke/helm-secrets/compare/v3.4.2...v3.5.0
 [3.4.2]: https://github.com/jkroepke/helm-secrets/compare/v3.4.1...v3.4.2
 [3.4.1]: https://github.com/jkroepke/helm-secrets/compare/v3.4.0...v3.4.1
 [3.4.0]: https://github.com/jkroepke/helm-secrets/compare/v3.3.5...v3.4.0

README.md

@@ -21,13 +21,15 @@ In meanwhile, this project is officially listed on the [community projects side]
 ### Decrypt secrets via plugin command
 
 Wraps the whole helm command. Slow on multiple value files.
+
 ```
 helm secrets upgrade name . -f secrets.yaml
 ```
 
 ### Decrypt secrets via protocol handler
 
 Run decrypted command on specific value files.
+
 ```
 helm upgrade name . -f secrets://secrets.yaml
 ```
@@ -95,7 +97,7 @@ By default, helm plugin install does this for you.
 
 ```bash
 # Install a specific version (recommend)
-helm plugin install https://github.com/jkroepke/helm-secrets --version v3.4.0
+helm plugin install https://github.com/jkroepke/helm-secrets --version v3.5.0
 
 # Install latest unstable version from main branch
 helm plugin install https://github.com/jkroepke/helm-secrets
@@ -119,17 +121,18 @@ curl -LsSf https://github.com/jkroepke/helm-secrets/releases/latest/download/hel
 
 ```bash
 # Windows (inside cmd, needs to be verified)
-curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.4.0/helm-secrets.tar.gz | tar -C "%APPDATA%\helm\plugins" -xzf-
+curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.5.0/helm-secrets.tar.gz | tar -C "%APPDATA%\helm\plugins" -xzf-
 
 # MacOS / Linux
-curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.4.0/helm-secrets.tar.gz | tar -C "$(helm env HELM_PLUGINS)" -xzf-
+curl -LsSf https://github.com/jkroepke/helm-secrets/releases/download/v3.5.0/helm-secrets.tar.gz | tar -C "$(helm env HELM_PLUGINS)" -xzf-
 ```
 
 ### Installation on Helm 2
 
 Helm 2 doesn't support downloader plugins. Since unknown keys in `plugin.yaml` are fatal, then plugin installation need special handling.
 
 Error on Helm 2 installation:
+
 ```
 # helm plugin install https://github.com/jkroepke/helm-secrets
 Error: yaml: unmarshal errors:
@@ -170,11 +173,32 @@ Pull Requests are much appreciated.
 
 The driver option is a global one. A file level switch isn't supported yet.
 
+## Pass additional arguments to secret driver
+
+```bash
+helm secrets -a "--verbose" view ./tests/assets/helm_vars/secrets.yaml
+```
+
+results into:
+
+```
+[PGP]    INFO[0000] Decryption succeeded                          fingerprint=D6174A02027050E59C711075B430C4E58E2BBBA3
+[SOPS]   INFO[0000] Data key recovered successfully
+[SOPS]   DEBU[0000] Decrypting tree
+[helm-secrets] Decrypt: tests/assets/values/sops/secrets.yaml
+==> Linting examples/sops
+[INFO] Chart.yaml: icon is recommended
+
+1 chart(s) linted, 0 chart(s) failed
+
+[helm-secrets] Removed: tests/assets/values/sops/secrets.yaml.dec
+```
+
 ## Main features
 
 The current version of this plugin using [mozilla/sops](https://github.com/mozilla/sops/) by default as backend.
 
-[Hashicorp Vault](http://vaultproject.io/) is supported as secret source since v3.2.0, too. In addition, [sops support vault since v3.6.0 natively](https://github.com/mozilla/sops#encrypting-using-hashicorp-vault). 
+[Hashicorp Vault](http://vaultproject.io/) is supported as secret source since v3.2.0, too. In addition, [sops support vault since v3.6.0 natively](https://github.com/mozilla/sops#encrypting-using-hashicorp-vault).
 
 What kind of problems this plugin solves:
 
@@ -197,14 +221,14 @@ An additional documentation, resources and examples can be found [here](USAGE.md
 
 ## Moving parts of project
 
-* [`scripts/install.sh`](scripts/install.sh) - Script used as the hook to download and install sops and install git diff configuration for helm-secrets files.
-* [`scripts/run.sh`](scripts/run.sh) - Main helm-secrets plugin code for all helm-secrets plugin actions available in `helm secrets help` after plugin install
-* [`scripts/drivers`](scripts/drivers) - Location of the in-tree secrets drivers
-* [`scripts/commands`](scripts/commands) - Sub Commands of `helm secrets` are defined here.
-* [`scripts/lib`](scripts/lib) - Common functions used by `helm secrets`.
-* [`scripts/wrapper`](scripts/wrapper) - Wrapper scripts for Windows systems.
-* [`tests`](tests) - Test scripts to check if all parts of the plugin work. Using test assets with PGP keys to make real tests on real data with real encryption/decryption. See [`tests/README.md`](tests/README.md) for more informations.
-* [`examples`](examples) - Some example secrets.yaml 
+- [`scripts/install.sh`](scripts/install.sh) - Script used as the hook to download and install sops and install git diff configuration for helm-secrets files.
+- [`scripts/run.sh`](scripts/run.sh) - Main helm-secrets plugin code for all helm-secrets plugin actions available in `helm secrets help` after plugin install
+- [`scripts/drivers`](scripts/drivers) - Location of the in-tree secrets drivers
+- [`scripts/commands`](scripts/commands) - Sub Commands of `helm secrets` are defined here.
+- [`scripts/lib`](scripts/lib) - Common functions used by `helm secrets`.
+- [`scripts/wrapper`](scripts/wrapper) - Wrapper scripts for Windows systems.
+- [`tests`](tests) - Test scripts to check if all parts of the plugin work. Using test assets with PGP keys to make real tests on real data with real encryption/decryption. See [`tests/README.md`](tests/README.md) for more informations.
+- [`examples`](examples) - Some example secrets.yaml
 
 ## Copyright and license
 

contrib/drivers/gopass.sh

@@ -6,6 +6,12 @@ _DRIVER_REGEX='!gopass [A-Za-z0-9\-\_\/]*'
 # shellcheck source=scripts//drivers/_custom.sh
 . "${SCRIPT_DIR}/drivers/_custom.sh"
 
+_gopass() {
+    # shellcheck disable=SC2086
+    set -- ${SECRET_DRIVER_ARGS} "$@"
+    gopass "$@"
+}
+
 _custom_driver_get_secret() {
     _type=$1
     _SECRET=$2
@@ -15,9 +21,9 @@ _custom_driver_get_secret() {
         exit 1
     fi
 
-    if ! gopass show -o "${_SECRET}"; then
+    if ! _gopass show -o "${_SECRET}"; then
         echo "Error while get secret from gopass!" >&2
-        echo gopass show -o "${_SECRET}" >&2
+        echo gopass show -o "${_SECRET}" "${SECRET_DRIVER_ARGS}" >&2
         exit 1
     fi
 }

scripts/commands/helm.sh

@@ -107,10 +107,6 @@ helm_wrapper() {
         j=$((j + 1))
     done
 
-    if [ "${QUIET}" = "false" ]; then
-        echo >&2
-    fi
-
     "${HELM_BIN}" ${TILLER_HOST:+--host "$TILLER_HOST"} "$@"
 }
 

scripts/commands/help.sh

@@ -3,7 +3,7 @@
 set -euf
 
 help_usage() {
-    cat <<EOF
+    cat <<'EOF'
 Secrets encryption in Helm Charts
 
 This plugin provides ability to encrypt/decrypt secrets files
@@ -24,5 +24,10 @@ Available Commands:
   dir     Get plugin directory
   <cmd>   wrapper that decrypts encrypted yaml files before running helm <cmd>
 
+Available Options:
+  --quiet       -q  Suppress info messages (env: $HELM_SECRETS_QUIET)
+  --driver      -d  Secret driver to use for decryption or encryption (env: $HELM_SECRETS_DRIVER)
+  --driver-args -a  Additional args for secret driver (env: $HELM_SECRETS_DRIVER_ARGS)
+  --help        -h  Show help
 EOF
 }

scripts/drivers/sops.sh

@@ -2,6 +2,12 @@
 
 _SOPS="${HELM_SECRETS_SOPS_BIN:-sops}"
 
+_sops() {
+    # shellcheck disable=SC2086
+    set -- ${SECRET_DRIVER_ARGS} "$@"
+    $_SOPS "$@"
+}
+
 driver_is_file_encrypted() {
     input="${1}"
 
@@ -14,9 +20,9 @@ driver_encrypt_file() {
     output="${3}"
 
     if [ "${input}" = "${output}" ]; then
-        $_SOPS --encrypt --input-type "${type}" --output-type "${type}" --in-place "${input}"
+        _sops --encrypt --input-type "${type}" --output-type "${type}" --in-place "${input}"
     else
-        $_SOPS --encrypt --input-type "${type}" --output-type "${type}" --output "${output}" "${input}"
+        _sops --encrypt --input-type "${type}" --output-type "${type}" --output "${output}" "${input}"
     fi
 }
 
@@ -27,15 +33,15 @@ driver_decrypt_file() {
     output="${3:-}"
 
     if [ "${output}" != "" ]; then
-        $_SOPS --decrypt --input-type "${type}" --output-type "${type}" --output "${output}" "${input}"
+        _sops --decrypt --input-type "${type}" --output-type "${type}" --output "${output}" "${input}"
     else
-        $_SOPS --decrypt --input-type "${type}" --output-type "${type}" "${input}"
+        _sops --decrypt --input-type "${type}" --output-type "${type}" "${input}"
     fi
 }
 
 driver_edit_file() {
     type="${1}"
     input="${2}"
 
-    $_SOPS --input-type yaml --output-type yaml "${input}"
+    _sops --input-type yaml --output-type yaml "${input}"
 }

scripts/drivers/vault.sh

@@ -6,6 +6,12 @@ _DRIVER_REGEX='!vault [A-z0-9][A-z0-9/\-]*\#[A-z0-9][A-z0-9-]*'
 # shellcheck source=scripts/drivers/_custom.sh
 . "${SCRIPT_DIR}/drivers/_custom.sh"
 
+_vault() {
+    # shellcheck disable=SC2086
+    set -- ${SECRET_DRIVER_ARGS} "$@"
+    vault "$@"
+}
+
 _custom_driver_get_secret() {
     _type=$1
     _SECRET_PATH="${2%#*}"
@@ -16,9 +22,9 @@ _custom_driver_get_secret() {
         exit 1
     fi
 
-    if ! vault kv get -format="${_type}" -field="${_SECRET_FIELD}" "${_SECRET_PATH}"; then
+    if ! _vault kv get -format="${_type}" -field="${_SECRET_FIELD}" "${_SECRET_PATH}"; then
         echo "Error while get secret from vault!" >&2
-        echo vault kv get -format="${_type}" -field="${_SECRET_FIELD}" "${_SECRET_PATH}" >&2
+        echo vault kv get -format="${_type}" -field="${_SECRET_FIELD}" "${_SECRET_PATH}" "${SECRET_DRIVER_ARGS}" >&2
         exit 1
     fi
 }

scripts/run.sh

@@ -13,6 +13,8 @@ QUIET="${HELM_SECRETS_QUIET:-false}"
 
 # Define the secret driver engine
 SECRET_DRIVER="${HELM_SECRETS_DRIVER:-sops}"
+# Define the secret driver engine
+SECRET_DRIVER_ARGS="${HELM_SECRETS_DRIVER_ARGS:-}"
 
 # The suffix to use for decrypted files. The default can be overridden using
 # the HELM_SECRETS_DEC_SUFFIX environment variable.
@@ -122,6 +124,11 @@ while true; do
         # shellcheck disable=SC2034
         QUIET=true
         ;;
+    --driver-args | -a)
+        # shellcheck disable=SC2034
+        SECRET_DRIVER_ARGS="$2"
+        shift
+        ;;
     "")
         # shellcheck source=scripts/commands/help.sh
         . "${SCRIPT_DIR}/commands/help.sh"

tests/unit/dec.bats

@@ -133,3 +133,101 @@ load '../bats/extensions/bats-file/load'
     assert_success
     assert_output "[helm-secrets] Decrypting ${FILE}"
 }
+
+@test "dec: secrets.yaml + --driver-args (simple)" {
+    if ! is_driver_sops; then
+        skip
+    fi
+
+    FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml"
+
+    run helm secrets --driver-args "--verbose" dec "${FILE}"
+    assert_success
+    assert_output --partial "Data key recovered successfully"
+    assert_file_exist "${FILE}.dec"
+    assert_file_contains "${FILE}.dec" 'global_secret: '
+    assert_file_contains "${FILE}.dec" 'global_bar'
+}
+
+@test "dec: secrets.yaml + -a (simple)" {
+    if ! is_driver_sops; then
+        skip
+    fi
+
+    FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml"
+
+    run helm secrets -a "--verbose" dec "${FILE}"
+    assert_success
+    assert_output --partial "Data key recovered successfully"
+    assert_file_exist "${FILE}.dec"
+    assert_file_contains "${FILE}.dec" 'global_secret: '
+    assert_file_contains "${FILE}.dec" 'global_bar'
+}
+
+@test "dec: secrets.yaml + HELM_SECRETS_DRIVER_ARGS (simple)" {
+    if ! is_driver_sops; then
+        skip
+    fi
+
+    FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml"
+
+    HELM_SECRETS_DRIVER_ARGS=--verbose
+    export HELM_SECRETS_DRIVER_ARGS
+
+    run helm secrets dec "${FILE}"
+    assert_success
+    assert_output --partial "Data key recovered successfully"
+    assert_file_exist "${FILE}.dec"
+    assert_file_contains "${FILE}.dec" 'global_secret: '
+    assert_file_contains "${FILE}.dec" 'global_bar'
+}
+
+@test "dec: secrets.yaml + --driver-args (complex)" {
+    if ! is_driver_sops; then
+        skip
+    fi
+
+    FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml"
+
+    run helm secrets --driver-args "--verbose --output-type \"yaml\"" dec "${FILE}"
+    assert_success
+    assert_output --partial "Data key recovered successfully"
+    assert_file_exist "${FILE}.dec"
+    assert_file_contains "${FILE}.dec" 'global_secret: '
+    assert_file_contains "${FILE}.dec" 'global_bar'
+}
+
+@test "dec: secrets.yaml + -a (complex)" {
+    if ! is_driver_sops; then
+        skip
+    fi
+
+    FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml"
+
+    run helm secrets -a "--verbose --output-type \"yaml\"" dec "${FILE}"
+    assert_success
+    assert_output --partial "Data key recovered successfully"
+    assert_file_exist "${FILE}.dec"
+    assert_file_contains "${FILE}.dec"  'global_secret: '
+    assert_file_contains "${FILE}.dec"  'global_bar'
+}
+
+@test "dec: secrets.yaml + HELM_SECRETS_DRIVER_ARGS (complex)" {
+    if ! is_driver_sops; then
+        skip
+    fi
+
+    FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml"
+
+    # shellcheck disable=SC2089
+    HELM_SECRETS_DRIVER_ARGS="--verbose --output-type \"yaml\""
+    # shellcheck disable=SC2090
+    export HELM_SECRETS_DRIVER_ARGS
+
+    run helm secrets dec "${FILE}"
+    assert_success
+    assert_output --partial "Data key recovered successfully"
+    assert_file_exist "${FILE}.dec"
+    assert_file_contains "${FILE}.dec" 'global_secret: '
+    assert_file_contains "${FILE}.dec" 'global_bar'
+}