Add remote files

scripts/commands/dec.sh

@@ -21,21 +21,21 @@ EOF
 }
 
 decrypt_helper() {
-    file="${1}"
+    encrypted_file="${1}"
 
-    if [ ! -f "$file" ]; then
-        printf 'File does not exist: %s\n' "${file}"
+    if ! encrypted_file_path=$(_file_get "${encrypted_file}"); then
+        printf '[helm-secrets] File does not exist: %s\n' "${encrypted_file}"
         exit 1
     fi
 
-    if ! driver_is_file_encrypted "${file}"; then
+    if ! driver_is_file_encrypted "${encrypted_file_path}"; then
         return 1
     fi
 
-    file_dec="$(file_dec_name "${file}")"
+    encrypted_file_dec="$(_file_dec_name "${encrypted_file_path}")"
 
-    if ! driver_decrypt_file "yaml" "${file}" "${file_dec}"; then
-        printf 'Error while decrypting file: %s\n' "${file}"
+    if ! driver_decrypt_file "yaml" "${encrypted_file_path}" "${encrypted_file_dec}"; then
+        printf '[helm-secrets] Error while decrypting file: %s\n' "${file}"
         exit 1
     fi
 
@@ -50,11 +50,6 @@ dec() {
 
     file="$1"
 
-    if [ ! -f "${file}" ]; then
-        printf 'File does not exist: %s\n' "${file}"
-        exit 1
-    else
-        printf 'Decrypting %s\n' "${file}"
-        decrypt_helper "${file}"
-    fi
+    printf '[helm-secrets] Decrypting %s\n' "${file}"
+    decrypt_helper "${file}"
 }

scripts/commands/enc.sh

@@ -33,7 +33,7 @@ encrypt_helper() {
         printf 'File does not exist: %s\n' "${dir}/${file}"
         exit 1
     fi
-    file_dec="$(file_dec_name "${file}")"
+    file_dec="$(_file_dec_name "${file}")"
 
     if [ ! -f "${file_dec}" ]; then
         file_dec="${file}"

scripts/commands/helm.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env sh
 
-set -eu
+set -eux
 
 # shellcheck disable=SC1090
 . "${SCRIPT_DIR}/commands/dec.sh"
@@ -24,18 +24,18 @@ Typical usage:
 EOF
 }
 
-helm_wrapper_cleanup() {
-    if [ -s "${decrypted_files}" ]; then
+_trap_hook() {
+    if [ -n "${decrypted_files+x}" ]; then
         if [ "${QUIET}" = "false" ]; then
             echo >&2
             # shellcheck disable=SC2016
             xargs -0 -n1 sh -c 'rm "$1" && printf "[helm-secrets] Removed: %s\n" "$1"' sh >&2 <"${decrypted_files}"
         else
             xargs -0 rm >&2 <"${decrypted_files}"
         fi
-    fi
 
-    rm "${decrypted_files}"
+        rm "${decrypted_files}"
+    fi
 }
 
 helm_wrapper() {
@@ -44,9 +44,6 @@ helm_wrapper() {
     argc=$#
     j=0
 
-    #cleanup on-the-fly decrypted files
-    trap helm_wrapper_cleanup EXIT
-
     while [ $j -lt $argc ]; do
         case "$1" in
         --)
@@ -71,15 +68,20 @@ helm_wrapper() {
                 ;;
             esac
 
-            file_dec="$(file_dec_name "${file}")"
+            if ! real_file=$(_file_get "${file}"); then
+                printf '[helm-secrets] File does not exist: %s\n' "${file}"
+                exit 1
+            fi
+
+            file_dec="$(_file_dec_name "${real_file}")"
             if [ -f "${file_dec}" ]; then
                 set -- "$@" "$file_dec"
 
                 if [ "${QUIET}" = "false" ]; then
                     printf '[helm-secrets] Decrypt skipped: %s' "${file}" >&2
                 fi
             else
-                if decrypt_helper "${file}"; then
+                if decrypt_helper "${real_file}"; then
                     set -- "$@" "$file_dec"
                     printf '%s\0' "${file_dec}" >>"${decrypted_files}"
 

scripts/commands/view.sh

@@ -17,12 +17,14 @@ EOF
 view_helper() {
     file="$1"
 
-    if [ ! -f "${file}" ]; then
+    if ! _file_exists "$file"; then
         printf 'File does not exist: %s\n' "${file}"
         exit 1
     fi
 
-    driver_decrypt_file "yaml" "${file}"
+    real_file=$(_file_get "${file}")
+
+    driver_decrypt_file "yaml" "${real_file}"
 }
 
 view() {

scripts/install.sh

@@ -2,6 +2,12 @@
 
 set -eu
 
+# Path to current directory
+SCRIPT_DIR="$(dirname "$0")"
+
+# shellcheck source=lib/http.sh
+. "${SCRIPT_DIR}/lib/http.sh"
+
 SOPS_DEFAULT_VERSION="v3.6.1"
 SOPS_VERSION="${SOPS_VERSION:-$SOPS_DEFAULT_VERSION}"
 SOPS_LINUX_URL="${SOPS_LINUX_URL:-"https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux"}"
@@ -13,16 +19,6 @@ RED='\033[0;31m'
 #YELLOW='\033[1;33m'
 NOC='\033[0m'
 
-download() {
-    if command -v curl >/dev/null; then
-        curl -sSfL "$1"
-    elif command -v wget >/dev/null; then
-        wget -q -O- "$1"
-    else
-        return 1
-    fi
-}
-
 get_sha_256() {
     if command -v sha256sum >/dev/null; then
         res=$(sha256sum "$1")

scripts/lib/file.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env sh
+
+# shellcheck source=lib/file/local.sh
+. "${SCRIPT_DIR}/lib/file/local.sh"
+
+# shellcheck source=lib/file/http.sh
+. "${SCRIPT_DIR}/lib/file/http.sh"
+
+# shellcheck source=lib/file/custom.sh
+. "${SCRIPT_DIR}/lib/file/custom.sh"
+
+_file_get_protocol() {
+    case "$1" in
+    /* | \*)
+        echo "local"
+        ;;
+    http*)
+        echo "http"
+        ;;
+    *)
+        echo "custom"
+        ;;
+    esac
+}
+
+_file_exists() {
+    file_type=$(_file_get_protocol "${1}")
+
+    _file_"${file_type}"_exists "$@"
+}
+
+_file_get() {
+    file_type=$(_file_get_protocol "${1}")
+
+    _file_"${file_type}"_get "$@"
+}
+
+_file_put() {
+    file_type=$(_file_get_protocol "${1}")
+
+    _file_"${file_type}"_put "$@"
+}
+
+_file_dec_name() {
+    if [ "${DEC_DIR}" != "" ]; then
+        printf '%s' "${DEC_DIR}/$(basename "${1}" ".yaml")${DEC_SUFFIX}"
+    else
+        printf '%s' "$(dirname "${1}")/$(basename "${1}" ".yaml")${DEC_SUFFIX}"
+    fi
+}

scripts/lib/file/custom.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env sh
+
+_file_custom_exists() {
+    _file_custom_get "$@" >/dev/null
+}
+
+_file_custom_get() {
+    _tmp_file=$(mktemp)
+    helm template "${SCRIPT_DIR}/lib/file/helm-values-getter" -f "${1}" >"${_tmp_file}"
+    printf '%s' "${_tmp_file}"
+}
+
+_file_custom_put() {
+    echo "Can't write to remote files!"
+    exit 1
+}

scripts/lib/file/helm-values-getter/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: helm-values-getter
+version: 1.0.0

scripts/lib/file/helm-values-getter/templates/values.yaml

@@ -0,0 +1 @@
+{{- .Values | toYaml -}}

scripts/lib/file/http.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env sh
+
+_file_http_exists() {
+    _file_http_get "$@" >/dev/null
+}
+
+_file_http_get() {
+    _tmp_file=$(mktemp)
+    download "${1}" >"${_tmp_file}"
+    printf '%s' "${_tmp_file}"
+}
+
+_file_http_put() {
+    echo "Can't write to remote files!"
+    exit 1
+}

scripts/lib/file/local.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env sh
+
+_file_local_exists() {
+    [ -f "${1}" ]
+}
+
+_file_local_get() {
+    _file_local_exists "$@"
+    printf '%s' "${1}"
+}
+
+_file_local_put() {
+    cat - >"${1}"
+}

scripts/lib/http.sh

@@ -0,0 +1,9 @@
+download() {
+    if command -v curl >/dev/null; then
+        curl -sSfL "$1"
+    elif command -v wget >/dev/null; then
+        wget -q -O- "$1"
+    else
+        return 1
+    fi
+}

scripts/run.sh

@@ -5,6 +5,9 @@ set -eu
 # Path to current directory
 SCRIPT_DIR="$(dirname "$0")"
 
+# Create temporary directory
+TMPDIR="${HELM_SECRETS_DEC_TMP_DIR:-$(mktemp -d)}"
+
 # Output debug infos
 QUIET="${HELM_SECRETS_QUIET:-false}"
 
@@ -19,6 +22,24 @@ DEC_DIR="${HELM_SECRETS_DEC_DIR:-}"
 # Make sure HELM_BIN is set (normally by the helm command)
 HELM_BIN="${HELM_BIN:-helm}"
 
+# shellcheck source=lib/file.sh
+. "${SCRIPT_DIR}/lib/file.sh"
+
+# shellcheck source=lib/http.sh
+. "${SCRIPT_DIR}/lib/http.sh"
+
+_trap_hook() {
+    true
+}
+
+_trap() {
+    rm -rf "${TMPDIR}"
+
+    _trap_hook
+}
+
+trap _trap EXIT
+
 usage() {
     cat <<EOF
 Secrets encryption in Helm Charts
@@ -52,29 +73,21 @@ is_help() {
     esac
 }
 
-file_dec_name() {
-    if [ "${DEC_DIR}" != "" ]; then
-        printf '%s' "${DEC_DIR}/$(basename "${1}" ".yaml")${DEC_SUFFIX}"
-    else
-        printf '%s' "$(dirname "${1}")/$(basename "${1}" ".yaml")${DEC_SUFFIX}"
-    fi
-}
-
 load_secret_driver() {
     driver="${1}"
-    if [ -f "${driver}" ]; then
-        # Allow to load out of tree drivers.
-
+    if [ -f "${SCRIPT_DIR}/drivers/${driver}.sh" ]; then
         # shellcheck disable=SC1090
-        . "${driver}"
+        . "${SCRIPT_DIR}/drivers/${driver}.sh"
     else
-        if [ ! -f "${SCRIPT_DIR}/drivers/${driver}.sh" ]; then
+        # Allow to load out of tree drivers.
+        if [ ! -f "${driver}" ]; then
+
             echo "Can't find secret driver: ${driver}"
             exit 1
         fi
 
         # shellcheck disable=SC1090
-        . "${SCRIPT_DIR}/drivers/${driver}.sh"
+        . "${driver}"
     fi
 }
 
@@ -83,7 +96,7 @@ load_secret_driver "$SECRET_DRIVER"
 while true; do
     case "${1:-}" in
     enc)
-        # shellcheck disable=SC1090
+        # shellcheck source=commands/enc.sh
         . "${SCRIPT_DIR}/commands/enc.sh"
 
         if [ $# -lt 2 ]; then
@@ -95,7 +108,7 @@ while true; do
         break
         ;;
     dec)
-        # shellcheck disable=SC1090
+        # shellcheck source=commands/dec.sh
         . "${SCRIPT_DIR}/commands/dec.sh"
 
         if [ $# -lt 2 ]; then
@@ -107,7 +120,7 @@ while true; do
         break
         ;;
     view)
-        # shellcheck disable=SC1090
+        # shellcheck source=commands/view.sh
         . "${SCRIPT_DIR}/commands/view.sh"
 
         if [ $# -lt 2 ]; then
@@ -119,7 +132,7 @@ while true; do
         break
         ;;
     edit)
-        # shellcheck disable=SC1090
+        # shellcheck source=commands/edit.sh
         . "${SCRIPT_DIR}/commands/edit.sh"
 
         if [ $# -lt 2 ]; then
@@ -131,7 +144,7 @@ while true; do
         break
         ;;
     clean)
-        # shellcheck disable=SC1090
+        # shellcheck source=commands/clean.sh
         . "${SCRIPT_DIR}/commands/clean.sh"
 
         if [ $# -lt 2 ]; then