Merge pull request #390 from jkroepke/encrypt-in-tmp-dor
jkroepke authored Aug 14, 2023
2 parents 58b1461 + 14485d2 commit 91fceed
Showing 7 changed files with 59 additions and 0 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
Expand Up @@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

### Added
- Added `--decrypt-secrets-in-tmp-dir` to solve concurrency issues or if work disk is read-only

### Changes
- BREAKING: helm-secrets requires vals 0.22 or higher

2 changes: 2 additions & 0 deletions docs/ArgoCD Integration.md
Expand Up @@ -225,6 +225,8 @@ repoServer:
value: "false"
- name: HELM_SECRETS_WRAPPER_ENABLED
value: "true"
- name: HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR
value: "true"
- name: HELM_SECRETS_HELM_PATH
value: /usr/local/bin/helm
1 change: 1 addition & 0 deletions docs/Usage.md
Expand Up @@ -25,6 +25,7 @@ Available Options:
--ignore-missing-values [true|false] Ignore missing value files (env: $HELM_SECRETS_IGNORE_MISSING_VALUES)
--evaluate-templates [true|false] Evaluate secret expressions inside helm template (only supported by vals backend) (env: $HELM_SECRETS_EVALUATE_TEMPLATES)
--evaluate-templates-decode-secrets [true|false] If --evaluate-templates is set, decode base64 values from secrets to evaluate them (env: $HELM_SECRETS_EVALUATE_TEMPLATES_DECODE_SECRETS)
--decrypt-secrets-in-tmp-dir [true|false] Decrypt secrets in a temp directory. May solve concurrency issues. (env: $HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR)
--help -h Show help
--version -v Display version of helm-secrets
```
1 change: 1 addition & 0 deletions scripts/commands/help.sh
Expand Up @@ -27,6 +27,7 @@ Available Options:
--ignore-missing-values [true|false] Ignore missing value files (env: $HELM_SECRETS_IGNORE_MISSING_VALUES)
--evaluate-templates [true|false] Evaluate secret expressions inside helm template (only supported by vals backend) (env: $HELM_SECRETS_EVALUATE_TEMPLATES)
--evaluate-templates-decode-secrets [true|false] If --evaluate-templates is set, decode base64 values from secrets to evaluate them (env: $HELM_SECRETS_EVALUATE_TEMPLATES_DECODE_SECRETS)
--decrypt-secrets-in-tmp-dir [true|false] Decrypt secrets in a temp directory. May solve concurrency issues. (env: $HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR)
--help -h Show help
--version -v Display version of helm-secrets
EOF
2 changes: 2 additions & 0 deletions scripts/lib/file.sh
Expand Up @@ -67,6 +67,8 @@ _file_dec_name() {

if [ "${DEC_DIR}" != "" ]; then
printf '%s/%s%s%s' "${DEC_DIR}" "${DEC_PREFIX}" "${_basename}" "${DEC_SUFFIX}"
elif [ "${DECRYPT_SECRETS_IN_TMP_DIR}" = "true" ]; then
printf '%s/%s%s%s' "${TMPDIR}" "${DEC_PREFIX}" "${_basename}" "${DEC_SUFFIX}"
elif [ "${1}" != "${_basename}" ]; then
printf '%s/%s%s%s' "$(dirname "${1}")" "${DEC_PREFIX}" "${_basename}" "${DEC_SUFFIX}"
else
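Review bot: The new `elif [ "${DECRYPT_SECRETS_IN_TMP_DIR}" = "true" ]` branch derives the decrypted path from `_basename` alone, so two secret files that share a basename in different directories (for example one `secrets.yaml` per environment passed with several `-f`) now both resolve to `${TMPDIR}/${DEC_PREFIX}secrets.yaml${DEC_SUFFIX}` and overwrite or remove each other within one invocation, a collision the previous alongside-the-source placement could not have. The branch should add a per-file unique component before the basename, e.g. `printf '%s/%s%s-%s%s' "${TMPDIR}" "${DEC_PREFIX}" "$(printf '%s' "${1}" | cksum | cut -d' ' -f1)" "${_basename}" "${DEC_SUFFIX}"`, and the cleanup path must use the same name. Whether `${TMPDIR}` here is a per-invocation `mktemp -d` directory owned by run.sh or the caller's environment value cannot be seen from this hunk; if it is the latter, plaintext lands in a shared directory under a predictable name and an unset `TMPDIR` produces a path directly under `/`, so the variable used should be the script-created directory that the `trap _trap EXIT` in run.sh presumably removes. `_file_dec_name` begins before the hunk and its body continues past it.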
16 changes: 16 additions & 0 deletions scripts/run.sh
Expand Up @@ -64,6 +64,8 @@ EVALUATE_TEMPLATES="${HELM_SECRETS_EVALUATE_TEMPLATES:-false}"
# shellcheck disable=SC2034
EVALUATE_TEMPLATES_DECODE_SECRETS="${HELM_SECRETS_EVALUATE_TEMPLATES_DECODE_SECRETS:-false}"
# shellcheck disable=SC2034
DECRYPT_SECRETS_IN_TMP_DIR="${HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR:-false}"
# shellcheck disable=SC2034
LOAD_GPG_KEYS="${HELM_SECRETS_LOAD_GPG_KEYS:-false}"

trap _trap EXIT
Expand Down Expand Up @@ -239,6 +241,20 @@ while true; do
# shellcheck disable=SC2034
EVALUATE_TEMPLATES_DECODE_SECRETS="${1#*=}"
;;
--decrypt-secrets-in-tmp-dir)
if [ "$2" = "true" ] || [ "$2" = "false" ]; then
# shellcheck disable=SC2034
DECRYPT_SECRETS_IN_TMP_DIR="$2"
shift
else
# shellcheck disable=SC2034
DECRYPT_SECRETS_IN_TMP_DIR="true"
fi
;;
--decrypt-secrets-in-tmp-dir=*)
# shellcheck disable=SC2034
DECRYPT_SECRETS_IN_TMP_DIR="${1#*=}"
;;
"")
# shellcheck source=scripts/commands/help.sh
. "${SCRIPT_DIR}/commands/help.sh"
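Review bot: The `--decrypt-secrets-in-tmp-dir=*` arm stores `${1#*=}` unchecked, while the bare `--decrypt-secrets-in-tmp-dir` arm accepts only `true`/`false` and the environment default `DECRYPT_SECRETS_IN_TMP_DIR="${HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR:-false}"` in the first hunk is not validated either; because file.sh tests the value with `= "true"`, a user passing `=yes` or `=1` silently gets decryption in the work directory, the opposite of what they asked for, with no diagnostic. The existing `--evaluate-templates-decode-secrets=*` arm directly above shows the same pattern, so this may be inherited style, but the help text advertises `[true|false]` and the check is cheap: `v="${1#*=}"; [ "$v" = "true" ] || [ "$v" = "false" ] || { printf '[helm-secrets] invalid value for --decrypt-secrets-in-tmp-dir: %s\n' "$v" >&2; exit 1; }` before the assignment. The same validation could be applied once to the environment-derived default. The `while true; do` option loop starts and ends outside the hunk.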
34 changes: 34 additions & 0 deletions tests/unit/template.bats
Expand Up @@ -2048,3 +2048,37 @@ load '../bats/extensions/bats-file/load'
assert_output --partial "Can't find secret backend: nonexists"
assert_failure
}

@test "template: helm template w/ chart + secrets.yaml + HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR=true" {
VALUES="assets/values/${HELM_SECRETS_BACKEND}/secrets.yaml"
VALUES_PATH="${TEST_TEMP_DIR}/${VALUES}"

create_chart "${TEST_TEMP_DIR}"

# shellcheck disable=SC2030 disable=SC2031
run env HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR=true WSLENV="HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR:${WSLENV}" \
"${HELM_BIN}" secrets template "${TEST_TEMP_DIR}/chart" -f "${VALUES_PATH}" 2>&1

assert_output -e "\[helm-secrets\] Decrypt: .*${VALUES}"
assert_output --partial "port: 81"
refute_output -e "\[helm-secrets\] Removed: .*${VALUES}.dec"
assert_output -e "\[helm-secrets\] Removed: .*/secrets.yaml.dec"
assert_success
assert_file_not_exists "${VALUES_PATH}.dec"
}

@test "template: helm template w/ chart + secrets.yaml + --decrypt-secrets-in-tmp-dir" {
VALUES="assets/values/${HELM_SECRETS_BACKEND}/secrets.yaml"
VALUES_PATH="${TEST_TEMP_DIR}/${VALUES}"

create_chart "${TEST_TEMP_DIR}"

run "${HELM_BIN}" secrets --decrypt-secrets-in-tmp-dir template "${TEST_TEMP_DIR}/chart" -f "${VALUES_PATH}" 2>&1

assert_output -e "\[helm-secrets\] Decrypt: .*${VALUES}"
assert_output --partial "port: 81"
refute_output -e "\[helm-secrets\] Removed: .*${VALUES}.dec"
assert_output -e "\[helm-secrets\] Removed: .*/secrets.yaml.dec"
assert_success
assert_file_not_exists "${VALUES_PATH}.dec"
}
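Review bot: Both new tests prove cleanup only through the log line `assert_output -e "\[helm-secrets\] Removed: .*/secrets.yaml.dec"` plus the absence of `${VALUES_PATH}.dec`; nothing checks that the plaintext file is actually gone from the temp directory, so a regression that still prints the message but leaves the `.dec` behind would pass. The path is present in the output, so it can be recovered and checked, e.g. `dec_path="$(printf '%s\n' "$output" | sed -n 's/.*\] Removed: //p' | head -n 1)"` followed by `assert_file_not_exists "${dec_path}"`. The changelog entry motivates the flag with a read-only work disk, yet neither test makes the values directory read-only before the run, and the `--decrypt-secrets-in-tmp-dir=false` form and a second `-f` file with the same basename (which would collide in the temp directory) are also uncovered; a test per case would pin the intended behaviour.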
