From 56ed84b57a5071e29ea9e0e56934000bc6d29e52 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?= Date: Mon, 14 Aug 2023 14:03:45 +0200 Subject: [PATCH 1/2] Add HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR --- CHANGELOG.md | 3 +++ docs/ArgoCD Integration.md | 2 ++ docs/Usage.md | 1 + scripts/commands/help.sh | 1 + scripts/lib/file.sh | 2 ++ scripts/run.sh | 16 ++++++++++++++++ tests/unit/template.bats | 32 ++++++++++++++++++++++++++++++++ 7 files changed, 57 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ebb091eb..41419b6c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Added +- Added `--decrypt-secrets-in-tmp-dir` to solve concurrency issues or if work disk is read-only + ### Changes - BREAKING: helm-secrets requires vals 0.22 or higher diff --git a/docs/ArgoCD Integration.md b/docs/ArgoCD Integration.md index e2e84c4d..051c881c 100644 --- a/docs/ArgoCD Integration.md +++ b/docs/ArgoCD Integration.md @@ -225,6 +225,8 @@ repoServer: value: "false" - name: HELM_SECRETS_WRAPPER_ENABLED value: "true" + - name: HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR + value: "true" - name: HELM_SECRETS_HELM_PATH value: /usr/local/bin/helm diff --git a/docs/Usage.md b/docs/Usage.md index 2eb65758..aa16b937 100644 --- a/docs/Usage.md +++ b/docs/Usage.md 
@@ -25,6 +25,7 @@ Available Options:
 --ignore-missing-values [true|false] Ignore missing value files (env: $HELM_SECRETS_IGNORE_MISSING_VALUES)
 --evaluate-templates [true|false] Evaluate secret expressions inside helm template (only supported by vals backend) (env: $HELM_SECRETS_EVALUATE_TEMPLATES)
 --evaluate-templates-decode-secrets [true|false] If --evaluate-templates is set, decode base64 values from secrets to evaluate them (env: $HELM_SECRETS_EVALUATE_TEMPLATES_DECODE_SECRETS)
+ --decrypt-secrets-in-tmp-dir [true|false] Decrypt secrets in a temp directory. May solve concurrency issues. (env: $HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR)
 --help -h Show help
 --version -v Display version of helm-secrets
 ```
diff --git a/scripts/commands/help.sh b/scripts/commands/help.sh
index d4e1ccf4..97808567 100644
--- a/scripts/commands/help.sh
+++ b/scripts/commands/help.sh
@@ -27,6 +27,7 @@ Available Options:
 --ignore-missing-values [true|false] Ignore missing value files (env: $HELM_SECRETS_IGNORE_MISSING_VALUES)
 --evaluate-templates [true|false] Evaluate secret expressions inside helm template (only supported by vals backend) (env: $HELM_SECRETS_EVALUATE_TEMPLATES)
 --evaluate-templates-decode-secrets [true|false] If --evaluate-templates is set, decode base64 values from secrets to evaluate them (env: $HELM_SECRETS_EVALUATE_TEMPLATES_DECODE_SECRETS)
+ --decrypt-secrets-in-tmp-dir [true|false] Decrypt secrets in a temp directory. May solve concurrency issues. (env: $HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR)
 --help -h Show help
 --version -v Display version of helm-secrets
 EOF
diff --git a/scripts/lib/file.sh b/scripts/lib/file.sh
index 11a8e5cb..392ace11 100644
--- a/scripts/lib/file.sh
+++ b/scripts/lib/file.sh
@@ -67,6 +67,8 @@ _file_dec_name() { if [ "${DEC_DIR}" != "" ]; then printf '%s/%s%s%s' "${DEC_DIR}" "${DEC_PREFIX}" "${_basename}" "${DEC_SUFFIX}" + elif [ "${DECRYPT_SECRETS_IN_TMP_DIR}" = "true" ]; then + printf '%s/%s%s%s' "${TMPDIR}" "${DEC_PREFIX}" "${_basename}" "${DEC_SUFFIX}" elif [ "${1}" != "${_basename}" ]; then printf '%s/%s%s%s' "$(dirname "${1}")" "${DEC_PREFIX}" "${_basename}" "${DEC_SUFFIX}" else diff --git a/scripts/run.sh b/scripts/run.sh index d20e6ea4..d8fea582 100755 --- a/scripts/run.sh +++ b/scripts/run.sh @@ -64,6 +64,8 @@ EVALUATE_TEMPLATES="${HELM_SECRETS_EVALUATE_TEMPLATES:-false}" # shellcheck disable=SC2034 EVALUATE_TEMPLATES_DECODE_SECRETS="${HELM_SECRETS_EVALUATE_TEMPLATES_DECODE_SECRETS:-false}" # shellcheck disable=SC2034 +DECRYPT_SECRETS_IN_TMP_DIR="${HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR:-false}" +# shellcheck disable=SC2034 LOAD_GPG_KEYS="${HELM_SECRETS_LOAD_GPG_KEYS:-false}" trap _trap EXIT @@ -239,6 +241,20 @@ while true; do # shellcheck disable=SC2034 EVALUATE_TEMPLATES_DECODE_SECRETS="${1#*=}" ;; + --decrypt-secrets-in-tmp-dir) + if [ "$2" = "true" ] || [ "$2" = "false" ]; then + # shellcheck disable=SC2034 + DECRYPT_SECRETS_IN_TMP_DIR="$2" + shift + else + # shellcheck disable=SC2034 + DECRYPT_SECRETS_IN_TMP_DIR="true" + fi + ;; + --decrypt-secrets-in-tmp-dir=*) + # shellcheck disable=SC2034 + DECRYPT_SECRETS_IN_TMP_DIR="${1#*=}" + ;; "") # shellcheck source=scripts/commands/help.sh . "${SCRIPT_DIR}/commands/help.sh" diff --git a/tests/unit/template.bats b/tests/unit/template.bats index 8eaaf47d..2fb640d5 100755 --- a/tests/unit/template.bats +++ b/tests/unit/template.bats 
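Review bot: The new `elif` branch in `_file_dec_name` uses `${TMPDIR}` with no emptiness check, unlike the `DEC_DIR` branch just above it, so with `TMPDIR` unset or empty the decrypted copy is written to `/<DEC_PREFIX><basename><DEC_SUFFIX>` at the filesystem root. The resulting name is also fixed per basename: if `TMPDIR` is the process-wide temp directory rather than a private per-invocation `mktemp -d` directory (neither is visible in this hunk), two concurrent runs decrypting files with the same basename still collide, which is the case the option is meant to solve, and on a shared, world-writable directory a pre-existing file or symlink at that name may be reused depending on how the `.dec` file is later opened. At minimum guard the branch, `elif [ "${DECRYPT_SECRETS_IN_TMP_DIR}" = "true" ] && [ -n "${TMPDIR}" ]; then`, and add a comment on it stating that the directory is expected to be private to this run. The enclosing `if`/`elif` chain and the function end outside the hunk.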
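Review bot: The `--decrypt-secrets-in-tmp-dir=*` case stores `${1#*=}` without validation, whereas the bare-flag case directly above only accepts `true`/`false`; because `scripts/lib/file.sh` compares the variable against the exact string `"true"`, a value such as `=1` or `=yes` silently keeps writing decrypted files next to the source file, the opposite of what was requested, even though the help text advertises `[true|false]`. The neighbouring `=*` cases follow the same unchecked pattern, so this may be intentional, but for a setting that decides where plaintext secrets land a rejected value is safer than a silently ignored one: `--decrypt-secrets-in-tmp-dir=true | --decrypt-secrets-in-tmp-dir=false) DECRYPT_SECRETS_IN_TMP_DIR="${1#*=}" ;;` with the broad `=*` pattern dropped so an unrecognised value reaches the loop's default handling (not visible in this hunk). The `case` inside `while true; do` starts and ends outside the hunk.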
@@ -2048,3 +2048,35 @@ load '../bats/extensions/bats-file/load'
 assert_output --partial "Can't find secret backend: nonexists"
 assert_failure
 }
+
+@test "template: helm template w/ chart + secrets.yaml + HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR=true" {
+ VALUES="assets/values/${HELM_SECRETS_BACKEND}/secrets.yaml"
+ VALUES_PATH="${TEST_TEMP_DIR}/${VALUES}"
+
+ create_chart "${TEST_TEMP_DIR}"
+
+ run env HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR=true "${HELM_BIN}" secrets template "${TEST_TEMP_DIR}/chart" -f "${VALUES_PATH}" 2>&1
+
+ assert_output -e "\[helm-secrets\] Decrypt: .*${VALUES}"
+ assert_output --partial "port: 81"
+ refute_output -e "\[helm-secrets\] Removed: .*${VALUES}.dec"
+ assert_output -e "\[helm-secrets\] Removed: .*/secrets.yaml.dec"
+ assert_success
+ assert_file_not_exists "${VALUES_PATH}.dec"
+}
+
+@test "template: helm template w/ chart + secrets.yaml + --decrypt-secrets-in-tmp-dir" {
+ VALUES="assets/values/${HELM_SECRETS_BACKEND}/secrets.yaml"
+ VALUES_PATH="${TEST_TEMP_DIR}/${VALUES}"
+
+ create_chart "${TEST_TEMP_DIR}"
+
+ run "${HELM_BIN}" secrets --decrypt-secrets-in-tmp-dir template "${TEST_TEMP_DIR}/chart" -f "${VALUES_PATH}" 2>&1
+
+ assert_output -e "\[helm-secrets\] Decrypt: .*${VALUES}"
+ assert_output --partial "port: 81"
+ refute_output -e "\[helm-secrets\] Removed: .*${VALUES}.dec"
+ assert_output -e "\[helm-secrets\] Removed: .*/secrets.yaml.dec"
+ assert_success
+ assert_file_not_exists "${VALUES_PATH}.dec"
+}
From 14485d28daddf31a7062de480bc3fd1678670c6e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?=
Date: Mon, 14 Aug 2023 14:58:03 +0200
Subject: [PATCH 2/2] Add HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR
---
 tests/unit/template.bats | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/unit/template.bats b/tests/unit/template.bats
index 2fb640d5..fee85c0d 100755
--- a/tests/unit/template.bats
+++ b/tests/unit/template.bats
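Review bot: Neither new test confirms that the decrypted file went to, and was cleaned up from, the temp directory: `assert_file_not_exists "${VALUES_PATH}.dec"` only shows nothing was left beside the source file, and `assert_output -e "\[helm-secrets\] Removed: .*/secrets.yaml.dec"` matches any path with that basename. Together with the `refute_output` on `.*${VALUES}.dec` (where `${VALUES}` includes the backend subdirectory) this proves the `.dec` was created somewhere other than the source directory, but not that it was the temp directory or that it no longer exists there after the run. If the temp directory helm-secrets resolves is visible to the test (not shown in this hunk), add `assert_file_not_exists "<tmp-dir>/secrets.yaml.dec"` after `assert_success` and match the Removed line against that directory instead of `.*`.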
@@ -2055,7 +2055,9 @@ load '../bats/extensions/bats-file/load' create_chart "${TEST_TEMP_DIR}" - run env HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR=true "${HELM_BIN}" secrets template "${TEST_TEMP_DIR}/chart" -f "${VALUES_PATH}" 2>&1 + # shellcheck disable=SC2030 disable=SC2031 + run env HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR=true WSLENV="HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR:${WSLENV}" \ + "${HELM_BIN}" secrets template "${TEST_TEMP_DIR}/chart" -f "${VALUES_PATH}" 2>&1 assert_output -e "\[helm-secrets\] Decrypt: .*${VALUES}" assert_output --partial "port: 81"