helm-secrets/scripts/commands/helm.sh at a986aa0853b39900dcc6be71cd8e9cdd73d8df26 · jkroepke/helm-secrets · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
#!/usr/bin/env sh

set -eu

# shellcheck disable=SC1090
. "${SCRIPT_DIR}/commands/dec.sh"

helm_command_usage() {
    cat <<EOF
helm secrets $1 [ --driver <driver> | -d <driver> ] [ --quiet | -q ]

This is a wrapper for "helm [command]". It will detect -f and
--values options, and decrypt any encrypted *.yaml files before running "helm
[command]".

Example:
  $ helm secrets upgrade <HELM UPGRADE OPTIONS>
  $ helm secrets lint <HELM LINT OPTIONS>

Typical usage:
  $ helm secrets upgrade i1 stable/nginx-ingress -f values.test.yaml -f secrets.test.yaml
  $ helm secrets lint ./my-chart -f values.test.yaml -f secrets.test.yaml

EOF
}

helm_wrapper_cleanup() {
    if [ -s "${decrypted_files}" ]; then
        if [ "${QUIET}" = "false" ]; then
            echo >/dev/stderr
            # shellcheck disable=SC2016
            xargs -0 -n1 sh -c 'rm "$1" && printf "[helm-secrets] Removed: %s\n" "$1"' sh >/dev/stderr <"${decrypted_files}"
        else
            xargs -0 rm >/dev/stderr <"${decrypted_files}"
        fi
    fi

    rm "${decrypted_files}"
}

helm_wrapper() {
    decrypted_files=$(mktemp)

    argc=$#
    j=0

    #cleanup on-the-fly decrypted files
    trap helm_wrapper_cleanup EXIT

    while [ $j -lt $argc ]; do
        case "$1" in
        --)
            # skip --, and what remains are the cmd args
            set -- "$1"
            shift
            break
            ;;
        -f | --values)
            set -- "$@" "$1"

            file="${2}"
            file_dec="$(file_dec_name "${file}")"
            if [ -f "${file_dec}" ]; then
                set -- "$@" "$file_dec"

                if [ "${QUIET}" = "false" ]; then
                    printf '[helm-secrets] Decrypt skipped: %s' "${file}" >/dev/stderr
                fi
            else
                if decrypt_helper "${file}"; then
                    set -- "$@" "$file_dec"
                    printf '%s\0' "${file_dec}" >>"${decrypted_files}"

                    if [ "${QUIET}" = "false" ]; then
                        printf '[helm-secrets] Decrypt: %s' "${file}" >/dev/stderr
                    fi
                else
                    set -- "$@" "$file"
                fi
            fi

            shift
            j=$((j + 1))
            ;;
        *)
            set -- "$@" "$1"
            ;;
        esac

        shift
        j=$((j + 1))
    done

    if [ "${QUIET}" = "false" ]; then
        echo >/dev/stderr
    fi

    "${HELM_BIN}" ${TILLER_HOST:+--host "$TILLER_HOST"} "$@"
}

helm_command() {
    if [ $# -lt 2 ] || is_help "$2"; then
        helm_command_usage "${1:-"[helm command]"}"
        return
    fi

    helm_wrapper "$@"
}