Helm downloader plugin support (#52)

CHANGELOG.md

@@ -6,6 +6,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 Allow override sops version on installation
 
+## [Unreleased]
+
+### Added
+- Implement alternate syntax (https://github.com/jkroepke/helm-secrets/pull/52)
+
 ## [3.3.5] - 2020-10-16
 
 ### Added

README.md

@@ -50,6 +50,24 @@ In meanwhile, this project is officially listed on the [community projects side]
 * [`tests`](tests) - Test scripts to check if all parts of the plugin work. Using test assets with PGP keys to make real tests on real data with real encryption/decryption. See [`tests/README.md`](tests/README.md) for more informations.
 * [`examples`](examples) - Some example secrets.yaml 
 
+## Update
+
+### Decrypt secrets via plugin command
+
+Wraps the whole helm command. Slow on multiple value files.
+```
+helm secrets upgrade name . -f secrets.yaml
+```
+
+### Decrypt secrets via protocol handler
+
+Run decrypted command on specific value files
+```
+helm upgrade name . -f secrets://secrets.yaml
+```
+
+See: [USAGE.md](USAGE.md) for more information
+
 ## Installation and Dependencies
 
 ### SOPS

USAGE.md

@@ -293,6 +293,14 @@ kind: Deployment
                   key: my_secret_key
 ```
 
+## Alternative: decrypt via downloader plugin
+
+Helm supports [downloader plugin](https://helm.sh/docs/topics/plugins/#downloader-plugins) for value files, too.
+
+```
+helm upgrade . -f sops://<path to file>
+```
+
 # Important Tips
 
 ## Prevent committing decrypted files to git

plugin.yaml

@@ -12,3 +12,10 @@ command: "$HELM_PLUGIN_DIR/scripts/run.sh"
 platformCommand:
   - os: windows
     command: "cmd /c $HELM_PLUGIN_DIR/scripts/wrapper/sh.cmd $HELM_PLUGIN_DIR/scripts/run.sh"
+
+downloaders:
+  - command: "scripts/downloader.sh"
+    protocols:
+      - "sops"
+      - "secret"
+      - "secrets"

scripts/downloader.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env sh
+
+# https://helm.sh/docs/topics/plugins/#downloader-plugins
+# It's always the 4th parameter
+file=$(printf '%s' "${4}" | sed -e 's!.*://!!')
+
+exec sops --decrypt --input-type "yaml" --output-type "yaml" "${file}"

tests/it/diff.bats

@@ -221,3 +221,19 @@ load '../bats/extensions/bats-file/load'
     assert_output --partial "[helm-secrets] Removed: ${FILE}.dec"
     assert [ ! -f "${FILE}.dec" ]
 }
+
+@test "diff: helm diff upgrade w/ chart + secrets.yaml + sops://" {
+    if is_windows || [ "${HELM_SECRETS_DRIVER}" != "sops" ]; then
+        skip
+    fi
+
+    helm_plugin_install "diff"
+    FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml"
+    RELEASE="diff-$(date +%s)-${SEED}"
+
+    create_chart "${TEST_TEMP_DIR}"
+
+    run helm diff upgrade --no-color --allow-unreleased "${RELEASE}" "${TEST_TEMP_DIR}/chart" -f "sops://${FILE}" 2>&1
+    assert_success
+    assert_output --partial "port: 81"
+}

tests/it/install.bats

@@ -239,3 +239,21 @@ load '../bats/extensions/bats-file/load'
     assert_output --partial "[helm-secrets] Removed: ${FILE}.dec"
     assert [ ! -f "${FILE}.dec" ]
 }
+
+@test "install: helm install w/ chart + secrets.yaml + sops://" {
+    if is_windows || [ "${HELM_SECRETS_DRIVER}" != "sops" ]; then
+        skip
+    fi
+
+    FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml"
+    RELEASE="install-$(date +%s)-${SEED}"
+    create_chart "${TEST_TEMP_DIR}"
+
+    run helm install "${RELEASE}" "${TEST_TEMP_DIR}/chart" --no-hooks -f "sops://${FILE}" 2>&1
+    assert_success
+    assert_output --partial "STATUS: deployed"
+
+    run kubectl get svc -o yaml -l "app.kubernetes.io/name=chart,app.kubernetes.io/instance=${RELEASE}"
+    assert_success
+    assert_output --partial "port: 81"
+}

tests/it/upgrade.bats

@@ -238,3 +238,21 @@ load '../bats/extensions/bats-file/load'
     assert_output --partial "[helm-secrets] Removed: ${FILE}.dec"
     assert [ ! -f "${FILE}.dec" ]
 }
+
+@test "upgrade: helm upgrade w/ chart + secrets.yaml + sops://" {
+    if is_windows || [ "${HELM_SECRETS_DRIVER}" != "sops" ]; then
+        skip
+    fi
+
+    FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml"
+    RELEASE="upgrade-$(date +%s)-${SEED}"
+    create_chart "${TEST_TEMP_DIR}"
+
+    run helm upgrade -i "${RELEASE}" "${TEST_TEMP_DIR}/chart" --no-hooks -f "sops://${FILE}" 2>&1
+    assert_success
+    assert_output --partial "STATUS: deployed"
+
+    run kubectl get svc -o yaml -l "app.kubernetes.io/name=chart,app.kubernetes.io/instance=${RELEASE}"
+    assert_success
+    assert_output --partial "port: 81"
+}

tests/unit/template.bats

@@ -195,3 +195,45 @@ load '../bats/extensions/bats-file/load'
     assert_output --partial "[helm-secrets] Removed: ${FILE}.dec"
     assert_file_not_exist "${FILE}.dec"
 }
+
+@test "template: helm template w/ chart + secrets.yaml + sops://" {
+    if is_windows || [ "${HELM_SECRETS_DRIVER}" != "sops" ]; then
+        skip
+    fi
+
+    FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml"
+
+    create_chart "${TEST_TEMP_DIR}"
+
+    run helm template "${TEST_TEMP_DIR}/chart" -f "sops://${FILE}" 2>&1
+    assert_success
+    assert_output --partial "port: 81"
+}
+
+@test "template: helm template w/ chart + secrets.yaml + secret://" {
+    if is_windows || [ "${HELM_SECRETS_DRIVER}" != "sops" ]; then
+        skip
+    fi
+
+    FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml"
+
+    create_chart "${TEST_TEMP_DIR}"
+
+    run helm template "${TEST_TEMP_DIR}/chart" -f "secret://${FILE}" 2>&1
+    assert_success
+    assert_output --partial "port: 81"
+}
+
+@test "template: helm template w/ chart + secrets.yaml + secrets://" {
+    if is_windows || [ "${HELM_SECRETS_DRIVER}" != "sops" ]; then
+        skip
+    fi
+
+    FILE="${TEST_TEMP_DIR}/values/${HELM_SECRETS_DRIVER}/secrets.yaml"
+
+    create_chart "${TEST_TEMP_DIR}"
+
+    run helm template "${TEST_TEMP_DIR}/chart" -f "secrets://${FILE}" 2>&1
+    assert_success
+    assert_output --partial "port: 81"
+}