externalize vault driver logic
jkroepke committed Dec 23, 2020
1 parent f20c2c6 commit 5254818
Showing 3 changed files with 100 additions and 81 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -15,6 +15,7 @@ Check [README.md](README.md#installation-on-helm-2)
- Implement alternate syntax (https://github.com/jkroepke/helm-secrets/pull/52)
- Remote values support (supporting http:// and helm downloader plugins) (https://github.com/jkroepke/helm-secrets/pull/54)
- Let downloader plugin supports remote files and all secrets drivers (https://github.com/jkroepke/helm-secrets/pull/55)
- Externalize custom vault driver logic. (https://github.com/jkroepke/helm-secrets/pull/63)

### Fixes
- Vault driver: If vault command failed, the script execution was not terminated. (https://github.com/jkroepke/helm-secrets/pull/61)
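--- /dev/null
+++ b/scripts/drivers/_custom.sh
@@ -0,0 +1,87 @@
+#!/usr/bin/env sh
+
+_sed_i() {
+# MacOS syntax is different for in-place
+if [ "$(uname)" = "Darwin" ]; then
+sed -i "" "$@"
+else
+sed -i "$@"
+fi
+}
+
+_regex_escape() {
+# This is a function because dealing with quotes is a pain.
+# http://stackoverflow.com/a/2705678/120999
+sed -e 's/[]\/()$*.^|[]/\\&/g'
+}
+
+_custom_driver_get_secret() {
+echo "Please override function '_custom_driver_get_secret' in your driver!" >&2
+exit 1
+}
+
+driver_is_file_encrypted() {
+input="${1}"
+
+grep -q -e "${_DRIVER_REGEX}" "${input}"
+}
+
+driver_encrypt_file() {
+echo "Encrypting files is not supported!"
+exit 1
+}
+
+driver_decrypt_file() {
+type="${1}"
+input="${2}"
+# if omit then output to stdout
+output="${3:-}"
+
+input_tmp="$(mktemp)"
+output_tmp="$(mktemp)"
+cp "${input}" "${input_tmp}"
+
+# Grab all patterns, deduplicate and pass it to loop
+# https://github.com/koalaman/shellcheck/wiki/SC2013
+if ! grep -o -e "${_DRIVER_REGEX}" "${input}" | sort | uniq | while IFS= read -r EXPRESSION; do
+# remove prefix
+_SECRET="${EXPRESSION#* }"
+
+if ! SECRET=$(_custom_driver_get_secret "${type}" "${_SECRET}"); then
+exit 1
+fi
+
+# generate yaml anchor name
+YAML_ANCHOR=$(printf 'helm-secret-%s' "${_SECRET}" | tr '#$/' '_')
+
+# Replace vault expression with yaml anchor
+EXPRESSION="$(echo "${EXPRESSION}" | _regex_escape)"
+_sed_i "s/${EXPRESSION}/*${YAML_ANCHOR}/g" "${input_tmp}"
+
+if [ "${_SECRET_FIELD}" = "data" ]; then
+{
+printf '.%s: &%s\n' "${YAML_ANCHOR}" "${YAML_ANCHOR}"
+printf '%s\n\n' "${SECRET}" | sed -e 's/^/ /g'
+} >>"${output_tmp}"
+else
+{
+printf '.%s: &%s ' "${YAML_ANCHOR}" "${YAML_ANCHOR}"
+printf '%s\n\n' "${SECRET}"
+} >>"${output_tmp}"
+fi
+done; then
+# pass exit from pipe/sub shell to main shell
+exit 1
+fi
+
+if [ "${output}" = "" ]; then
+cat "${output_tmp}" "${input_tmp}"
+else
+cat "${output_tmp}" "${input_tmp}" >"${output}"
+fi
+}
+
+driver_edit_file() {
+echo "Editing files is not supported!"
+exit 1
+}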
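Review bot: `_SECRET_FIELD` in the `[ "${_SECRET_FIELD}" = "data" ]` test is never assigned in this file, and a driver cannot supply it either: `_custom_driver_get_secret` is invoked inside `$(...)` when `SECRET` is captured, so any variable the hook sets (vault.sh sets `_SECRET_FIELD` and `_SECRET_PATH` this way) dies with that subshell, leaving the multi-line `data` branch unreachable (and, if the calling script runs with `set -u`, the test aborts instead). Since the generic loop already assumes the `path#field` syntax when it builds the anchor with `tr '#$/' '_'`, the field can be derived locally with `_SECRET_FIELD="${_SECRET#*#}"` right after `_SECRET="${EXPRESSION#* }"`, or the hook's contract should be documented as stdout-only. Separately, `YAML_ANCHOR` is spliced into the sed replacement side of `_sed_i "s/${EXPRESSION}/*${YAML_ANCHOR}/g"` unescaped while only the pattern side goes through `_regex_escape`; `tr '#$/' '_'` does not neutralise `&` or `\`, and the vault regex's `[A-z]` range admits a backslash in most locales, so a crafted expression can mangle the substitution. The two `mktemp` files hold the decrypted values and are never removed on either exit path; an explicit `rm -f -- "${input_tmp}" "${output_tmp}"` before returning (or a trap, if the calling script's structure allows it) would avoid leaving plaintext in the temp directory.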
93 changes: 12 additions & 81 deletions scripts/drivers/vault.sh
@@ -1,93 +1,24 @@
#!/usr/bin/env sh

_VAULT_REGEX='!vault [A-z0-9][A-z0-9/\-]*\#[A-z0-9][A-z0-9-]*'
# shellcheck disable=SC2034
_DRIVER_REGEX='!vault [A-z0-9][A-z0-9/\-]*\#[A-z0-9][A-z0-9-]*'

_sed_i() {
# MacOS syntax is different for in-place
if [ "$(uname)" = "Darwin" ]; then
sed -i "" "$@"
else
sed -i "$@"
fi
}

_regex_escape() {
# This is a function because dealing with quotes is a pain.
# http://stackoverflow.com/a/2705678/120999
sed -e 's/[]\/()$*.^|[]/\\&/g'
}

driver_is_file_encrypted() {
input="${1}"

grep -q -e "${_VAULT_REGEX}" "${input}"
}

driver_encrypt_file() {
echo "Encrypting files via vault driver is not supported!"
exit 1
}
# shellcheck source=scripts//drivers/_custom.sh
. "${SCRIPT_DIR}/drivers/_custom.sh"

driver_decrypt_file() {
type="${1}"
input="${2}"
# if omit then output to stdout
output="${3:-}"
_custom_driver_get_secret() {
_type=$1
_SECRET_PATH="${2%#*}"
_SECRET_FIELD="${2#*#}"

if [ "${type}" != "yaml" ]; then
if [ "${_type}" != "yaml" ]; then
echo "Only decryption of yaml files are allowed!"
exit 1
fi

input_tmp="$(mktemp)"
output_tmp="$(mktemp)"
cp "${input}" "${input_tmp}"

# Grab all patterns, deduplicate and pass it to loop
# https://github.com/koalaman/shellcheck/wiki/SC2013
if ! grep -o -e "${_VAULT_REGEX}" "${input}" | sort | uniq | while IFS= read -r EXPRESSION; do
# remove prefix
VAULT_SECRET="${EXPRESSION#* }"
VAULT_SECRET_PATH="${VAULT_SECRET%#*}"
VAULT_SECRET_FIELD="${VAULT_SECRET#*#}"

if ! SECRET="$(vault kv get -format=yaml -field="${VAULT_SECRET_FIELD}" "${VAULT_SECRET_PATH}")"; then
echo "Error while get secret from vault!" >&2
echo vault kv get -format=yaml -field="${VAULT_SECRET_FIELD}" "${VAULT_SECRET_PATH}" >&2
exit 1
fi

# generate yaml anchor name
YAML_ANCHOR=$(printf 'vault-%s-%s' "${VAULT_SECRET_PATH}" "${VAULT_SECRET_FIELD}" | tr '/' _)

# Replace vault expression with yaml anchor
EXPRESSION="$(echo "${EXPRESSION}" | _regex_escape)"
_sed_i "s/${EXPRESSION}/*${YAML_ANCHOR}/g" "${input_tmp}"

if [ "${VAULT_SECRET_FIELD}" = "data" ]; then
{
printf '.%s: &%s\n' "${YAML_ANCHOR}" "${YAML_ANCHOR}"
printf '%s\n\n' "${SECRET}" | sed -e 's/^/ /g'
} >>"${output_tmp}"
else
{
printf '.%s: &%s ' "${YAML_ANCHOR}" "${YAML_ANCHOR}"
printf '%s\n\n' "${SECRET}"
} >>"${output_tmp}"
fi
done; then
# pass exit from pipe/sub shell to main shell
if ! vault kv get -format="${_type}" -field="${_SECRET_FIELD}" "${_SECRET_PATH}"; then
echo "Error while get secret from vault!" >&2
echo vault kv get -format="${_type}" -field="${_SECRET_FIELD}" "${_SECRET_PATH}" >&2
exit 1
fi

if [ "${output}" = "" ]; then
cat "${output_tmp}" "${input_tmp}"
else
cat "${output_tmp}" "${input_tmp}" >"${output}"
fi
}

driver_edit_file() {
echo "Editing files via vault driver is not supported!"
exit 1
}
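Review bot: The rejection message `echo "Only decryption of yaml files are allowed!"` is now swallowed: `_custom_driver_get_secret` runs inside the `$(...)` in `_custom.sh`, so this `echo` goes to stdout, is captured as the secret value, and the user only sees the generic failure; it should read `echo "Only decryption of yaml files are allowed!" >&2`, matching the `>&2` already used on the vault error two lines below. That line is unchanged context, but moving it into this hook is what changes where its output lands. The regex assigned to `_DRIVER_REGEX` uses `[A-z]`, which in the C locale also matches `[`, `\`, `]`, `^`, `_` and the backtick; `[A-Za-z0-9]` is presumably what was intended and would keep a backslash from reaching the sed replacement built in `_custom.sh`.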
