Showing
3 changed files
with
100 additions
and
81 deletions.
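--- /dev/null
+++ b/NEW_FILE_PATH_NOT_SHOWN
@@ -0,0 +1,87 @@
+#!/usr/bin/env sh
+
+_sed_i() {
+# MacOS syntax is different for in-place
+if [ "$(uname)" = "Darwin" ]; then
+sed -i "" "$@"
+else
+sed -i "$@"
+fi
+}
+
+_regex_escape() {
+# This is a function because dealing with quotes is a pain.
+# http://stackoverflow.com/a/2705678/120999
+sed -e 's/[]\/()$*.^|[]/\\&/g'
+}
+
+_custom_driver_get_secret() {
+echo "Please override function '_custom_driver_get_secret' in your driver!" >&2
+exit 1
+}
+
+driver_is_file_encrypted() {
+input="${1}"
+
+grep -q -e "${_DRIVER_REGEX}" "${input}"
+}
+
+driver_encrypt_file() {
+echo "Encrypting files is not supported!"
+exit 1
+}
+
+driver_decrypt_file() {
+type="${1}"
+input="${2}"
+# if omit then output to stdout
+output="${3:-}"
+
+input_tmp="$(mktemp)"
+output_tmp="$(mktemp)"
+cp "${input}" "${input_tmp}"
+
+# Grab all patterns, deduplicate and pass it to loop
+# https://github.com/koalaman/shellcheck/wiki/SC2013
+if ! grep -o -e "${_DRIVER_REGEX}" "${input}" | sort | uniq | while IFS= read -r EXPRESSION; do
+# remove prefix
+_SECRET="${EXPRESSION#* }"
+
+if ! SECRET=$(_custom_driver_get_secret "${type}" "${_SECRET}"); then
+exit 1
+fi
+
+# generate yaml anchor name
+YAML_ANCHOR=$(printf 'helm-secret-%s' "${_SECRET}" | tr '#$/' '_')
+
+# Replace vault expression with yaml anchor
+EXPRESSION="$(echo "${EXPRESSION}" | _regex_escape)"
+_sed_i "s/${EXPRESSION}/*${YAML_ANCHOR}/g" "${input_tmp}"
+
+if [ "${_SECRET_FIELD}" = "data" ]; then
+{
+printf '.%s: &%s\n' "${YAML_ANCHOR}" "${YAML_ANCHOR}"
+printf '%s\n\n' "${SECRET}" | sed -e 's/^/ /g'
+} >>"${output_tmp}"
+else
+{
+printf '.%s: &%s ' "${YAML_ANCHOR}" "${YAML_ANCHOR}"
+printf '%s\n\n' "${SECRET}"
+} >>"${output_tmp}"
+fi
+done; then
+# pass exit from pipe/sub shell to main shell
+exit 1
+fi
+
+if [ "${output}" = "" ]; then
+cat "${output_tmp}" "${input_tmp}"
+else
+cat "${output_tmp}" "${input_tmp}" >"${output}"
+fi
+}
+
+driver_edit_file() {
+echo "Editing files is not supported!"
+exit 1
+}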
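Review bot: `_SECRET_FIELD`, tested in driver_decrypt_file's `if [ "${_SECRET_FIELD}" = "data" ]; then`, is never assigned in this file, and the only assignment visible on this page (`_SECRET_FIELD="${2#*#}"` in the vault driver's `_custom_driver_get_secret`) runs inside the `SECRET=$(_custom_driver_get_secret "${type}" "${_SECRET}")` command substitution, whose subshell cannot hand the variable back, so the multi-line `data` layout the old vault driver produced is silently never selected. Either derive it in the caller right after `_SECRET` is set (`_SECRET_FIELD="${_SECRET#*#}"`, if the `path#field` syntax is meant to be shared by every driver) or have the callback report the field on stdout alongside the value. Separately, `input_tmp` and `output_tmp` come from mktemp and are never removed, and output_tmp holds the decrypted values written by the two printf blocks, so plaintext secrets outlive the run; add `rm -f -- "${input_tmp}" "${output_tmp}"` after the final cat and before the `exit 1` that follows the loop. The same `_SECRET_FIELD` point applies to the vault-driver hunk below.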
@@ -1,93 +1,24 @@ | ||
#!/usr/bin/env sh | ||
|
||
_VAULT_REGEX='!vault [A-z0-9][A-z0-9/\-]*\#[A-z0-9][A-z0-9-]*' | ||
# shellcheck disable=SC2034 | ||
_DRIVER_REGEX='!vault [A-z0-9][A-z0-9/\-]*\#[A-z0-9][A-z0-9-]*' | ||
|
||
_sed_i() { | ||
# MacOS syntax is different for in-place | ||
if [ "$(uname)" = "Darwin" ]; then | ||
sed -i "" "$@" | ||
else | ||
sed -i "$@" | ||
fi | ||
} | ||
|
||
_regex_escape() { | ||
# This is a function because dealing with quotes is a pain. | ||
# http://stackoverflow.com/a/2705678/120999 | ||
sed -e 's/[]\/()$*.^|[]/\\&/g' | ||
} | ||
|
||
driver_is_file_encrypted() { | ||
input="${1}" | ||
|
||
grep -q -e "${_VAULT_REGEX}" "${input}" | ||
} | ||
|
||
driver_encrypt_file() { | ||
echo "Encrypting files via vault driver is not supported!" | ||
exit 1 | ||
} | ||
# shellcheck source=scripts//drivers/_custom.sh | ||
. "${SCRIPT_DIR}/drivers/_custom.sh" | ||
|
||
driver_decrypt_file() { | ||
type="${1}" | ||
input="${2}" | ||
# if omit then output to stdout | ||
output="${3:-}" | ||
_custom_driver_get_secret() { | ||
_type=$1 | ||
_SECRET_PATH="${2%#*}" | ||
_SECRET_FIELD="${2#*#}" | ||
|
||
if [ "${type}" != "yaml" ]; then | ||
if [ "${_type}" != "yaml" ]; then | ||
echo "Only decryption of yaml files are allowed!" | ||
exit 1 | ||
fi | ||
|
||
input_tmp="$(mktemp)" | ||
output_tmp="$(mktemp)" | ||
cp "${input}" "${input_tmp}" | ||
|
||
# Grab all patterns, deduplicate and pass it to loop | ||
# https://github.com/koalaman/shellcheck/wiki/SC2013 | ||
if ! grep -o -e "${_VAULT_REGEX}" "${input}" | sort | uniq | while IFS= read -r EXPRESSION; do | ||
# remove prefix | ||
VAULT_SECRET="${EXPRESSION#* }" | ||
VAULT_SECRET_PATH="${VAULT_SECRET%#*}" | ||
VAULT_SECRET_FIELD="${VAULT_SECRET#*#}" | ||
|
||
if ! SECRET="$(vault kv get -format=yaml -field="${VAULT_SECRET_FIELD}" "${VAULT_SECRET_PATH}")"; then | ||
echo "Error while get secret from vault!" >&2 | ||
echo vault kv get -format=yaml -field="${VAULT_SECRET_FIELD}" "${VAULT_SECRET_PATH}" >&2 | ||
exit 1 | ||
fi | ||
|
||
# generate yaml anchor name | ||
YAML_ANCHOR=$(printf 'vault-%s-%s' "${VAULT_SECRET_PATH}" "${VAULT_SECRET_FIELD}" | tr '/' _) | ||
|
||
# Replace vault expression with yaml anchor | ||
EXPRESSION="$(echo "${EXPRESSION}" | _regex_escape)" | ||
_sed_i "s/${EXPRESSION}/*${YAML_ANCHOR}/g" "${input_tmp}" | ||
|
||
if [ "${VAULT_SECRET_FIELD}" = "data" ]; then | ||
{ | ||
printf '.%s: &%s\n' "${YAML_ANCHOR}" "${YAML_ANCHOR}" | ||
printf '%s\n\n' "${SECRET}" | sed -e 's/^/ /g' | ||
} >>"${output_tmp}" | ||
else | ||
{ | ||
printf '.%s: &%s ' "${YAML_ANCHOR}" "${YAML_ANCHOR}" | ||
printf '%s\n\n' "${SECRET}" | ||
} >>"${output_tmp}" | ||
fi | ||
done; then | ||
# pass exit from pipe/sub shell to main shell | ||
if ! vault kv get -format="${_type}" -field="${_SECRET_FIELD}" "${_SECRET_PATH}"; then | ||
echo "Error while get secret from vault!" >&2 | ||
echo vault kv get -format="${_type}" -field="${_SECRET_FIELD}" "${_SECRET_PATH}" >&2 | ||
exit 1 | ||
fi | ||
|
||
if [ "${output}" = "" ]; then | ||
cat "${output_tmp}" "${input_tmp}" | ||
else | ||
cat "${output_tmp}" "${input_tmp}" >"${output}" | ||
fi | ||
} | ||
|
||
driver_edit_file() { | ||
echo "Editing files via vault driver is not supported!" | ||
exit 1 | ||
} |
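Review bot: `echo "Only decryption of yaml files are allowed!"` now sits inside `_custom_driver_get_secret`, which the generic driver invokes as `SECRET=$(...)`, so the message is captured into SECRET and never shown to the user; the `exit 1` still propagates, but the diagnostic should go to stderr like the vault error below it, `echo "Only decryption of yaml files are allowed!" >&2`. The enclosing function continues below the rendered rows. `. "${SCRIPT_DIR}/drivers/_custom.sh"` sources from a variable this file neither sets nor checks, so with SCRIPT_DIR unset the shell attempts `/drivers/_custom.sh` and the resulting error does not name the real cause; add `: "${SCRIPT_DIR:?SCRIPT_DIR must be set}"` on the line before the source. The directive above it, `# shellcheck source=scripts//drivers/_custom.sh`, carries a doubled slash that looks like a typo.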