Add variable expansion

CHANGELOG.md

@@ -6,6 +6,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 Allow override sops version on installation
 
+## [Unreleased]
+
+### Added
+- Add environment variable expansion for value files like `secrets://https://${GITHUB_TOKEN}@raw.githubusercontent.com/org/repo/ref/pathtofile.yml`.
+  This feature is disabled by default and can be enabled by set the env var `HELM_SECRETS_URL_VARIABLE_EXPANSION=true`
+
 ## [3.10.0] - 2021-11-05
 
 ### Added

scripts/lib/expand_vars_strict.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env sh
+
+set -euf
+
+# https://stackoverflow.com/a/40167919
+expand_vars_strict() {
+    _x4=$(printf '\x4')
+    # the `||` clause ensures that the last line is read even if it doesn't end with \n
+    while IFS= read -r line || [ -n "${line}" ]; do
+        # Escape ALL chars. that could trigger an expansion..
+        lineEscaped=$(
+            printf %s "$line" |
+                tr '`([$' '\1\2\3\4' |
+                # ... then selectively reenable ${ references
+                sed -e "s/$_x4{/\${/g" |
+                # Finally, escape embedded double quotes to preserve them.
+                sed -e 's/"/\\\"/g'
+        )
+        eval "printf '%s\n' \"$lineEscaped\"" | tr '\1\2\3\4' '`([$'
+    done
+}

scripts/lib/file/http.sh

@@ -2,13 +2,22 @@
 
 set -euf
 
+URL_VARIABLE_EXPANSION="${HELM_SECRETS_URL_VARIABLE_EXPANSION:-false}"
+
 _file_http_exists() {
     _file_http_get "$@" >/dev/null
 }
 
 _file_http_get() {
     _tmp_file=$(_mktemp)
-    if ! download "${1}" >"${_tmp_file}"; then
+
+    if [ "${URL_VARIABLE_EXPANSION}" = "true" ]; then
+        _url="$(printf '%s' "${1}" | expand_vars_strict)"
+    else
+        _url="${1}"
+    fi
+
+    if ! download "${_url}" >"${_tmp_file}"; then
         exit 1
     fi
 

scripts/run.sh

@@ -16,6 +16,9 @@ SCRIPT_DIR="$(dirname "$0")"
 # shellcheck source=scripts/lib/common.sh
 . "${SCRIPT_DIR}/lib/common.sh"
 
+# shellcheck source=scripts/lib/expand_vars_strict.sh
+. "${SCRIPT_DIR}/lib/expand_vars_strict.sh"
+
 # shellcheck source=scripts/lib/file.sh
 . "${SCRIPT_DIR}/lib/file.sh"
 

tests/unit/template.bats

@@ -341,6 +341,33 @@ load '../bats/extensions/bats-file/load'
     assert_output --partial "port: 81"
 }
 
+@test "template: helm template w/ chart + secrets.yaml + secrets://http:// + HELM_SECRETS_URL_VARIABLE_EXPANSION=true" {
+    if on_windows || ! is_driver "sops"; then
+        # For vault its pretty hard to have a committed files with temporary seed of this test run
+        skip
+    fi
+    FILE="secrets://https://raw.githubusercontent.com/\${GH_OWNER}/\${GH_REPO}/main/tests/assets/values/${HELM_SECRETS_DRIVER}/secrets.yaml"
+
+    create_chart "${TEST_TEMP_DIR}"
+
+    run env HELM_SECRETS_URL_VARIABLE_EXPANSION=true GH_OWNER=jkroepke GH_REPO=helm-secrets helm template "${TEST_TEMP_DIR}/chart" -f "${FILE}" 2>&1
+    assert_success
+    assert_output --partial "port: 81"
+}
+
+@test "template: helm template w/ chart + secrets.yaml + secrets://http:// + HELM_SECRETS_URL_VARIABLE_EXPANSION=false" {
+    if on_windows || ! is_driver "sops"; then
+        # For vault its pretty hard to have a committed files with temporary seed of this test run
+        skip
+    fi
+    FILE="secrets://https://raw.githubusercontent.com/\${GH_OWNER}/\${GH_REPO}/main/tests/assets/values/${HELM_SECRETS_DRIVER}/secrets.yaml"
+
+    create_chart "${TEST_TEMP_DIR}"
+
+    run env HELM_SECRETS_URL_VARIABLE_EXPANSION=false helm template "${TEST_TEMP_DIR}/chart" -f "${FILE}" 2>&1
+    assert_failure
+}
+
 @test "template: helm template w/ chart + secrets.yaml + secrets://http://example.com/404.yaml" {
     if on_windows || ! is_driver "sops"; then
         # For vault its pretty hard to have a committed files with temporary seed of this test run