Optionally decrypt helm secrets in a temporary directory

Fixes: zendesk/helm-secrets#151

scripts/run.sh

@@ -5,6 +5,7 @@ set -eu
 # The suffix to use for decrypted files. The default can be overridden using
 # the HELM_SECRETS_DEC_SUFFIX environment variable.
 DEC_SUFFIX="${HELM_SECRETS_DEC_SUFFIX:-.yaml.dec}"
+DEC_DIR="${HELM_SECRETS_DEC_DIR:-}"
 
 # Make sure HELM_BIN is set (normally by the helm command)
 HELM_BIN="${HELM_BIN:-helm}"
@@ -148,7 +149,11 @@ is_file_encrypted() {
 }
 
 file_dec_name() {
-	echo "$(dirname "${1}")/$(basename "${1}" ".yaml")${DEC_SUFFIX}"
+	if [ "${DEC_DIR}" != "" ]; then
+		echo "${DEC_DIR}/$(basename "${1}" ".yaml")${DEC_SUFFIX}"
+	else
+		echo "$(dirname "${1}")/$(basename "${1}" ".yaml")${DEC_SUFFIX}"
+	fi
 }
 
 encrypt_helper() {

tests/2-dec.bats

@@ -36,7 +36,8 @@ load 'bats/extensions/bats-assert/load'
 }
 
 @test "dec: Decrypt assets/helm_vars/secrets.yaml with HELM_SECRETS_DEC_SUFFIX" {
-  export HELM_SECRETS_DEC_SUFFIX=.yaml.test
+  HELM_SECRETS_DEC_SUFFIX=.yaml.test
+  export HELM_SECRETS_DEC_SUFFIX
 
   FILE=tests/assets/helm_vars/secrets.yaml
 
@@ -50,6 +51,22 @@ load 'bats/extensions/bats-assert/load'
   assert_output 'global_secret: global_bar'
 }
 
+@test "dec: Decrypt assets/helm_vars/secrets.yaml with HELM_SECRETS_DEC_DIR" {
+  HELM_SECRETS_DEC_DIR="$(mktemp -d)"
+  export HELM_SECRETS_DEC_DIR
+
+  FILE=tests/assets/helm_vars/secrets.yaml
+
+  run helm secrets dec "${FILE}"
+  assert_success
+  assert_output "Decrypting ${FILE}"
+  assert [ -e "${HELM_SECRETS_DEC_DIR}/secrets.yaml.dec" ]
+
+  run cat "${HELM_SECRETS_DEC_DIR}/secrets.yaml.dec"
+  assert_success
+  assert_output 'global_secret: global_bar'
+}
+
 @test "dec: Decrypt assets/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml" {
   FILE=tests/assets/helm_vars/projectX/sandbox/us-east-1/java-app/secrets.yaml