From 78f794c8c87995ca292566116245e368ef8ee5e2 Mon Sep 17 00:00:00 2001 From: Dirk Wilden Date: Wed, 6 May 2020 08:54:52 +0200 Subject: [PATCH 1/2] add support for yml extension --- secrets.sh | 7 +++---- test.sh | 49 ++++++++++++++++++++++++++++++++----------------- 2 files changed, 35 insertions(+), 21 deletions(-) diff --git a/secrets.sh b/secrets.sh index 4ab9176..c128670 100755 --- a/secrets.sh +++ b/secrets.sh @@ -248,9 +248,8 @@ encrypt_helper() { local yml=$(basename "$1") cd "$dir" [[ -e "$yml" ]] || { echo "File does not exist: $dir/$yml"; exit 1; } - local ymldec=$(sed -e "s/\\.yaml$/${DEC_SUFFIX}/" <<<"$yml") + local ymldec=$(sed -e "s/\\.y\(a\|\)ml$/${DEC_SUFFIX}/" <<<"$yml") [[ -e $ymldec ]] || ymldec="$yml" - if [[ $(grep -C10000 'sops:' "$ymldec" | grep -c 'version:') -gt 0 ]] then echo "Already encrypted: $ymldec" @@ -305,7 +304,7 @@ decrypt_helper() { echo "Not encrypted: $yml" __ymldec="$yml" else - __ymldec=$(sed -e "s/\\.yaml$/${DEC_SUFFIX}/" <<<"$yml") + __ymldec=$(sed -e "s/\\.y\(a\|\)ml$/${DEC_SUFFIX}/" <<<"$yml") if [[ -e $__ymldec && $__ymldec -nt $yml ]] then echo "$__ymldec is newer than $yml" @@ -374,7 +373,7 @@ clean() { return fi local basedir="$1" - find "$basedir" -type f -name "secrets*${DEC_SUFFIX}" -exec rm -v {} \; + find "$basedir" -type f -name "*secret*${DEC_SUFFIX}" -exec rm -v {} \; } helm_wrapper() { diff --git a/test.sh b/test.sh index 85d4d7f..de8223f 100755 --- a/test.sh +++ b/test.sh 
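Review bot: The new substitution `s/\\.y\(a\|\)ml$/${DEC_SUFFIX}/` in encrypt_helper depends on the `\|` alternation, which is a GNU sed extension that BSD/macOS sed does not support, so on those platforms a `.yml` name is left unchanged and `ymldec` silently stays equal to `yml`. A POSIX-portable form is the interval expression `local ymldec; ymldec=$(sed -e "s/\\.ya\{0,1\}ml$/${DEC_SUFFIX}/" <<<"$yml")`, which also splits the `local` declaration from the assignment so a sed failure is no longer masked. The same expression is repeated verbatim in the decrypt_helper hunk below and twice in test.sh (hunks @@ -47 and @@ -85); keeping a single helper for the name mapping would stop the copies drifting, and the second patch already introduces `get_decrypted_filename` for secrets.sh but leaves the test.sh copies in place.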
@@ -23,11 +23,22 @@ trap_error() { trap "trap_error" EXIT test_encryption() { -result=$(cat < "${secret}" | grep -Ec "(40B6FAEC80FD467E3FE9421019F6A67BB1B8DDBE|4434EA5D05F10F59D0DF7399AF1D073646ED4927)") -if [ "${result}" -eq 2 ] && [ "${secret}" == "./example/helm_vars/secrets.yaml" ]; -then - echo -e "${GREEN}[OK]${NOC} File properly encrypted" -elif [ "${result}" -eq 1 ] && [ "${secret}" != "./example/helm_vars/secrets.yaml" ]; +fingerprint1Count=$(cat < "${secret}" | grep -Ec "40B6FAEC80FD467E3FE9421019F6A67BB1B8DDBE") +fingerprint2Count=$(cat < "${secret}" | grep -Ec "4434EA5D05F10F59D0DF7399AF1D073646ED4927") + +ok=0 + +if [[ $secret == *"./example/helm_vars/projectX/"* ]]; then + [[ "${fingerprint1Count}" -eq 0 && "${fingerprint2Count}" -eq 1 ]] && ok=1 +elif [[ $secret == *"./example/helm_vars/projectY/"* ]]; then + [[ "${fingerprint1Count}" -eq 1 && "${fingerprint2Count}" -eq 0 ]] && ok=1 +elif [[ $secret == *"./example/helm_vars/"* ]]; then + [[ "${fingerprint1Count}" -eq 1 && "${fingerprint2Count}" -eq 1 ]] && ok=1 +else + echo "Secret in unkown folder" +fi + +if [ "${ok}" -eq 1 ]; then echo -e "${GREEN}[OK]${NOC} File properly encrypted" else @@ -47,9 +58,12 @@ fi } test_decrypt() { -if [ -f "${secret}.dec" ]; +ymldec=$(sed -e "s/\\.y\(a\|\)ml$/.yaml.dec/" <<<"$secret") + +if [ -f "${ymldec}" ]; then - result_dec=$(cat < "${secret}.dec" | grep -Ec "(40B6FAEC80FD467E3FE9421019F6A67BB1B8DDBE|4434EA5D05F10F59D0DF7399AF1D073646ED4927)") + + result_dec=$(cat < "${ymldec}" | grep -Ec "(40B6FAEC80FD467E3FE9421019F6A67BB1B8DDBE|4434EA5D05F10F59D0DF7399AF1D073646ED4927)") if [ "${result_dec}" -gt 0 ]; then echo -e "${RED}[FAIL]${NOC} Decryption failed" 
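Review bot: The fall-through `else` branch of the new folder dispatch in test_encryption only prints `Secret in unkown folder` (misspelled) and relies on `ok` remaining 0 so that the later `if [ "${ok}" -eq 1 ]` reports a generic failure, which hides which file was at fault. Suggest `echo -e "${RED}[FAIL]${NOC} Secret in unknown folder: ${secret}"; exit 1` in that branch so the offending path is reported and the run stops there. The two fingerprint counts also use `cat < file | grep -Ec`; `grep -Ec pattern "${secret}"` does the same without the extra process. The new `fingerprint1Count`/`fingerprint2Count` names are camelCase while the rest of the file (`result_dec`, `secret_dec`) is snake_case.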
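Review bot: In test_decrypt the new `ymldec` is assigned without `local` and recomputes the decrypted file name that hunk @@ -85 of this same patch stores in `secret_dec` in test_helm_secrets, so the `.yml` → `.yaml.dec` mapping now lives in two places in test.sh plus a third in secrets.sh, where it is derived from `DEC_SUFFIX`. If `DEC_SUFFIX` changes, these tests keep checking a stale name; prefer `local ymldec="${secret_dec}"` or pass the name in as `$2`. The `\|` portability caveat raised on the secrets.sh hunk applies to this sed expression too.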
@@ -57,15 +71,15 @@ then echo -e "${GREEN}[OK]${NOC} File decrypted" fi else - echo -e "${RED}[FAIL]${NOC} ${secret}.dec not exist" + echo -e "${RED}[FAIL]${NOC} ${ymldec} not exist" exit 1 fi } test_clean() { -if [ -f "${secret}.dec" ]; +if [ -f "${secret_dec}" ]; then - echo -e "${RED}[FAIL]${NOC} ${secret}.dec exist after cleanup" + echo -e "${RED}[FAIL]${NOC} ${secret_dec} exist after cleanup" exit 1 else echo -e "${GREEN}[OK]${NOC} Cleanup ${mode}" @@ -85,6 +99,7 @@ fi test_helm_secrets() { echo -e "${YELLOW}+++${NOC} ${BLUE}Testing ${secret}${NOC}" +secret_dec=$(sed -e "s/\\.y\(a\|\)ml$/.yaml.dec/" <<<"$secret") echo -e "${YELLOW}+++${NOC} Encrypt and Test" "${HELM_CMD}" secrets enc "${secret}" > /dev/null || exit 1 && \ @@ -100,18 +115,18 @@ test_view "${secret}" echo -e "${YELLOW}+++${NOC} Decrypt" "${HELM_CMD}" secrets dec "${secret}" > /dev/null || exit 1 && \ test_decrypt "${secret}" && \ -cp "${secret}.dec" "${secret}" +cp "${secret_dec}" "${secret}" echo -e "${YELLOW}+++${NOC} Cleanup Test" "${HELM_CMD}" secrets clean "$(dirname ${secret})" > /dev/null || exit 1 mode="specified directory" test_clean "${secret}" "${mode}" && \ -cp "${secret}" "${secret}.dec" && \ -"${HELM_CMD}" secrets clean "${secret}.dec" > /dev/null || exit 1 +cp "${secret}" "${secret_dec}" && \ +"${HELM_CMD}" secrets clean "${secret_dec}" > /dev/null || exit 1 mode="specified .dec file" -test_clean "${secret}" "${mode}" # && \ -# cp "${secret}" "${secret}.dec" && \ -# "${HELM_CMD}" secrets clean "${secret}.dec" > /dev/null || exit 1 +test_clean "${secret}" "${secret_dec}" "${mode}" # && \ +# cp "${secret}" "${secret_dec}" && \ +# "${HELM_CMD}" secrets clean "${secret_dec}" > /dev/null || exit 1 # mode="specified encrypted secret file" # test_clean "${secret}" "${mode}" # The functionality above doesn't work, it only works with .dec in filename 
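Review bot: The two `test_clean` call sites now pass different argument lists, `"${secret}" "${mode}"` for the directory case and `"${secret}" "${secret_dec}" "${mode}"` for the .dec case, while the function body (hunk @@ -57) reads the globals `secret_dec` and `mode` and never touches `$1`..`$3`, so the added argument is ignored and the mismatch misleads the next reader. Either make the function positional, `local secret_dec=$2 mode=$3`, and update both callers, or drop the arguments at both call sites. The trailing comment `# The functionality above doesn't work, it only works with .dec in filename` should name the command that fails so the dead block can be fixed or removed later. test_helm_secrets starts outside this hunk.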
@@ -155,6 +170,6 @@ else fi echo "" -for secret in $(find . -type f -name secrets.yaml); +for secret in $(find . -type f -name *secret*.yaml -o -name *secret*.yml); do test_helm_secrets "${secret}"; done From 043a8013881b23a6e9bfd78b2eab2268d43a0084 Mon Sep 17 00:00:00 2001 From: Dirk Wilden Date: Wed, 6 May 2020 12:10:13 +0200 Subject: [PATCH 2/2] process secrets without file pattern --- example/helm_vars/another-secret.yml | 52 ++++++++ example/helm_vars/no-secret.yaml.dec | 2 + .../us-east-1/java-app/another-secret.yml | 31 +++++ .../us-east-1/java-app/no-secret.yaml.dec | 2 + .../us-east-1/java-app/another-secret.yml | 31 +++++ .../us-east-1/java-app/no-secret.yaml.dec | 2 + .../us-east-1/java-app/another-secret.yml | 31 +++++ .../us-east-1/java-app/no-secret.yaml.dec | 2 + .../us-east-1/java-app/another-secret.yml | 31 +++++ .../us-east-1/java-app/no-secret.yaml.dec | 2 + secrets.sh | 114 ++++++++++++------ test.sh | 18 ++- 12 files changed, 276 insertions(+), 42 deletions(-) create mode 100644 example/helm_vars/another-secret.yml create mode 100644 example/helm_vars/no-secret.yaml.dec create mode 100644 example/helm_vars/projectX/production/us-east-1/java-app/another-secret.yml create mode 100644 example/helm_vars/projectX/production/us-east-1/java-app/no-secret.yaml.dec create mode 100644 example/helm_vars/projectX/sandbox/us-east-1/java-app/another-secret.yml create mode 100644 example/helm_vars/projectX/sandbox/us-east-1/java-app/no-secret.yaml.dec create mode 100644 example/helm_vars/projectY/production/us-east-1/java-app/another-secret.yml create mode 100644 example/helm_vars/projectY/production/us-east-1/java-app/no-secret.yaml.dec create mode 100644 example/helm_vars/projectY/sandbox/us-east-1/java-app/another-secret.yml create mode 100644 example/helm_vars/projectY/sandbox/us-east-1/java-app/no-secret.yaml.dec diff --git a/example/helm_vars/another-secret.yml b/example/helm_vars/another-secret.yml new file mode 100644 index 0000000..ed984c9 
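Review bot: The patterns in `-name *secret*.yaml -o -name *secret*.yml` are unquoted, so the shell glob-expands them before `find` runs: if the current directory contains a matching file, `find` receives the expanded name(s) instead of the pattern, and with several matches the command line becomes a `find` syntax error. Quote and group them: `for secret in $(find . -type f \( -name '*secret*.yaml' -o -name '*secret*.yml' \));`. The parentheses also fix operator precedence, since `-type f -name A -o -name B` applies `-type f` only to the first alternative. Word-splitting the `find` output still breaks on paths with whitespace; a `while IFS= read -r -d '' secret; do …; done < <(find … -print0)` loop would be robust, but that part is pre-existing.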
--- /dev/null +++ b/example/helm_vars/another-secret.yml 
@@ -0,0 +1,52 @@ +global_secret: ENC[AES256_GCM,data:tW3e3YO0mffFQQ==,iv:cLs3C0IbhdB1aybbUIZfh8VBFEno32y/YLnJwhEq/iE=,tag:4F6PsxCj2Oxn0t49W7xfTQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + lastmodified: '2019-03-29T11:02:06Z' + mac: ENC[AES256_GCM,data:rDHF8C+s0WRHxsy6JKffkpwasJDp55fAxDY5WOXtz4u44bLNw/SrMDCBsYzQ1UcwxYMY+CAQINyeFyqeH5GjDPW6sJ1pmEQk0QTV8NdD/O/dDfHsXfTyFY8ZBNoIJJe8s3uMq3vm3L6BLjRJ8jHtbXwF/c3HOFYzKC+1J0X9TmE=,iv:ydQoImoP2Jt/tvOecurX7XsEIKtAGRJ6YzI1+MsMsuQ=,tag:gB8pvoRev9iProFjEga7vQ==,type:str] + pgp: + - created_at: '2019-03-29T11:02:06Z' + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMAxYpv4YXKfBAARAAkm4oBJlVN/yMSJasC/dYJvrCAooV2P6Oljsiw+VaKzRI + fNP7guPGXm7HMMjgF4e9RrBH4XsVLVSEL1yjXsP4s1CoiLOMqti/MvkPDvKjLzxT + ATvzpD7nAs0YEnQNlf7/DHm9JAGPWjfI2UJ/oEp4ba+bMIVg4nPV47n06f31m5Ur + hYMxUoFdCQbxCOnMCvcbTR9UMPfWLdd0Rr4T2NUSAY8Tr1LTM+iXRTdeJKy1AAhr + t/mu7sDADEm9aJSIbbE8nYSIzZuN7yL02CuZZci3HGOUV71cLVeOHC8MvKx2rwf8 + iT7L0dHwmi9mdfmIyNwKRhvzSR6RllUhfuDXB4cQ54/xnQ/7vF+YNdbJa8xl9Va/ + G60XClMsTr3iGOWU4Q2wlM+f7RGF6Bfwek5R0vWxGc/GshB4kQAu37g/L2E/79JX + m8LtZJl89p1n550lioX/+pituY8zd9uTsiqn21OIT5Uk830OygBcJTQepkz5lLI5 + c6OsuODNEvw2CJ6eHxAfG6GdW+B2spDJcJyELaKbP9zxDEK9RRC8MDxILDoOsk4I + ITKbx8jgeUXH6S7fRAvRDbzCLgMjKEUuEDmYO4a7d4m4Jf4htvATtmS8JPPpv5jQ + 1exXORaScAnmkFT0haupgBAX7dsCx36xpqqPFneFgTCzH3HUVhf7IpBG+opUhFTS + 4AHkVg6v8c/fqNfd41cKSERhG+GrLODV4PXhmzbgQuJpTjIx4HXlUXDFGDg2akB8 + UjWODkgtSitXvY6t3koS6d1BLH2L5rTg1+Qv4s9R4rBbMsB5Ahw6v/+b4q55Ubnh + DrIA + =U903 + -----END PGP MESSAGE----- + fp: 4434EA5D05F10F59D0DF7399AF1D073646ED4927 + - created_at: '2019-03-29T11:02:06Z' + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMAxzSiC7ZHNQZARAAb699zXK7tDKBJXQRHkSWN5/plCP1S+VouTkxKYpB1uYU + ivNyDAbYfXnU7LMClcK+qVdpK1JPULGjxJLVQLRsg1HRwYvkY/zKkXMUz824X2Hu + MeXywxzsS0pwLJ4PutmTrRWRSEltxed4vgndrzxkJtw7Fxf2eh8lJcevsZGXQyW/ + 2fghXVhGnQZe/MaynPcmI8F3Wxxa+6r1WnlSL3fvICQtyAAzS8rmDM7n8Iwzh4j7 + +zaBQ3wavYFX7lILa4JilwAku3VxZBgUh7FDxy62lZEE1giGJykW9DQaCMCdJiJh + 
5gG+yMIcjol2EQC+em//ZGcPHOR+qaG6HXUWhVFo67Gg3dKoYPXqjTFrAjg/ujja + utx6gxXUcOFyPFlJw7orG+P08PgshRVYT4Go3UAbSR/tjvcmyrKMRQBvF+Y1jRbb + y6GgCWae2lAO3wPejvFYn2yAnl9TRIZWAqet/1BJvnls+QmMCLkhLBx9l8zIA/iE + G2vO/R5vwC9j07UNLGSjrVvadnw51UT8efEiQOPRRhMSRe3tbq6g/2tkaRAt8PTP + J9SzM5BcPiGBHlrjAvJkDzmmXorEK317XZ3hPMY1326Rn37ZMenfYmCsv2Y+KN66 + 5h3tzSF2+8CeMowRjygFh5AQm0jpmHGNQkcDUfL7ewr9v/lrKJt6eGK5WnUM8VXS + 4AHkxq+E5sc6FrwYQYc5x28W/+F82+Az4O7hlATgb+LOrE4g4D7liQNTKREiREJQ + N84cvTNEp7NIHr7+tJRYuNjfAO+4743gb+Rfuqf6pXHSw7R0kYE70tid4tovsGDh + VqIA + =FY1e + -----END PGP MESSAGE----- + fp: 40B6FAEC80FD467E3FE9421019F6A67BB1B8DDBE + unencrypted_suffix: _unencrypted + version: 3.2.0 diff --git a/example/helm_vars/no-secret.yaml.dec b/example/helm_vars/no-secret.yaml.dec new file mode 100644 index 0000000..b33eb32 --- /dev/null +++ b/example/helm_vars/no-secret.yaml.dec @@ -0,0 +1,2 @@ +not: + a: "secret" \ No newline at end of file diff --git a/example/helm_vars/projectX/production/us-east-1/java-app/another-secret.yml b/example/helm_vars/projectX/production/us-east-1/java-app/another-secret.yml new file mode 100644 index 0000000..e741ce3 --- /dev/null +++ b/example/helm_vars/projectX/production/us-east-1/java-app/another-secret.yml 
@@ -0,0 +1,31 @@ +secret_production_projectx: ENC[AES256_GCM,data:NUSh2U7MeE9Ilg6zuUk=,iv:CVAqiUQV460zJ2J2RCcbvwxWbkF0tomXz/GI24RuDXE=,tag:lpCPR5jXR9t6tNh5HzxQrA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + lastmodified: '2019-03-29T11:02:08Z' + mac: ENC[AES256_GCM,data:IygJhBcNtb+3hb0J/DlY01XWYZFfwGQxfXGCuYiqFiMreZ91RL8PATfuQsOuUqLQdubuFJnnCGxW1rNwpqIXaUPjTN1IjUs031ALs3VSu+GGmAm9VL37d4dBbP3m4YYzhgV5m/Mn5Z19H59KcxjaLuujIBaPDztgOn211Ijkui8=,iv:kQDdkQODDg58vYXG90XjuM1ATzYHBCC7Lem5/pllX5E=,tag:MbJuvLqLW57RO/2C5g4wVA==,type:str] + pgp: + - created_at: '2019-03-29T11:02:08Z' + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMAxYpv4YXKfBAARAAAA8gRfuMZviZ+4kpzEOafKYT7kQ6QSqd/TGdgiZHtJFl + p5X0L8NJgXcgr6TNuBQF8f2AUy2IA0lfPfgESMofRD510Js0c7+W8YCrdIIV2kt7 + wgqrzGFJAMmdbfOyFPCCYQJ/4HEolRvyxuDDfVPcNFxbiPqVeTnPCEZ0fMmsm26o + 0XWDdKJ7qz5fDA/pi/9zDOsH5nBgksXpdlLGCUjGb1256FadIeYyX1L7ZFDW7jm9 + IvwU9TQUlJFQ/VPsJPoahPujIVcgRyFSi14vUd9tYglr8cLnJJlFpD1rnb/plKea + O1mu7HYQFAdHmCHNtaooHD1tIsrZbCT8SG1qDOif3q8hCDFdLh9QknljTAu/pi3r + OMR3opOxw+0ZOFKwaum4iBEG2bDLvDAF574r0HwLWrRvYFvPQLM/ZE9tB6KPBaD4 + iCm94HgUAPJsVSuuGXRpkkzixGVf3Ozt3CE4Sv3FFwtTBoCFGJxzAQVoYvjaXDjA + jZwFTfJoCMmXoq3tHoTEdTJdtvaoGXk2N8n7BZhwhj8jnOftFjhGUaJZggvC2qGT + 00IqROarjKpoErVvcVxkgPpFa4HLyhNRBdaU3ECet4dNslM+P4j/i1ojNn1BYfG+ + U5tXFyzp/vQd4MVVhLC+vyGLgQovwm1LXzghsXFHJYICaPewU0ad+qNZGozZjHrS + 4AHknsSb6QLyJKL6Pn5g/nvrfeEBZeDU4KHh3tHgYuKCnFxp4KTlOoLn0zq7FF7V + icU1zn8CpnjF7Y7ofwDhVdgUjnzdQRvgKuSsDnaoZig1t/y9Si1YaEsx4jXbVnjh + fREA + =rpBY + -----END PGP MESSAGE----- + fp: 4434EA5D05F10F59D0DF7399AF1D073646ED4927 + unencrypted_suffix: _unencrypted + version: 3.2.0 diff --git a/example/helm_vars/projectX/production/us-east-1/java-app/no-secret.yaml.dec b/example/helm_vars/projectX/production/us-east-1/java-app/no-secret.yaml.dec new file mode 100644 index 0000000..b33eb32 --- /dev/null +++ b/example/helm_vars/projectX/production/us-east-1/java-app/no-secret.yaml.dec 
@@ -0,0 +1,2 @@ +not: + a: "secret" \ No newline at end of file diff --git a/example/helm_vars/projectX/sandbox/us-east-1/java-app/another-secret.yml b/example/helm_vars/projectX/sandbox/us-east-1/java-app/another-secret.yml new file mode 100644 index 0000000..c005719 --- /dev/null +++ b/example/helm_vars/projectX/sandbox/us-east-1/java-app/another-secret.yml 
@@ -0,0 +1,31 @@ +secret_sandbox_projectx: ENC[AES256_GCM,data:KSZG/XTW6Wy6RPJ5zIQMTA==,iv:1CbKkKCtk9ze6wmwK6rvfiZcjM6KuCFGUnc6JjtbXR4=,tag:heTaPsUsr2BtkasZ1Zj+/g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + lastmodified: '2019-03-29T11:02:07Z' + mac: ENC[AES256_GCM,data:lGMVD/vMAQ1tC9nwhnskvDE+D9EDe6v/XfAu4MXZWLDaA4gpNgYCJTEvAihVoJIO4jxsbIlzvq35GDRu+mMQMRcxrBK584ZPLv8CXxFRCrfNHOpkKwY3GEQXsLBMq9zUtayYihijR72xyDKoOVpj+zEADwwRIK34/EWN7ht5d8Q=,iv:r2ObjVV9etc1qlv08C35b52kx42ZoVbJluVMA2h/iFk=,tag:WRN2uoL/J9frpaMNSVqUxg==,type:str] + pgp: + - created_at: '2019-03-29T11:02:07Z' + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMAxYpv4YXKfBAARAAUCaamEEJbGWhWCiIiOeWGaKJYzd/FkC5Qvvv3yFl4YKt + 6apRMA1/7u9nTEGzVnsH6CwgoU276Fj4oKjOiDuKdaTwEHC1gWZNT5EOll0Jh6ED + oQ2rAWexkk/A6hyGdn7tAh/7IAMQK5QIHI0Z+H88DPV8ZfbEC6NRlyepP/LUt92S + eVoH1aeUVyTEJVOwmvkKSkAEeQlP+iLJFOECyVO0T5NfnPj8E7OFvJ8Nv5kD1vec + wdYVfbRUIZwIySE6alduz2cjxuUBhpbLjMqIT25pL5uXoSzIrxKmvkVg1DInYYJ/ + 1radpOYIGJRJ1aMMfBYtNsL5rSRRjexiykgCm+ZG54SvUbnA8/KfsZLZiZqSxduD + k6YX8BAL6WzknJ0qjY3SxZ3tpu6FPBJH9U69z2sM0hFxXCBLOWfsQ3JXpQ+HKRUX + c4mlA3lBeOCLVefrJuhy1TjO9094yTEc/i+r9yG7xvLwzWlFSeFpf6ph0vvK+bYG + ITglOP9Ipy0T5cTzlKq3pCCLlBAUSRiVncHhspfnoFSSlTgN2kawbikpF1a7I/Qh + Mpe29nPBywq4LFzyOJrpOAD6n1HU+KQKp3qZCjhdxx8EawFlZqUF6j7qLkKTN1AQ + w43l9pfqS2FXVXuouLlqPcg/KjG+5lx+KFjb1l6cvpvtL0Jvr8YiJ64t75GLoPPS + 4AHkTeYCfXmj7nRhZWZCuGVaxOFlCeDv4CjhyKfgr+IOF56v4NzlwZRMyKuOnr6R + 0G8vX7H5t8XJPbUsgB99we6hRY911ZzgAORsusuyK6Aiv2+b58CnLXMp4huU1rTh + 9L4A + =eUDm + -----END PGP MESSAGE----- + fp: 4434EA5D05F10F59D0DF7399AF1D073646ED4927 + unencrypted_suffix: _unencrypted + version: 3.2.0 diff --git a/example/helm_vars/projectX/sandbox/us-east-1/java-app/no-secret.yaml.dec b/example/helm_vars/projectX/sandbox/us-east-1/java-app/no-secret.yaml.dec new file mode 100644 index 0000000..b33eb32 --- /dev/null +++ b/example/helm_vars/projectX/sandbox/us-east-1/java-app/no-secret.yaml.dec 
@@ -0,0 +1,2 @@ +not: + a: "secret" \ No newline at end of file diff --git a/example/helm_vars/projectY/production/us-east-1/java-app/another-secret.yml b/example/helm_vars/projectY/production/us-east-1/java-app/another-secret.yml new file mode 100644 index 0000000..7f0ce98 --- /dev/null +++ b/example/helm_vars/projectY/production/us-east-1/java-app/another-secret.yml 
@@ -0,0 +1,31 @@ +secret_production_projecty: ENC[AES256_GCM,data:0jcFuH/OjCjnXmaH6lM=,iv:i3KOj0uQPazU87Jb2T8RD7f3eUrKXOW9OsICuB4Rmco=,tag:VsrWeUmMiEgP/ZZvk7BrzQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + lastmodified: '2019-03-29T11:02:10Z' + mac: ENC[AES256_GCM,data:l8MS+OjSUrbaoIdlp7HxzPE3ApNyjxlK7ojuHdyjvBXXYUDuZ5gpLMtaeXxgjKNQaGtIeVOevpiENzOANkL7Hn+MtUJmmeTu7bx1hPQyxebGyLH/Y4DVAM8rY4mGZngTg4LYZcHuL3j9HBIUkf3WLSTqjYFMcbuDKqCCOPuyQf0=,iv:lSAmW9OPRoJeaNAtXFB7u/SPPIPfNJrIgUCD6yoBuR8=,tag:s2KAjECP055ZgDYBoagz5w==,type:str] + pgp: + - created_at: '2019-03-29T11:02:10Z' + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMAxzSiC7ZHNQZARAATDA+rolBbJrsHLGqgjGDjFANuSiqQOcSYKRF5kFCi1Yj + dhHbH5psqVJmdsLQzQDrO5Lrx1Sq8vSzlj5rOA1wMnWbE8M+BzZt4vkvwMw3FOgO + IMco/FZUlSUUKe3V2pvMhax9BieJMgFVDYxEB4KI0EeZhqbC/wwGrK+7X0zni7bE + jdRhIZ1Xtci6gf24/i5ttA0jc8pRKcFouVJdAz5g79AbcK3Nxph+LlrKNliwRjYc + zFs6vnwOR+fOCpCdK9aJY1zG02I1OitRjXKfQUzbsjIG/o4P5gwxuyTm87mWl9Ov + rt1vxXWX8EVSBgYfTPC6Oq+gESl47wECGJflun+hlxD06k/16/Pvk6CtQBYF65ss + mZb+YAXtck6cxMPuBVaD3L6zs3tvWMl+fdaJb5CAXQLPsXAoOuN9yXCbd9+T1rLo + Y6Kn9ZoxTEJk+zN8VAhBuE0aZ/ktmaVXwU98NimuOXTbVt+9noXfgbzRMi+kPui6 + SXg0IgSwOCSR/oRMk5gqgr3v2LKwMDw/2gdxxTTjCv4x/Mjaz4zmVIqTHM+oR0F/ + eER4EgVFFN2N5QxcMU3NgGaPgq067F+xOlb1VlXnvxANMEoE9Vcp+nD2aVtsEX+t + 5egy4xdJzhSIovWjxq4Y9QF0qRp52NYuOkDeadY/XavEjyTBLmp2AF0tpjwcPqbS + 4AHkyZ1LXa8ja6zN9lCl8gAPWOHDS+Bl4PnhCOrgOuJQ8tNI4FblAT5gFlx5vTIb + +AGwfNODVhnB6QJywpHozYV5hxAWYCfgDuQLEaOpis7ypp483Gv9UqwO4tELnnnh + ZQMA + =Pb7g + -----END PGP MESSAGE----- + fp: 40B6FAEC80FD467E3FE9421019F6A67BB1B8DDBE + unencrypted_suffix: _unencrypted + version: 3.2.0 diff --git a/example/helm_vars/projectY/production/us-east-1/java-app/no-secret.yaml.dec b/example/helm_vars/projectY/production/us-east-1/java-app/no-secret.yaml.dec new file mode 100644 index 0000000..b33eb32 --- /dev/null +++ b/example/helm_vars/projectY/production/us-east-1/java-app/no-secret.yaml.dec 
@@ -0,0 +1,2 @@ +not: + a: "secret" \ No newline at end of file diff --git a/example/helm_vars/projectY/sandbox/us-east-1/java-app/another-secret.yml b/example/helm_vars/projectY/sandbox/us-east-1/java-app/another-secret.yml new file mode 100644 index 0000000..9910f60 --- /dev/null +++ b/example/helm_vars/projectY/sandbox/us-east-1/java-app/another-secret.yml 
@@ -0,0 +1,31 @@ +secret_sandbox_projecty: ENC[AES256_GCM,data:AC3dznJbIJBZ7/r6kw2U,iv:uVeNY1dzRAvjyKqahhy2OrqI8sxWeLTqhOMdtVN3X30=,tag:qAImwVgVBnr4lwnS1Yu3iQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + lastmodified: '2019-03-29T11:02:09Z' + mac: ENC[AES256_GCM,data:aZIT/mClu2sx36vpRxzRRtlS3WM+2Qkb1mlhjhHjdrU1NqITFTPyBSemvilpxiF1bUdT5M8Y32dtRFoylsAnZ+w60DvaRynAOm2jL0PSzFq0iLo5W8oUWSPFmJv+/Ixc7SLtKpfjJO9qEt8ad0SipEHEFHc6gKpxMgMIDrbIeWc=,iv:0k7k++pPOFqDXNvOUYbt39MgkW0s2j5a7SnYcaK6WnA=,tag:hx7MixPps3ps7dThnJgcIw==,type:str] + pgp: + - created_at: '2019-03-29T11:02:09Z' + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMAxzSiC7ZHNQZARAACg4g710ru5aOFnrsOTnoUqvrdbGVTcfOqn7Pk25RmGyH + r6hS/zwdB9rbxGhWSiUFHXIpKFecJ6ste9/MuwdYtyvWC1On7ZtaOb0iGo4Oa8zu + EZBtB+yeQYvxfNMef6ibnf4H2IALVccyTJq406QDUSRIoAsrKLI5vKqzyEsrAKbS + q8TweMV7L0JySCZa9B+zyof1Y8kMjizu3ldQZiwDc63LhpUuxMkoki+2YIcB0Svx + Mm+/emXeLBfyBYjyOMUTStVh+J82Nm6nlCD1TgUgfJUwWKGKNzmRPQaUZCY2HSNf + PoW4cpw0xtfNCzQL84xL7Cgz9b+jqeMQcSeTvGS/viZaFgln84ISVQ8nz/64IxS7 + iRu6uYM92PpIqCZcuLgT3O2yL1e91+amr1UMViGLG4dOFspu8dBpUQYGgqr6wrtq + acBfiv8iihXZNLfAooCd1XGFE0b5XZ7C4e10PoAYjNg+cLtbRyh1rHhWPBX55BY8 + bFLKAJIV49hIZf7KUuaQcXi4+oBM/Gyc0ZzT147iZZdWnJ7NGz7Yn/WB7ITqWrUy + OLhRTqEn4hvKnpIlNBzlv0Z3TWhiJhw6tRZYGts3/FLEnFq646oAjbxNxcKlf3xK + ASkuJ1uNuFFZLbuTzLSrCOq/H28rBkUFP2xDQQ1eSYdAnkE0MXF+Twda8dSPdQ7S + 4AHkT7zdy5tUboxpmy9Kbs7E1+GzC+DG4MDhzmPgmOLdijXG4JzlxpCjUfI0icOx + BAL7hSieSssfq9NAW9waO0h4RZhznmHgjuQ4n27UVdWR6+iqD/TCQHq14nRsowLh + tOYA + =0z0k + -----END PGP MESSAGE----- + fp: 40B6FAEC80FD467E3FE9421019F6A67BB1B8DDBE + unencrypted_suffix: _unencrypted + version: 3.2.0 diff --git a/example/helm_vars/projectY/sandbox/us-east-1/java-app/no-secret.yaml.dec b/example/helm_vars/projectY/sandbox/us-east-1/java-app/no-secret.yaml.dec new file mode 100644 index 0000000..b33eb32 --- /dev/null +++ b/example/helm_vars/projectY/sandbox/us-east-1/java-app/no-secret.yaml.dec 
@@ -0,0 +1,2 @@ +not: + a: "secret" \ No newline at end of file diff --git a/secrets.sh b/secrets.sh index c128670..f5e500c 100755 --- a/secrets.sh +++ b/secrets.sh @@ -24,7 +24,7 @@ then else GNU_GETOPT=0 fi - + if [ "${GNU_GETOPT}" -ne 1 ]; then cat < "$yml" - echo "Encrypted $ymldec to $yml" + sops --encrypt --input-type yaml --output-type yaml "$ymldec" > "$yml" + echo "Encrypted $ymldec to $yml" fi } 
@@ -288,36 +321,36 @@ decrypt_helper() { if [[ ${BASH_VERSINFO[0]} -lt 4 || ${BASH_VERSINFO[0]} -eq 4 && ${BASH_VERSINFO[1]} -lt 3 ]] then - local __ymldec_var='' __dec_var='' - [[ $# -ge 2 ]] && __ymldec_var=$2 - [[ $# -ge 3 ]] && __dec_var=$3 - [[ $__dec_var ]] && eval $__dec_var=0 + local __ymldec_var='' __dec_var='' + [[ $# -ge 2 ]] && __ymldec_var=$2 + [[ $# -ge 3 ]] && __dec_var=$3 + [[ $__dec_var ]] && eval $__dec_var=0 else - [[ $# -ge 2 ]] && local -n __ymldec=$2 - [[ $# -ge 3 ]] && local -n __dec=$3 + [[ $# -ge 2 ]] && local -n __ymldec=$2 + [[ $# -ge 3 ]] && local -n __dec=$3 fi __dec=0 [[ -e "$yml" ]] || { echo "File does not exist: $yml"; exit 1; } - if [[ $(grep -C10000 'sops:' "$yml" | grep -c 'version:') -eq 0 ]] + if ! is_encrypted_secret "$yml" then - echo "Not encrypted: $yml" - __ymldec="$yml" + echo "Not encrypted: $yml" + __ymldec="$yml" else - __ymldec=$(sed -e "s/\\.y\(a\|\)ml$/${DEC_SUFFIX}/" <<<"$yml") - if [[ -e $__ymldec && $__ymldec -nt $yml ]] - then - echo "$__ymldec is newer than $yml" - else - sops --decrypt --input-type yaml --output-type yaml "$yml" > "$__ymldec" || { rm "$__ymldec"; exit 1; } - __dec=1 - fi + get_decrypted_filename "$yml" __ymldec + if [[ -e $__ymldec && $__ymldec -nt $yml ]] + then + echo "$__ymldec is newer than $yml" + else + sops --decrypt --input-type yaml --output-type yaml "$yml" > "$__ymldec" || { rm "$__ymldec"; exit 1; } + __dec=1 + fi fi if [[ ${BASH_VERSINFO[0]} -lt 4 || ${BASH_VERSINFO[0]} -eq 4 && ${BASH_VERSINFO[1]} -lt 3 ]] then - [[ $__ymldec_var ]] && eval $__ymldec_var="'$__ymldec'" - [[ $__dec_var ]] && eval $__dec_var="'$__dec'" + [[ $__ymldec_var ]] && eval $__ymldec_var="'$__ymldec'" + [[ $__dec_var ]] && eval $__dec_var="'$__dec'" fi true # just so that decrypt_helper will exit with a true status on no error } 
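Review bot: Nearly every changed line in this hunk is a re-indentation, which buries the two functional edits, `if ! is_encrypted_secret "$yml"` and `get_decrypted_filename "$yml" __ymldec`, in whitespace noise; putting the indent fix in its own commit (or reviewing with `git diff -w`) would make the behaviour change auditable. `get_decrypted_filename` is handed the name `__ymldec`, which on bash ≥ 4.3 is itself a `local -n` nameref to the caller's variable; if that helper also declares a nameref on its second argument this becomes a nameref chain, and a caller whose own variable is named `__ymldec` would hit bash's circular-reference error, so a comment or a test pinning the supported calling convention would help, as the helper is defined outside this hunk. On the pre-4.3 path `__ymldec` is never declared `local`, so the helper writes a global (pre-existing). The function's opening line is the hunk header, outside the hunk.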
@@ -367,13 +400,20 @@ edit() { } clean() { - if is_help "$1" + if is_help "$1" + then + clean_usage + return + fi + local basedir="$1" + + find "$basedir" -type f -name "*${DEC_SUFFIX}" -print0 | while read -d $'\0' ymldec + do + if is_decrypted_secret "$ymldec" then - clean_usage - return + rm -v $ymldec fi - local basedir="$1" - find "$basedir" -type f -name "*secret*${DEC_SUFFIX}" -exec rm -v {} \; + done } helm_wrapper() { @@ -414,7 +454,7 @@ options='$options' longoptions='$longoptions' EOF fi - + # parse command line local parsed # separate line, otherwise the return value of getopt is ignored # if parsing fails, getopt returns non-0, and the shell exits due to "set -e" @@ -429,7 +469,7 @@ EOF case "$1" in --) # skip --, and what remains are the cmd args - shift + shift break ;; -f|--values) @@ -439,8 +479,8 @@ EOF if [[ $yml =~ ^=.*$ ]]; then yml="${yml/=/}" fi - if [[ $yml =~ ^(.*/)?secrets(\.[^.]+)*\.yaml$ ]] - then + if is_encrypted_secret "$yml" + then decrypt_helper $yml ymldec decrypted cmdopts+=("$ymldec") [[ $decrypted -eq 1 ]] && decfiles+=("$ymldec") diff --git a/test.sh b/test.sh index de8223f..b0481af 100755 --- a/test.sh +++ b/test.sh @@ -62,7 +62,7 @@ ymldec=$(sed -e "s/\\.y\(a\|\)ml$/.yaml.dec/" <<<"$secret") if [ -f "${ymldec}" ]; then - + result_dec=$(cat < "${ymldec}" | grep -Ec "(40B6FAEC80FD467E3FE9421019F6A67BB1B8DDBE|4434EA5D05F10F59D0DF7399AF1D073646ED4927)") if [ "${result_dec}" -gt 0 ]; then @@ -82,7 +82,14 @@ then echo -e "${RED}[FAIL]${NOC} ${secret_dec} exist after cleanup" exit 1 else - echo -e "${GREEN}[OK]${NOC} Cleanup ${mode}" + echo "looking in $(dirname ${secret_dec})/no-secret.yaml.dec" + if [ ! -f "$(dirname ${secret_dec})/no-secret.yaml.dec" ]; + then + echo -e "${RED}[FAIL]${NOC} no-secret.yaml.dec has been deleted" + exit 1 + else + echo -e "${GREEN}[OK]${NOC} Cleanup ${mode}" + fi fi } 
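Review bot: The rewritten loop in `clean` reads NUL-delimited paths with `read -d $'\0' ymldec` but without `-r` and `IFS=`, and then runs `rm -v $ymldec` unquoted, so a path containing whitespace, a backslash or a glob character is mangled or word-split right at the deletion step, which throws away the safety `-print0` was meant to provide. Use `find "$basedir" -type f -name "*${DEC_SUFFIX}" -print0 | while IFS= read -r -d '' ymldec` and `rm -v -- "$ymldec"`. Gating deletion on `is_decrypted_secret` is a good tightening over the previous name-only match, given the `no-secret.yaml.dec` fixtures this patch adds must survive; that helper is defined outside this hunk.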
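Review bot: In helm_wrapper, replacing the filename regex `^(.*/)?secrets(\.[^.]+)*\.yaml$` with `is_encrypted_secret "$yml"` turns the `-f/--values` check from a purely lexical test into one that, by its name, has to open the file, so every values argument is now inspected; a value that is not a local readable file (helm accepts URLs for `-f`, and a missing path used to be passed through for helm's own error) now depends entirely on how that helper, defined outside this hunk, behaves. A comment such as `# is_encrypted_secret must return non-zero for missing files and URLs without aborting` plus a test for the missing-file case would pin that contract down. `decrypt_helper $yml ymldec decrypted` still passes `$yml` unquoted (pre-existing).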
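Review bot: In test_clean, `"$(dirname ${secret_dec})/no-secret.yaml.dec"` leaves `${secret_dec}` unquoted inside the command substitution; quote it as `"$(dirname "${secret_dec}")/no-secret.yaml.dec"`. The `echo "looking in …"` line is uncoloured debug output printed on every run; either drop it or give it the same prefix style as the other messages. The check hard-codes that a `no-secret.yaml.dec` fixture exists beside every secret under test, which this patch does add for each example directory, so a one-line comment in test_clean stating that requirement would keep future fixture directories from silently failing the suite.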
@@ -115,21 +122,22 @@ test_view "${secret}" echo -e "${YELLOW}+++${NOC} Decrypt" "${HELM_CMD}" secrets dec "${secret}" > /dev/null || exit 1 && \ test_decrypt "${secret}" && \ -cp "${secret_dec}" "${secret}" +cp "${secret_dec}" "${secret_dec}.bak" echo -e "${YELLOW}+++${NOC} Cleanup Test" "${HELM_CMD}" secrets clean "$(dirname ${secret})" > /dev/null || exit 1 mode="specified directory" test_clean "${secret}" "${mode}" && \ -cp "${secret}" "${secret_dec}" && \ +cp "${secret_dec}.bak" "${secret_dec}" && \ "${HELM_CMD}" secrets clean "${secret_dec}" > /dev/null || exit 1 mode="specified .dec file" test_clean "${secret}" "${secret_dec}" "${mode}" # && \ -# cp "${secret}" "${secret_dec}" && \ +# cp "${secret_dec}.bak" "${secret_dec}" && \ # "${HELM_CMD}" secrets clean "${secret_dec}" > /dev/null || exit 1 # mode="specified encrypted secret file" # test_clean "${secret}" "${mode}" # The functionality above doesn't work, it only works with .dec in filename +rm "${secret_dec}.bak" echo -e "${YELLOW}+++${NOC} Once again Encrypt and Test" "${HELM_CMD}" secrets enc "${secret}" > /dev/null || exit 1 && \
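Review bot: The new `.bak` copy of the decrypted secret is only removed by the unconditional `rm "${secret_dec}.bak"` on the success path; any `|| exit 1` between the `cp` and that `rm` leaves a plaintext `${secret_dec}.bak` beside the encrypted secret in the working tree, and it does not match the `*${DEC_SUFFIX}` pattern `secrets clean` looks for. Remove it from the existing `trap_error` EXIT handler as well, e.g. `rm -f -- "${secret_dec}.bak"`, or keep the backup in a `mktemp -d` directory that the trap deletes. `"$(dirname ${secret})"` on the clean call is still unquoted (pre-existing). test_helm_secrets starts outside this hunk.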