feat: update helm secrets (#1839)

Co-authored-by: jeho <[email protected]>

Author: CasLubbers

Dockerfile

@@ -1,4 +1,4 @@
-FROM linode/apl-tools:v2.8.5 AS ci
+FROM linode/apl-tools:v2.8.6 AS ci
 
 ENV APP_HOME=/home/app/stack
 
@@ -26,7 +26,7 @@ FROM ci AS clean
 # below command removes the packages specified in devDependencies and set NODE_ENV to production
 RUN npm prune --production
 
-FROM linode/apl-tools:v2.8.5  AS prod
+FROM linode/apl-tools:v2.8.6  AS prod
 ENV APP_HOME=/home/app/stack
 ENV ENV_DIR=/home/app/stack/env
 ENV VERBOSITY='0'

bin/common.sh

@@ -202,7 +202,7 @@ function crypt() {
         [ -n "$VERBOSE" ] && echo "Found timestamp diff in seconds: $sec_diff"
       fi
       if [ ! -f $file.dec ] || [ $sec_diff -gt 1 ]; then
-        helm secrets enc $file >$out
+        helm secrets encrypt -i $file >$out
         ts=$(stat -c %Y $file)
         chek_ts=$(expr $ts + 1)
         touch -d @$chek_ts $file.dec
@@ -211,7 +211,7 @@ function crypt() {
         [ -n "$VERBOSE" ] && echo "Skipping encryption for $file as it is not changed."
       fi
     else
-      if helm secrets dec $file >$out; then
+      if helm secrets decrypt "$file" > "${file}.dec"; then
         # we correct timestamp of decrypted file to match source file,
         # in order to detect changes for conditional encryption
         [ -n "$VERBOSE" ] && echo "Setting timestamp of decrypted file to that of source file."

charts/raw/README.md

@@ -119,7 +119,7 @@ mysecret: abc123
 ```
 
 ```
-$ helm secrets enc secrets.yaml
+$ helm secrets encrypt secrets.yaml
 ```
 
 #### STEP 2: Install your templated resources.

src/common/crypt.ts

@@ -15,8 +15,8 @@ export interface Arguments extends BasicArguments {
 EventEmitter.defaultMaxListeners = 20
 
 enum CryptType {
-  ENCRYPT = 'helm secrets enc',
-  DECRYPT = 'helm secrets dec',
+  ENCRYPT = 'helm secrets -q encrypt -i',
+  DECRYPT = 'helm secrets decrypt',
   ROTATE = 'sops --input-type=yaml --output-type=yaml -i -r',
 }
 
@@ -60,11 +60,27 @@ const processFileChunk = async (crypt: CR, files: string[]): Promise<(ProcessOut
   const commands = files.map(async (file) => {
     if (!crypt.condition || (await crypt.condition(file))) {
       d.debug(`${crypt.cmd} ${file}`)
-      const result = $`${crypt.cmd.split(' ')} ${file}`
-      return result.then(async (res) => {
-        if (crypt.post) await crypt.post(file)
-        return res
-      })
+      const result = $`${crypt.cmd.split(' ')} ${file}`.quiet()
+      return result
+        .then(async (res) => {
+          if (crypt.cmd === CryptType.DECRYPT) {
+            const outputFile = `${file}.dec`
+            await $`echo ${res.stdout} > ${outputFile}`
+          }
+          if (crypt.post) await crypt.post(file)
+          return res
+        })
+        .catch(async (error) => {
+          if (error.message.includes('Already encrypted')) {
+            const res = await $`helm secrets encrypt ${file}.dec`
+            await $`echo ${res.stdout} > ${file}`
+            if (crypt.post) await crypt.post(file)
+            return res
+          } else {
+            d.error(error)
+            throw error
+          }
+        })
     }
     return undefined
   })
@@ -172,8 +188,8 @@ export const encrypt = async (path = env.ENV_DIR, ...files: string[]): Promise<v
 
         const encTS = await stat(absFilePath)
         const decTS = await stat(`${absFilePath}.dec`)
-        d.debug('encTS.mtime: ', encTS.mtime)
-        d.debug('decTS.mtime: ', decTS.mtime)
+        d.debug(`${file} encTS.mtime: `, encTS.mtime)
+        d.debug(`${file} decTS.mtime: `, decTS.mtime)
         const timeDiff = Math.round((decTS.mtimeMs - encTS.mtimeMs) / 1000)
         if (timeDiff > 1) {
           d.info(`Encrypting ${file}, time difference was ${timeDiff} seconds`)

tests/bootstrap/input.yaml

@@ -5,6 +5,9 @@ cluster:
   domainSuffix: local.host
 otomi:
   version: 'main'
+kms:
+  sops:
+    provider: age
 apps:
   metrics-server:
     enabled: false

tools/Dockerfile

@@ -10,7 +10,7 @@ ARG HELM_VERSION=3.16.2
 # https://github.com/databus23/helm-diff/releases
 ARG HELM_DIFF_VERSION=3.9.11
 # https://github.com/jkroepke/helm-secrets/releases
-ARG HELM_SECRETS_VERSION=3.15.0
+ARG HELM_SECRETS_VERSION=4.6.2
 # https://github.com/mozilla/sops/releases
 ARG SOPS_VERSION=3.9.1
 # https://github.com/FiloSottile/age/releases