fix: Error on custom protocol value files which are not resolving into yaml files (#355)

Author: jkroepke

.github/workflows/ci.yaml

@@ -72,10 +72,6 @@ jobs:
           - os: macos-latest
             shell: bash 3.2 with coreutils
             jobs: 4
-          - os: ubuntu-latest
-            container: ubuntu:22.04
-            shell: bash 5.1
-            jobs: 4
           - os: ubuntu-latest
             container: centos:7
             shell: bash 4.2

CHANGELOG.md

@@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+### Fixed
+- Error on custom protocol value files which are not resolving into yaml files
+
 ## [4.4.1] - 2023-03-06
 
 ### Fixed

scripts/commands/helm.sh

@@ -24,19 +24,19 @@ Typical usage:
 EOF
 }
 
-decrypted_files=$(_mktemp)
+decrypted_file_list=$(_mktemp)
 
 _trap_hook() {
-    if [ -s "${decrypted_files}" ]; then
+    if [ -s "${decrypted_file_list}" ]; then
         if [ "${QUIET}" = "false" ]; then
             echo >&2
             # shellcheck disable=SC2016
-            xargs -0 -n1 sh -c 'rm "$1" && printf "[helm-secrets] Removed: %s\n" "$1"' sh >&2 <"${decrypted_files}"
+            xargs -0 -n1 sh -c 'rm "$1" && printf "[helm-secrets] Removed: %s\n" "$1"' sh >&2 <"${decrypted_file_list}"
         else
-            xargs -0 rm >&2 <"${decrypted_files}"
+            xargs -0 rm >&2 <"${decrypted_file_list}"
         fi
 
-        rm "${decrypted_files}"
+        rm "${decrypted_file_list}"
     fi
 }
 
@@ -70,6 +70,8 @@ helm_wrapper() {
 '
 
             for literal in $(printf '%s' "${literals}" | sed -E 's/([^\\]),/\1\n/g'); do
+                unset IFS
+
                 opt_prefix="${literal%%=*}="
                 literal="${literal#*=}"
 
@@ -96,83 +98,98 @@ helm_wrapper() {
                 fi
             done
 
-            unset IFS
-
             set -- "$@" "${decrypted_literals%*,}"
             ;;
         -f | --values | --values=?* | --set-file | --set-file=?*)
             _1="${1}"
 
             case "${_1}" in
             --values=* | --set-file=*)
-                file="${_1#*=}"
+                files="${_1#*=}"
 
                 set -- "$@" "${_1%%=*}"
                 ;;
             *)
-                file="${2}"
+                files="${2}"
 
                 set -- "$@" "$1"
                 shift
                 j=$((j + 1))
                 ;;
             esac
 
-            case "$_1" in
-            -f | --values | --values=?*)
-                double_escape_need=0
-                sops_type="yaml"
-                opt_prefix=""
-                ;;
-            --set-file | --set-file=?*)
-                double_escape_need=1
-                sops_type="auto"
-                opt_prefix="${file%%=*}="
-                file="${file#*=}"
-                ;;
-            esac
+            decrypted_files=""
 
-            # Ignore error on files beginning with ?
-            if [ "${file##\?}" != "${file}" ]; then
-                file="${file##\?}"
-                IGNORE_MISSING_VALUES=true
-            fi
+            IFS='
+'
 
-            # Force secret backend
-            if [ "${file#*!}" != "${file}" ]; then
-                load_secret_backend "${file%%\!*}"
-                file="${file#*!}"
-            else
-                load_secret_backend "${DEFAULT_SECRET_BACKEND}"
-            fi
+            for file in $(printf '%s' "${files}" | sed -E 's/([^\\]),/\1\n/g'); do
+                unset IFS
+
+                case "$_1" in
+                -f | --values | --values=?*)
+                    double_escape_need=0
+                    sops_type="yaml"
+                    opt_prefix=""
+                    ;;
+                --set-file | --set-file=?*)
+                    double_escape_need=1
+                    sops_type="auto"
+                    opt_prefix="${file%%=*}="
+                    file="${file#*=}"
+                    ;;
+                esac
+
+                # Ignore error on files beginning with ?
+                if [ "${file##\?}" != "${file}" ]; then
+                    file="${file##\?}"
+                    IGNORE_MISSING_VALUES=true
+                fi
 
-            if ! real_file=$(_file_get "${file}"); then
-                if [ "${IGNORE_MISSING_VALUES}" = "true" ]; then
-                    real_file="$(_mktemp)"
+                # Force secret backend
+                if [ "${file#*!}" != "${file}" ]; then
+                    if is_secret_backend "${file%%\!*}"; then
+                        load_secret_backend "${file%%\!*}"
+                        file="${file#*!}"
+                    else
+                        load_secret_backend "${DEFAULT_SECRET_BACKEND}"
+                    fi
                 else
-                    fatal 'File does not exist: %s' "${file}"
+                    load_secret_backend "${DEFAULT_SECRET_BACKEND}"
                 fi
-            fi
 
-            file_dec="$(_file_dec_name "${real_file}")"
-            if [ -f "${file_dec}" ]; then
-                set -- "$@" "${opt_prefix}$(_helm_winpath "${file_dec}" "${double_escape_need}")"
-
-                if [ "${QUIET}" = "false" ]; then
-                    log 'Decrypt skipped: %s' "${file}"
+                if ! real_file=$(_file_get "${file}"); then
+                    if [ "${IGNORE_MISSING_VALUES}" = "true" ]; then
+                        real_file="$(_mktemp)"
+                    else
+                        fatal 'File does not exist: %s' "${file}"
+                    fi
                 fi
-            else
-                if decrypt_helper "${real_file}" "${sops_type}"; then
-                    set -- "$@" "${opt_prefix}$(_helm_winpath "${file_dec}" "${double_escape_need}")"
-                    printf '%s\0' "${file_dec}" >>"${decrypted_files}"
+
+                file_dec="$(_file_dec_name "${real_file}")"
+                if [ -f "${file_dec}" ]; then
+                    decrypted_files="${decrypted_files}${opt_prefix}$(_helm_winpath "${file_dec}" "${double_escape_need}"),"
 
                     if [ "${QUIET}" = "false" ]; then
-                        log 'Decrypt: %s' "${file}"
+                        log 'Decrypt skipped: %s' "${file}"
                     fi
                 else
-                    set -- "$@" "${opt_prefix}$(_helm_winpath "${real_file}" "${double_escape_need}")"
+                    if decrypt_helper "${real_file}" "${sops_type}"; then
+                        printf '%s\0' "${file_dec}" >>"${decrypted_file_list}"
+
+                        if [ "${QUIET}" = "false" ]; then
+                            log 'Decrypt: %s' "${file}"
+                        fi
+
+                        decrypted_files="${decrypted_files}${opt_prefix}$(_helm_winpath "${file_dec}" "${double_escape_need}"),"
+                    else
+                        decrypted_files="${decrypted_files}${opt_prefix}$(_helm_winpath "${real_file}" "${double_escape_need}"),"
+                    fi
                 fi
-            fi
+            done
+
+            set -- "$@" "${decrypted_files%*,}"
+
             ;;
         *)
             if [ -d "$1" ] || [ -f "$1" ]; then

scripts/lib/common.sh

@@ -97,7 +97,7 @@ _winpath() { printf '%s' "${1}"; }
 _helm_winpath() { printf '%s' "${1}"; }
 
 case "$(uname -s)" in
-CYGWIN*)
+CYGWIN* | MINGW64_NT*)
     on_cygwin() { true; }
     _winpath() {
         if [ "${2:-0}" = "1" ]; then

scripts/lib/file/custom.sh

@@ -9,12 +9,15 @@ _file_custom_exists() {
 _file_custom_get() {
     _tmp_file=$(_mktemp)
     GETTER_CHART_PATH="$(_helm_winpath "${SCRIPT_DIR}/lib/file/helm-values-getter")"
-    VALUES="$(_helm_winpath "${1}")"
 
-    if ! "${HELM_BIN}" template "${GETTER_CHART_PATH}" --set-file "content=${VALUES}" >"${_tmp_file}"; then
-        exit 1
+    if ! CONTENT="$(env -u HELM_DEBUG "${HELM_BIN}" template "${GETTER_CHART_PATH}" --set-file "content=${1}")"; then
+        fatal "helm template command errored on value '%s'" "${1}"
+    fi
+
+    # shellcheck disable=SC2016
+    if ! printf '%s' "${CONTENT}" | sed -e '1,3d' -e 's/^  //g' >"${_tmp_file}"; then
+        fatal "sed command errored on value '%s'" "${1}"
     fi
 
-    _sed_i '/^# Source: /d' "${_tmp_file}"
     printf '%s' "${_tmp_file}"
 }

scripts/lib/file/helm-values-getter/templates/values.yaml

@@ -1 +1,3 @@
-{{- .Values.content }}
+---
+content: |
+  {{- .Values.content | nindent 2 -}}

tests/it/diff.bats

@@ -186,18 +186,18 @@ load '../bats/extensions/bats-file/load'
 }
 
 @test "diff: helm diff upgrade w/ chart + secrets.yaml + special path" {
-    FILE="!${SPECIAL_CHAR_DIR}/assets/values/${HELM_SECRETS_BACKEND}/secrets.yaml"
+    FILE="${SPECIAL_CHAR_DIR}/assets/values/${HELM_SECRETS_BACKEND}/secrets.yaml"
     SEED="${RANDOM}"
     RELEASE="diff-$(date +%s)-${SEED}"
 
     create_chart "${SPECIAL_CHAR_DIR}"
 
     run "${HELM_BIN}" secrets diff upgrade --no-color --allow-unreleased "${RELEASE}" "${SPECIAL_CHAR_DIR}/chart" -f "${FILE}" 2>&1
     assert_success
-    assert_output --partial "[helm-secrets] Decrypt: ${FILE##\!}"
+    assert_output --partial "[helm-secrets] Decrypt: ${FILE}"
     assert_output --partial "port: 81"
-    assert_output --partial "[helm-secrets] Removed: ${FILE##\!}.dec"
-    assert_file_not_exists "${FILE##\!}.dec"
+    assert_output --partial "[helm-secrets] Removed: ${FILE}.dec"
+    assert_file_not_exists "${FILE}.dec"
 }
 
 @test "diff: helm diff upgrade w/ chart + invalid yaml" {

tests/it/install.bats

@@ -218,15 +218,15 @@ load '../bats/extensions/bats-file/load'
 }
 
 @test "install: helm install w/ chart + secrets.yaml + special path" {
-    FILE="!${SPECIAL_CHAR_DIR}/assets/values/${HELM_SECRETS_BACKEND}/secrets.yaml"
+    FILE="${SPECIAL_CHAR_DIR}/assets/values/${HELM_SECRETS_BACKEND}/secrets.yaml"
     SEED="${RANDOM}"
     RELEASE="install-$(date +%s)-${SEED}"
     create_chart "${SPECIAL_CHAR_DIR}"
 
     run "${HELM_BIN}" secrets install "${RELEASE}" "${SPECIAL_CHAR_DIR}/chart" --no-hooks -f "${FILE}" 2>&1
-    assert_output --partial "[helm-secrets] Decrypt: ${FILE##\!}"
+    assert_output --partial "[helm-secrets] Decrypt: ${FILE}"
     assert_output --partial "STATUS: deployed"
-    assert_output --partial "[helm-secrets] Removed: ${FILE##\!}.dec"
+    assert_output --partial "[helm-secrets] Removed: ${FILE}.dec"
     assert_file_not_exists "${FILE}.dec"
     assert_success
 

tests/it/upgrade.bats

@@ -218,17 +218,17 @@ load '../bats/extensions/bats-file/load'
 }
 
 @test "upgrade: helm upgrade w/ chart + secrets.yaml + special path" {
-    FILE="!${SPECIAL_CHAR_DIR}/assets/values/${HELM_SECRETS_BACKEND}/secrets.yaml"
+    FILE="${SPECIAL_CHAR_DIR}/assets/values/${HELM_SECRETS_BACKEND}/secrets.yaml"
     SEED="${RANDOM}"
     RELEASE="upgrade-$(date +%s)-${SEED}"
     create_chart "${SPECIAL_CHAR_DIR}"
 
     run "${HELM_BIN}" secrets upgrade -i "${RELEASE}" "${SPECIAL_CHAR_DIR}/chart" --no-hooks -f "${FILE}" 2>&1
     assert_success
-    assert_output --partial "[helm-secrets] Decrypt: ${FILE##\!}"
+    assert_output --partial "[helm-secrets] Decrypt: ${FILE}"
     assert_output --partial "STATUS: deployed"
-    assert_output --partial "[helm-secrets] Removed: ${FILE##\!}.dec"
-    assert_file_not_exists "${FILE##\!}.dec"
+    assert_output --partial "[helm-secrets] Removed: ${FILE}.dec"
+    assert_file_not_exists "${FILE}.dec"
 
     run kubectl get svc -o yaml -l "app.kubernetes.io/name=${HELM_SECRETS_BACKEND},app.kubernetes.io/instance=${RELEASE}"
     assert_success

tests/unit/lint.bats

@@ -238,7 +238,7 @@ load '../bats/extensions/bats-file/load'
     fi
 
     VALUES="assets/values/${HELM_SECRETS_BACKEND}/secrets.yaml"
-    VALUES_PATH="!${SPECIAL_CHAR_DIR}/${VALUES}"
+    VALUES_PATH="${SPECIAL_CHAR_DIR}/${VALUES}"
 
     create_chart "${SPECIAL_CHAR_DIR}"