intellij-sops-plugin doesn't respect path_regex and encrypted_regex in config .sops.yaml #9

Closed
antonioua opened this issue Jul 6, 2023 · 5 comments


antonioua commented Jul 6, 2023

I've instructed sops not to encrypt metadata fields in my Kubernetes Secret with the following config .sops.yaml:

creation_rules:
- path_regex: ".*-secret.yaml|.*-secret.patch.yaml"
  encrypted_regex: ^(data|stringData)$
  azure_keyvault: https://xxx
- path_regex: ""
  azure_keyvault: https://xxx

But as a result I get both metadata and data encrypted in my Secret datasource-secret.enc.yaml:

apiVersion: ENC[AES256_GCM,data:EUE=,iv:HTIqw0lOoUzwxMR5t7PihyP3wqBw4jkLjOUdX0Qq/Ms=,tag:wUfy5isnV1CYCDek5UEnHA==,type:str]
kind: ENC[AES256_GCM,data:zzYYjAkj,iv:SWmwGdqwAfo/9yBrBLkvPt12zoVhYlBjJoBbyVg9F1E=,tag:X9o9byzQ2vUJh7hnEtuYVw==,type:str]
metadata:
    name: ENC[AES256_GCM,data:YDi1NH/10KjCqdeNxe8b19L3Jw==,iv:F2JTPS1xDJiWt9S1ZA4sK3sQ9GIlaZJ0CMx7uf+kGUs=,tag:VW2WOvQNf9pBE1hSeqq7+A==,type:str]
    labels:
        grafana_datasource: ENC[AES256_GCM,data:hQ==,iv:qfZL9xZehxFtAAPZdyAnXgssq8YJgPTi4K5lj/IqFyM=,tag:FpsgH9j9LZr8zezWrOWScQ==,type:str]
type: ENC[AES256_GCM,data:Ke1N21eD,iv:R72nJnkhhJrfh9pMWhTKaOhhGD8k8HtX4ww2wuwWycU=,tag:EZ5KBhnc1RfG7xa2VEooog==,type:str]
stringData:
    datasource.yaml: ENC[XXX]

When running the original sops binary, it works as expected and metadata is not encrypted:

sops -e datasource-secret.yaml > datasource-secret.enc.yaml
apiVersion: v1
kind: Secret
metadata:
    name: grafana-datasources
    labels:
        grafana_datasource: "1"
type: Opaque
stringData:
    datasource.yaml: ENC[XXX]

antonioua changed the title from "intellij-sops-plugin doesn't respect path_regex and encrypted_regex in .sops.yaml" to "intellij-sops-plugin doesn't respect path_regex and encrypted_regex in config .sops.yaml" Jul 6, 2023

Owner

DaPutzy commented Jul 6, 2023

That's odd, we do the same thing and I am sure I thought of that 🤔

I will look into that!

DaPutzy commented Jul 6, 2023

Indeed: Because of this issue I implemented this:

public void encrypt(final Project project, final VirtualFile file, ...) {
	final GeneralCommandLine command = new GeneralCommandLine(...);
	command.setWorkDirectory(file.getParent().getPath());

...

}

to make sure my CWD is the same one the file is located in❓❓❓

DaPutzy commented Jul 6, 2023

Is your file actually called datasource-secret.enc.yaml? Because then your regex won't match?

I just tested this in our repository and it works as expected 🤔

Author

antonioua commented Jul 6, 2023

You're right @DaPutzy, that's because my regexp doesn't match, I need to modify it.
It works for the case when I do encryption with command-line sops and this confused me.

DaPutzy commented Jul 10, 2023

I will close this issue, if anything changes feel free to open it again :)

@DaPutzy DaPutzy closed this as completed Jul 10, 2023
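
The rule fall-through identified in this thread, as an added example (not code from sops or from the plugin): a small Python check that runs the two file names from the issue against the creation rules and reports which rule is selected and which top-level keys end up encrypted. It assumes first-match-wins rule selection and unanchored regex matching, models encrypted_regex on top-level keys only, and the function names are hypothetical.

```python
import re

# Creation rules copied from the .sops.yaml in the issue (key settings omitted).
CREATION_RULES = [
    {"path_regex": r".*-secret.yaml|.*-secret.patch.yaml",
     "encrypted_regex": r"^(data|stringData)$"},
    {"path_regex": ""},  # catch-all rule, no encrypted_regex
]
# Top-level keys of the Secret shown in the issue.
SECRET_KEYS = ["apiVersion", "kind", "metadata", "type", "stringData"]


def select_rule(path, rules=CREATION_RULES):
    """Return (index, rule) for the first rule whose path_regex matches path.
    Assumption: first match wins, unanchored search; empty regex matches all."""
    for index, rule in enumerate(rules):
        if re.search(rule.get("path_regex", ""), path):
            return index, rule
    return None, None


def encrypted_keys(path, keys=SECRET_KEYS, rules=CREATION_RULES):
    """List the top-level keys whose values would be encrypted for path."""
    _, rule = select_rule(path, rules)
    if rule is None:
        return []  # no rule applies to this path
    pattern = rule.get("encrypted_regex")
    if pattern is None:
        return list(keys)  # no filter on the rule: every value is encrypted
    return [key for key in keys if re.search(pattern, key)]


def audit(paths, rules=CREATION_RULES):
    """Report the selected rule per path and flag rules lacking encrypted_regex."""
    report = {}
    for path in paths:
        index, rule = select_rule(path, rules)
        report[path] = {
            "rule": index,
            "fallthrough": rule is not None and "encrypted_regex" not in rule,
            "encrypted": encrypted_keys(path, rules=rules),
        }
    return report


if __name__ == "__main__":
    for name, result in audit(["datasource-secret.yaml", "datasource-secret.enc.yaml"]).items():
        print(name, result)
```

A path flagged with "fallthrough" was picked up by the catch-all rule, which matches the fully encrypted output shown in the first comment.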