Initial commit of SOPS encryption logic#181
Merged
rhs merged 2 commits into datawire:master, Jun 22, 2018
Conversation
Contributor
This looks really cool. I'm gonna set this up and play with it a bit next week. Regarding the added dependency, I don't think it's a problem to have an optional dependency on the sops binary. I'd say just try to have a friendly/useful error message so if it's not present you get clear instructions on how to acquire it rather than a scary stack trace. ;-) |
Author
Sounds great! Currently, I just check if the master key is available as an environment variable that SOPS requires and tell the user to set the variable if it doesn’t find it. I could add to that text and let the user know what to do if they haven’t installed SOPS.
On Apr 29, 2018, at 5:23 AM, Rafael Schloming wrote:
> This looks really cool. I'm gonna set this up and play with it a bit next week.
> Regarding the added dependency, I don't think it's a problem to have an optional dependency on the sops binary. I'd say just try to have a friendly/useful error message so if it's not present you get clear instructions on how to acquire it rather than a scary stack trace. ;-)
Summary:
I have added the ability to use the forge CLI to view and edit SOPS encrypted secret files in cleartext. In addition, upon forge deploy, if there are any files that end in '-enc.yaml' in the 'k8s' directory it will attempt to decrypt the files, base64 encode the secret values, and use them for deployment. SOPS is a dependency, so perhaps using the python SOPS library is another option, although it is no longer accepting improvements. Let me know if you have any suggestions or changes or if there are any issues.
Note: When deploying, the encrypted files will not be modified, which is ideal if you are using version control to track your SOPS encrypted secret files
Requirements:
First, install SOPS: https://github.com/mozilla/sops
You will also need to create or get the SOPS Master Key using AWS KMS, then:
$ export SOPS_KMS_ARN="your-master-key"
Verify your AWS credentials are in ~/.aws/credentials:
Usage:
In addition to normal forge usage, you can:
Edit a SOPS encrypted file in cleartext
forge edit <path-to-sops-encrypted-file>
Note: If you do not make any changes the encryption/decryption will not affect the file, which is great if you are using version control to track
View a SOPS encrypted file in cleartext
forge view <path-to-sops-encrypted-file>
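The deploy-time flow the Summary describes (find every '-enc.yaml' under 'k8s', decrypt in memory, base64 encode the secret values, leave the encrypted file untouched), together with the friendly pre-flight check discussed in the comments above, as an added Python example. This is not forge's code or the code in this PR. It assumes, beyond what the PR states, that the sops CLI is invoked as `sops --decrypt --output-type json <file>` so its output parses without a YAML library, and that the cleartext manifest is a Kubernetes Secret whose `data` values are plain strings; `build_sample_k8s_dir` and `read_cleartext` are constructed stand-ins so the flow runs without sops or KMS.

```python
"""Added example (not forge's own code): the deploy-time flow the PR describes,
with the pre-flight check that reports setup problems instead of a stack trace.

Assumptions not stated in the PR: sops is invoked with `--output-type json`
so its output parses without a YAML library; the cleartext manifest is a
Kubernetes Secret whose `data` values are plain strings needing base64.
"""
import base64
import json
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

ENC_SUFFIX = "-enc.yaml"
INSTALL_URL = "https://github.com/mozilla/sops"


class SopsSetupError(RuntimeError):
    """Raised with instructions for the user instead of a stack trace."""


def check_sops_setup(env=None, which=shutil.which, home=None):
    """Return a list of human-readable problems; an empty list means ready."""
    env = os.environ if env is None else env
    home = Path.home() if home is None else Path(home)
    problems = []
    if which("sops") is None:
        problems.append(f"The 'sops' binary is not on PATH. Install it from {INSTALL_URL}.")
    if not env.get("SOPS_KMS_ARN"):
        problems.append('SOPS_KMS_ARN is not set. Run: export SOPS_KMS_ARN="your-master-key"')
    if not (home / ".aws" / "credentials").exists() and not env.get("AWS_ACCESS_KEY_ID"):
        problems.append("No AWS credentials found in ~/.aws/credentials (needed for KMS).")
    return problems


def find_encrypted_files(k8s_dir):
    """Every file in the k8s directory that the PR treats as SOPS-encrypted."""
    return sorted(Path(k8s_dir).glob(f"*{ENC_SUFFIX}"))


def decrypt_with_sops(path):
    """Decrypt in memory via the sops CLI; the encrypted file on disk is never rewritten."""
    problems = check_sops_setup()
    if problems:
        raise SopsSetupError("\n".join(problems))
    proc = subprocess.run(
        ["sops", "--decrypt", "--output-type", "json", str(path)],  # assumed CLI form
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)


def encode_secret_values(manifest):
    """Base64-encode each value under `data`, as Kubernetes requires for a Secret."""
    if manifest.get("kind") != "Secret":
        return manifest
    encoded = dict(manifest)
    encoded["data"] = {
        key: base64.b64encode(str(value).encode("utf-8")).decode("ascii")
        for key, value in (manifest.get("data") or {}).items()
    }
    return encoded


def prepare_deployment(k8s_dir, decrypt=decrypt_with_sops):
    """Map each *-enc.yaml file name to its decrypted, base64-encoded manifest."""
    return {p.name: encode_secret_values(decrypt(p)) for p in find_encrypted_files(k8s_dir)}


def build_sample_k8s_dir():
    """Constructed sample directory; the JSON body stands in for sops output (JSON is valid YAML)."""
    k8s = Path(tempfile.mkdtemp()) / "k8s"
    k8s.mkdir()
    secret = {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "db"},
              "data": {"password": "hunter2", "user": "app"}}
    (k8s / "db-enc.yaml").write_text(json.dumps(secret))
    (k8s / "deployment.yaml").write_text("kind: Deployment\n")  # not encrypted, must be ignored
    return k8s


def read_cleartext(path):
    """Stand-in decrypter for the constructed sample, so the flow runs without sops or KMS."""
    return json.loads(Path(path).read_text())


if __name__ == "__main__":
    sample = build_sample_k8s_dir()
    print(json.dumps(prepare_deployment(sample, decrypt=read_cleartext), indent=2))
```

Against a real checkout, `prepare_deployment("k8s")` uses `decrypt_with_sops`, which runs the pre-flight check first so a missing binary, unset `SOPS_KMS_ARN` or absent AWS credentials surfaces as one readable `SopsSetupError` rather than a traceback; the encrypted files are only read, so the version-controlled ciphertext stays unchanged.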