
Initial commit of SOPS encryption logic #181

merged 2 commits into from Jun 22, 2018


@aj0415 aj0415 commented Apr 25, 2018

I have added the ability to use the forge CLI to view and edit SOPS encrypted secret files in cleartext. In addition, upon forge deploy, if there are any files that end in '-enc.yaml' in the 'k8s' directory it will attempt to decrypt the files, base64 encode the secret values, and use them for deployment. SOPS is a dependency, so perhaps using the python SOPS library is another option, although it is no longer accepting improvements.

Let me know if you have any suggestions or changes or if there are any issues.

Note: When deploying, the encrypted files will not be modified, which is ideal if you are using version control to track your SOPS encrypted secret files.

First, install SOPS:

You will also need to create or get the SOPS Master Key using AWS KMS, then:

$ export SOPS_KMS_ARN="your-master-key"

Verify your AWS credentials are in ~/.aws/credentials:

$ cat ~/.aws/credentials
aws_access_key_id = AKI.....
aws_secret_access_key = mw......

In addition to normal forge usage, you can:

Edit a SOPS encrypted file in cleartext:

    forge edit <path-to-sops-encrypted-file>

Note: If you do not make any changes, the encryption/decryption will not affect the file, which is great if you are using version control to track.

View a SOPS encrypted file in cleartext:

    forge view <path-to-sops-encrypted-file>

@aj0415 aj0415 force-pushed the aj0415:master branch from 603bdc8 to a7da708 Apr 27, 2018

@rhs rhs commented Apr 29, 2018

This looks really cool. I'm gonna set this up and play with it a bit next week.

Regarding the added dependency, I don't think it's a problem to have an optional dependency on the sops binary. I'd say just try to have a friendly/useful error message so if it's not present you get clear instructions on how to acquire it rather than a scary stack trace. ;-)
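To make the deploy-time flow described in the PR description concrete, and to show the kind of friendly missing-binary error suggested in the comment above, here is a small added example (not the forge project's own code). It assumes a `sops` binary that accepts `--decrypt --output-type json`, so the decrypted manifest can be parsed with the standard library; the directory name `k8s`, the `-enc.yaml` suffix and the sample manifest are taken from or constructed to match the description.

```python
import base64
import json
import os
import shutil
import subprocess


class MissingSopsError(RuntimeError):
    """Raised instead of a stack trace when the sops binary is not on PATH."""


# Hypothetical install hint; the URL is the upstream release page, the rest is constructed.
SOPS_INSTALL_HINT = (
    "The 'sops' binary is required to decrypt *-enc.yaml files but was not found on PATH.\n"
    "Install it from https://github.com/mozilla/sops/releases, then set SOPS_KMS_ARN\n"
    "and make sure your AWS credentials are in ~/.aws/credentials."
)


def is_encrypted_manifest(filename):
    """Only files ending in '-enc.yaml' are treated as SOPS-encrypted secrets."""
    return filename.endswith("-enc.yaml")


def find_encrypted_manifests(k8s_dir):
    """Return the sorted paths of '-enc.yaml' files in k8s_dir (empty if it is absent)."""
    if not os.path.isdir(k8s_dir):
        return []
    return sorted(
        os.path.join(k8s_dir, name)
        for name in os.listdir(k8s_dir)
        if is_encrypted_manifest(name)
    )


def require_sops(sops_bin="sops"):
    """Resolve the sops binary on PATH or raise a clear, actionable error."""
    path = shutil.which(sops_bin)
    if path is None:
        raise MissingSopsError(SOPS_INSTALL_HINT)
    return path


def decrypt_manifest(path, sops_bin="sops"):
    """Decrypt a SOPS file to a dict. The encrypted file on disk is only read, never rewritten."""
    sops = require_sops(sops_bin)
    # --output-type json (assumed available in the installed sops) avoids a YAML dependency.
    result = subprocess.run(
        [sops, "--decrypt", "--output-type", "json", path],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)


def encode_secret_values(manifest):
    """Return a copy of a Secret manifest with every value under 'data' base64-encoded.

    Kubernetes expects Secret 'data' values to be base64; the cleartext SOPS file
    holds them plain, so this is the step the deploy performs after decryption.
    Non-Secret manifests are passed through untouched.
    """
    if manifest.get("kind") != "Secret":
        return manifest
    encoded = dict(manifest)
    encoded["data"] = {
        key: base64.b64encode(str(value).encode("utf-8")).decode("ascii")
        for key, value in (manifest.get("data") or {}).items()
    }
    return encoded


def prepare_secrets(k8s_dir="k8s", sops_bin="sops"):
    """Decrypt and encode every '-enc.yaml' manifest under k8s_dir for deployment."""
    return [
        encode_secret_values(decrypt_manifest(path, sops_bin))
        for path in find_encrypted_manifests(k8s_dir)
    ]


if __name__ == "__main__":
    # Constructed sample: what a decrypted '-enc.yaml' Secret would look like as a dict.
    sample = {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "db"},
              "data": {"password": "hunter2"}}
    print(json.dumps(encode_secret_values(sample), indent=2))
    try:
        prepare_secrets("k8s", sops_bin="sops")
    except MissingSopsError as err:
        print(err)
```

The decrypt step deliberately never writes to the encrypted file, matching the PR note that version-controlled `-enc.yaml` files stay unchanged on deploy; `require_sops` is what turns a missing dependency into instructions rather than a traceback.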


@aj0415 aj0415 commented Apr 30, 2018

@rhs rhs merged commit a99c633 into datawire:master Jun 22, 2018
1 of 2 checks passed
continuous-integration/travis-ci/pr The Travis CI build failed
deploy/netlify Deploy preview ready!