-
Notifications
You must be signed in to change notification settings - Fork 842
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Behavior of path_regex changed in patch release and broke some usecases #480
Comments
Hey @michael-k
That sounds good to me. Can get onto this shortly (or will be happy to review a PR). |
Any updates on this? Currently running into the same issue - can you point me towards what needs updating @ajvb ? Happy to open a PR to address this |
If I understand this correctly, the above proposal would break the following use-case: we have a .sops.yaml in a folder, soft-linked to a sops.yaml in "configuration" folder. So given /a/.sops.yaml -> /b/sops.yaml, the above would cause sops -e /c/somefile.yaml to end up seeing path as ../../c/somefile.yaml. Not sure. |
Relative to the project root is closer to what I'm looking for than relative to the config file. Whatever the project root is. Maybe traverse the path up until a config file, a And I'm also happy if this is available as an option. Maybe another config next to I'm also able to pass the prefix that |
While writing my latest comment, I thought of a solution that works for us. Since we're calling sops from a small wrapper script anyway, we're now adjusting the configuration on the fly: sed -r "s|- (path_regex):\s+/*|- \1: ^$(pwd)/|g" ./.sops.template.yaml > ./.sops.yaml This takes |
Since release 3.3.1 (#478) path regexes check against the full path as implemented in PR #466 (issue #465). This solved the usecase mentioned in the issue but broke another one.
Consider this config (taken from #466):
If the repo that contains the secrets is located under a path like
/home/user/development/secrets/
, the first rule will always match. I have no control over the location where other developers store their repos.We tried to prevent this by using
^(./)?development/.+\.yaml
as apath_regex
and calling sops always from the project root, but this no longer works with sops 3.3.1 and fails with error loading config: no matching creation rules found. It even fails for existing encrypted files, despite the irrelevance of creation rules for them.Possible solution
Instead of simply converting the path passed to sops to an absolute path, the absolute path should be made relative to the config file (if one exists).
This should support both the use case from #465 and ours.
The text was updated successfully, but these errors were encountered: