Add support for --unencrypted-regex #715
Codecov Report
@@ Coverage Diff @@
## develop #715 +/- ##
===========================================
+ Coverage 36.44% 36.65% +0.21%
===========================================
Files 22 22
Lines 3205 3222 +17
===========================================
+ Hits 1168 1181 +13
- Misses 1918 1922 +4
Partials 119 119
@autrilla Looking forward to feedback on this PR

LGTM. With this, I think we should deprecate encrypted and unencrypted suffixes and remove them eventually, since this is much more flexible. Are all the files

I'll take a look. I would have expected that

I could do the deprecation in a separate MR to avoid polluting this one

Ah, I didn't mean we had to do it now. It's just an argument in favor of adding this feature -- we add one flag and now we can remove two :)

Yeah, we should get that set up at some point...

@autrilla I ran
I have added them to the PR

@autrilla Anything else to be done here?

Another thing that I ran today while testing the

Let's say I have

```yaml
creation_rules:
  - kms: "key1,key2"
    pgp: "fingerprint3"
    unencrypted_regex: '^(name|last_name)$'
```

And I have a yaml file encrypted using that configuration, e.g.:

```yaml
name: rene
last_name: hernandez
... # rest of encrypted data
sops:
    kms:
        ... # kms section
    pgp:
        ... # pgp section
    unencrypted_regex: ^(name|last_name)$
    version: 3.6.999
```

If I then update the

```yaml
creation_rules:
  - kms: "key1,key2"
    pgp: "fingerprint3"
    unencrypted_regex: '^(name|last_name|age)$'
```

When I edit the existing encrypted file and add the

Is this expected? If so, what alternatives do I have to update the metadata on the encrypted files automatically?

I found that the affecting code is here. If the file to be edited already exists, we don't pass down the encrypted/unencrypted options. Any suggestions?

Yes, it's intended. Currently, there are no options to do that, other than recreating the file.

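An added example, not code from this PR or from sops: a drift check for the situation discussed in this thread, where an existing file keeps the `unencrypted_regex` stored in its own `sops` metadata after the creation rule changes. It assumes the decrypted document is already parsed into nested maps and that a value is left unencrypted when its own key or an ancestor key matches; `node`, `plaintext`, `minus` and `drift` are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

type node = map[string]interface{}

// plaintext collects into out the leaf paths that re leaves unencrypted.
// Assumptions of this sketch: a value is skipped when its own key or an
// ancestor key matches, and an empty pattern means the option is unset.
func plaintext(n node, re *regexp.Regexp, prefix string, clear bool, out map[string]bool) {
	for k, v := range n {
		c := clear || (re.String() != "" && re.MatchString(k))
		if child, ok := v.(node); ok {
			plaintext(child, re, prefix+k+".", c, out)
		} else if c {
			out[prefix+k] = true
		}
	}
}

// minus returns the sorted paths present in a but not in b.
func minus(a, b map[string]bool) (d []string) {
	for p := range a {
		if !b[p] {
			d = append(d, p)
		}
	}
	sort.Strings(d)
	return d
}

// drift compares the regex stored in a file's sops metadata (fileRe) with the
// current creation rule (ruleRe). stillEnc: exempt under the rule but still
// encrypted in the file. stillPlain: plaintext in the file but not exempt.
func drift(tree node, fileRe, ruleRe string) (stillEnc, stillPlain []string) {
	have, want := map[string]bool{}, map[string]bool{}
	plaintext(tree, regexp.MustCompile(fileRe), "", false, have)
	plaintext(tree, regexp.MustCompile(ruleRe), "", false, want)
	return minus(want, have), minus(have, want)
}

func main() { // constructed sample: decrypted view of the file from the thread
	tree := node{"name": "rene", "last_name": "hernandez", "age": 30}
	fmt.Println(drift(tree, `^(name|last_name)$`, `^(name|last_name|age)$`))
}
```

A non-empty `stillPlain` is the case to review first: the rule was narrowed, but the file still carries those values in the clear until it is recreated.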
Description

Fix #538

This will allow specifying a regex so that only keys that match will not be encrypted. Essentially, the reverse of the --encrypted-regex functionality

Changes

- --unencrypted-regex cli flag
- unencrypted_regex field