Conversation

@drdaeman

Hello. I'd like to use Forge with Sops, but the current implementation from #181 is limited to AWS KMS only. So, naturally, I'd like to propose a slight improvement.

This PR improves key_check function to look out for PGP, GCP and Azure environment variables, not just AWS.

Also, key checks are removed for decryption (and re-encryption) operations. Sops is smart enough to figure out the keys on its own: the encrypted files actually contain all the necessary information. At the very least, just running sops -d example-enc.yml without any environment variables set is enough to decrypt it, as long as I have the keys, of course.

I've tested my changes and they seem to work with my PGP+GCP KMS Sops-encrypted files without any issues.

Thanks!

This commit improves `key_check` function to look out for PGP, GCP and
Azure environment variables, not just AWS.

Also, key checks are removed for decryption operations.
Sops is smart enough to figure the keys on its own.

This commit improves and simplifies handling of Sops-encrypted secrets.
Instead of using temporary files, and leaving unencrypted data
on rendering failures, Forge now decrypts in-memory.

drdaeman commented Jan 3, 2019

Sorry for the scope creep; I was just using Forge quite actively and noticed that whenever I made a mistake in the encrypted templates, they were left on disk unencrypted. So I decided to add one more commit and improve this in the same PR.

On an unrelated note, I'd also like to propose adding base64.b64encrypt and b64decrypt functions to the Jinja2 Environment. Those should be really useful for generating K8s Secrets on the fly. However, that would certainly be way out of scope for this PR...
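The two changes discussed in this PR (a backend-agnostic key check that applies only to a fresh encrypt, and decrypting via sops stdout instead of a temporary file so a failed render leaves no plaintext on disk), written out as an added Python example. This is not Forge's code and not the code from this PR; the environment-variable names are the ones Sops documents for choosing master keys on encrypt, and the `fake_sops_run` stand-in for the sops binary is constructed here so the example runs offline without keys:

```python
"""Added example (not Forge's own code, and not the code from this PR).

  * key_check: only a fresh encrypt needs master-key hints from the
    environment, and those hints may come from any Sops backend (AWS KMS,
    PGP, GCP KMS, Azure Key Vault).  Decrypt and re-encrypt need none,
    because the `sops` metadata block in the file names its master keys.
  * in-memory decrypt: capture the stdout of `sops -d` instead of writing
    the plaintext to a temporary file, so a template error later on
    cannot leave cleartext on disk.

Assumptions: the environment variables are the ones Sops documents for
choosing master keys on encrypt; `run` defaults to subprocess.run but can
be replaced by a fake (one is constructed below) so this runs without a
sops binary or any keys.  A .sops.yaml creation_rules block is the other
way to supply master keys and is deliberately not modelled here.
"""
import os
import subprocess
from typing import Callable, List, Mapping, Optional

# Master-key hint variables Sops reads when encrypting, per backend.
MASTER_KEY_ENV = {
    "aws": ("SOPS_KMS_ARN",),
    "pgp": ("SOPS_PGP_FP",),
    "gcp": ("SOPS_GCP_KMS_IDS",),
    "azure": ("SOPS_AZURE_KEYVAULT_URLS",),
}

Runner = Callable[..., subprocess.CompletedProcess]


def key_check(operation: str, env: Optional[Mapping[str, str]] = None) -> List[str]:
    """Return the backends whose master-key hints are set in `env`.

    Raises only for "encrypt" with no hints at all.  "decrypt" and
    "reencrypt" never raise: Sops recovers the keys from file metadata.
    """
    if env is None:
        env = os.environ
    found = [backend for backend, names in MASTER_KEY_ENV.items()
             if any(env.get(name) for name in names)]
    if operation == "encrypt" and not found:
        every = ", ".join(n for names in MASTER_KEY_ENV.values() for n in names)
        raise RuntimeError("no Sops master key configured; set one of " + every)
    return found


def sops_decrypt(path: str, run: Runner = subprocess.run) -> str:
    """Decrypt `path` with `sops -d` and return the plaintext from stdout.

    No key check and no temporary file: the plaintext only ever lives in
    this process's memory.
    """
    proc = run(["sops", "-d", path], capture_output=True, check=False)
    if proc.returncode != 0:
        detail = proc.stderr.decode(errors="replace").strip()
        raise RuntimeError(f"sops -d {path} failed: {detail}")
    return proc.stdout.decode()


def render_encrypted(path: str, render: Callable[[str], str],
                     run: Runner = subprocess.run) -> str:
    """Decrypt, then render.  A render error propagates unchanged, and
    because nothing was written to disk there is nothing to clean up."""
    return render(sops_decrypt(path, run=run))


# Constructed stand-in for the sops binary so the example runs offline:
# it "decrypts" one known path and fails like sops does for anything else.
FAKE_FILES = {"example-enc.yml": b"password: hunter2\n"}


def fake_sops_run(argv, **kwargs) -> subprocess.CompletedProcess:
    if argv[:2] == ["sops", "-d"] and argv[2] in FAKE_FILES:
        return subprocess.CompletedProcess(argv, 0, stdout=FAKE_FILES[argv[2]], stderr=b"")
    return subprocess.CompletedProcess(
        argv, 1, stdout=b"",
        stderr=b"Failed to get the data key required to decrypt the SOPS file.")


if __name__ == "__main__":
    print(key_check("decrypt", {}))                       # no hints needed, no error
    print(key_check("encrypt", {"SOPS_PGP_FP": "ABCD"}))  # ['pgp']
    print(render_encrypted("example-enc.yml", str.upper, run=fake_sops_run))
```

In real use `render` would be the Jinja2 rendering step; the point is that on a template error the only copy of the plaintext was the string returned by `sops_decrypt`, so there is no file to forget to delete.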
