Open fredcooke opened 3 years ago
This will need some configuration with defaults:

- src/main/secrets/values
- enc -md sha256 -pbkdf2 -aes-256-cbc -base64
- enc -md sha256 -pbkdf2 -aes-256-cbc -d -base64
- .sha256.aes256
- .txt
- .raw

Commands should be:

1. verifykey quiet, finds all ready-to-encrypt files and encrypts them into the encrypted suffix file name variant
2. branchout secrets decrypt - requests key, runs verifykey quiet, finds all encrypted secret files and decrypts them into the decrypted suffix file name variant
4. verifykey quiet, creates .raw file, encrypts it, then removes .raw file

As per the original ticket it should establish the project base directory, use that, and function identically anywhere below it. E.g. if you have:

~/projects/myProject/myGroup/myRepo/

and in it is src/main/secrets/values and numerous other files/dirs, then it should work in that base dir and anywhere below it equally well. It should use the standard branchout project structure to do this, not search for a .git directory, as sometimes projects are built locally before git init, commit, and push to the remote repository.

Output for 1, 2, 3 should be like this:

Decrypted N secrets from DIR matching SUFFIX
Encrypted N secrets in DIR matching SUFFIX
Cleaned N secrets in DIR matching SUFFIX and SUFFIX

With 0 outputting something like:

Found and successfully decrypted N secrets in DIR
OR
Found N secrets in DIR but failed to decrypt Y of them, only X were valid

And 4 being the same as 1 but with a leading line like:

Created secret with value N bytes long and name NAME in DIR

and then followed by the output from 1, which it calls before cleaning up using 3.
This spec is a bit different than my original post but I think it's more thorough and useful, too. For review by @stickycode before I go ahead and implement it.
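The following is an added example, not branchout's own code and not from the issue author: a minimal POSIX shell sketch of the verifykey, encrypt, decrypt, clean and create commands specified above, built on the openssl enc invocations from the issue and printing the output lines in the format the spec asks for. Assumptions that are not in the issue: the key is read from an exported BRANCHOUT_SECRET_KEY environment variable rather than prompted for, plaintext secrets end in ".txt", and the directory to operate on is passed as the first argument instead of being derived from the branchout project structure.

```shell
#!/bin/sh
# Added example (not branchout's own code): a minimal implementation of the
# secrets commands from the issue, built on "openssl enc -md sha256 -pbkdf2
# -aes-256-cbc -base64". Assumptions: key comes from $BRANCHOUT_SECRET_KEY
# (exported by the caller), plaintext files end in .txt, DIR is passed as $1.
set -u

ENC_SUFFIX=".sha256.aes256"
DEC_SUFFIX=".txt"
RAW_SUFFIX=".raw"
ENC_OPTS="-md sha256 -pbkdf2 -aes-256-cbc -base64"

# $1 = -e or -d, $2 = input file, $3 = output file. The passphrase is passed
# via the environment so it never shows up in `ps` output or shell history.
_openssl_enc() {
  openssl enc $ENC_OPTS "$1" -pass env:BRANCHOUT_SECRET_KEY -in "$2" -out "$3"
}

# Item 0 ("verifykey quiet"): return 0 if the key decrypts the first encrypted
# secret found under $1, or if there is nothing to check yet; 1 otherwise.
# CBC has no authentication tag, so a wrong key is only caught by the padding
# check, which a wrong key passes roughly once in 256 attempts.
secrets_verifykey() {
  sample=$(find "$1" -type f -name "*$ENC_SUFFIX" | head -n 1)
  [ -n "$sample" ] || return 0
  _openssl_enc -d "$sample" /dev/null 2>/dev/null
}

# Item 1: encrypt every plaintext secret under $1 into its encrypted variant.
secrets_encrypt() {
  dir=$1
  secrets_verifykey "$dir" || { echo "key does not decrypt existing secrets in $dir" >&2; return 1; }
  count=0
  while IFS= read -r plain; do
    [ -n "$plain" ] || continue
    _openssl_enc -e "$plain" "${plain%$DEC_SUFFIX}$ENC_SUFFIX" || return 1
    count=$((count + 1))
  done <<EOF
$(find "$dir" -type f -name "*$DEC_SUFFIX")
EOF
  echo "Encrypted $count secrets in $dir matching $DEC_SUFFIX"
}

# Item 2: decrypt every encrypted secret under $1 into its plaintext variant.
secrets_decrypt() {
  dir=$1
  secrets_verifykey "$dir" || { echo "key does not decrypt existing secrets in $dir" >&2; return 1; }
  count=0
  while IFS= read -r enc; do
    [ -n "$enc" ] || continue
    _openssl_enc -d "$enc" "${enc%$ENC_SUFFIX}$DEC_SUFFIX" || return 1
    count=$((count + 1))
  done <<EOF
$(find "$dir" -type f -name "*$ENC_SUFFIX")
EOF
  echo "Decrypted $count secrets from $dir matching $ENC_SUFFIX"
}

# Item 3: remove plaintext (.txt) and raw (.raw) files, keeping only ciphertext.
secrets_clean() {
  dir=$1
  count=0
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    rm -f "$f"
    count=$((count + 1))
  done <<EOF
$(find "$dir" -type f \( -name "*$DEC_SUFFIX" -o -name "*$RAW_SUFFIX" \))
EOF
  echo "Cleaned $count secrets in $dir matching $DEC_SUFFIX and $RAW_SUFFIX"
}

# Item 4: write $2.raw under $1 with owner-only permissions, encrypt it, then
# remove the raw file so plaintext never lingers on disk.
secrets_create() {
  dir=$1; name=$2; value=$3
  secrets_verifykey "$dir" || return 1
  raw="$dir/$name$RAW_SUFFIX"
  ( umask 077; printf '%s' "$value" > "$raw" ) || return 1
  _openssl_enc -e "$raw" "${raw%$RAW_SUFFIX}$ENC_SUFFIX" || { rm -f "$raw"; return 1; }
  rm -f "$raw"
  bytes=$(printf '%s' "$value" | wc -c | tr -d ' ')
  echo "Created secret with value $bytes bytes long and name $name in $dir"
}

# Usage: sh secrets.sh encrypt|decrypt|clean|verifykey DIR
#        sh secrets.sh create DIR NAME VALUE
if [ $# -ge 2 ]; then
  case $1 in
    encrypt|decrypt|clean|verifykey) "secrets_$1" "$2" ;;
    create) secrets_create "$2" "$3" "$4" ;;
  esac
fi
```

Export BRANCHOUT_SECRET_KEY before calling any command; with an empty or unset variable openssl will fail to derive a key and every command returns non-zero. The verifykey step runs before encrypt, decrypt and create so that a mistyped key cannot silently produce a second generation of ciphertexts encrypted under a different passphrase, which is the main way a directory of CBC-encrypted files becomes unrecoverable.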
In my day to day work, environmental secrets are stored encrypted in src/main/secrets and src/main/secrets/values and sub directories thereof. I have a set of scripts to make adding and reviewing and managing the life cycle of secrets easier but it would be nice if this was built into the tool used for managing the source code and doing the builds.
I understand there used to be a kubesec implementation in branchout and that it may be found in the history somewhere - I'll check that out before getting too deep into this, but some thoughts on commands needed:
This should have a few smarts:
I will review this and edit in more or correct things tomorrow, however that's a good start in terms of a spec, and clearly there's a priority order for commands from basic/essential to fancy/optional/extra.