PierreBeucher / novops

Cross-platform secret & config manager for development and CI environments
https://novops.dev
GNU Lesser General Public License v3.0

crash with 2 sops_dotenv and an extract #99

Open teto opened 3 months ago

teto commented 3 months ago

I haven't linked the secrets file, but in one of my .novops.yaml:

    sops_dotenv:
      - file: deploysecrets.dev.yaml
      - file: nixos/secrets.dev.yaml
        extract: '["sshPrivateKey"]'

novops load triggers:

❌130 ❯ RUST_BACKTRACE=1 novops load -e dev -s .envrc
thread 'main' panicked at src/modules/sops.rs:121:52:
called `Option::unwrap()` on a `None` value
stack backtrace:
   0: rust_begin_unwind
   1: core::panicking::panic_fmt
   2: core::panicking::panic
   3: <novops::modules::sops::SopsDotenvInput as novops::core::ResolveTo<alloc::vec::Vec<novops::modules::variables::VariableOutput>>>::resolve::{{closure}}
   4: novops::load_context_and_resolve::{{closure}}
   5: novops::main::{{closure}}
   6: tokio::runtime::park::CachedParkThread::block_on
   7: tokio::runtime::context::runtime::enter_runtime
   8: tokio::runtime::runtime::Runtime::block_on
   9: novops::main
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

If I remove the "extract", novops doesn't crash:

    sops_dotenv:
      - file: deploysecrets.dev.yaml
      - file: nixos/secrets.dev.yaml

This happens with this version: b8e95903a86a7ec0c1593dd368a6ee00a2a6086f

PierreBeucher commented 3 months ago

Oh. Will take a look asap

PierreBeucher commented 3 months ago

Can you share an example with encrypted and clear SOPS files please? And your sops --version. I can't reproduce as-is.

The problem comes from https://github.com/PierreBeucher/novops/blob/b8e95903a86a7ec0c1593dd368a6ee00a2a6086f/src/modules/sops.rs#L121

This module uses the sops --output-type dotenv option, which supposedly outputs lines to stdout like

    KEY=VALUE
    FOO=BAR

But for some reason SOPS returns a line on stdout which is not a key=value pair as expected (it does not contain an = character), hence the issue.

Admittedly, this naïve method is not good enough; we should either ignore or error safely on lines not containing =, but I can't find the reason behind this SOPS behavior.
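An added example, not code from the novops repository: a small Rust parser for `sops --output-type dotenv` style output that does what the comment above proposes, skipping or reporting a line without an `=` instead of calling `unwrap()` on it. It also splits on the first `=` only, so values that themselves contain `=` are not truncated. The names `Variable`, `DotenvParseError`, `OnMalformed`, `parse_dotenv` and the sample text are assumptions made for this illustration; the stray third line is constructed to reproduce the shape of the failure and is not the line SOPS actually emitted in this issue.

```rust
use std::fmt;

/// One KEY=VALUE pair recovered from dotenv-style output (hypothetical type).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Variable {
    pub name: String,
    pub value: String,
}

/// Why a line could not be turned into a pair.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum DotenvParseError {
    /// The line has no `=` at all: the case a naive `split('=')` + `unwrap()` panics on.
    MissingSeparator { line_no: usize, content: String },
    /// The line starts with `=`, so there is no variable name.
    EmptyName { line_no: usize },
}

impl fmt::Display for DotenvParseError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            DotenvParseError::MissingSeparator { line_no, content } => {
                write!(f, "line {line_no}: expected KEY=VALUE but found {content:?}")
            }
            DotenvParseError::EmptyName { line_no } => {
                write!(f, "line {line_no}: empty variable name")
            }
        }
    }
}

impl std::error::Error for DotenvParseError {}

/// Policy for lines that are not `KEY=VALUE` (the "ignore or error safely" choice).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum OnMalformed {
    Skip,
    Fail,
}

/// Parse dotenv-style text into variables without ever panicking.
///
/// Blank lines and `#` comments are ignored. Each remaining line is split on
/// its *first* `=` only, so values containing `=` (URLs, base64 with padding)
/// survive intact. Lines with no `=` are skipped or reported per `policy`.
pub fn parse_dotenv(
    output: &str,
    policy: OnMalformed,
) -> Result<Vec<Variable>, DotenvParseError> {
    let mut vars = Vec::new();
    // `str::lines` already strips a trailing '\r' from CRLF input.
    for (idx, raw) in output.lines().enumerate() {
        let line_no = idx + 1;
        let trimmed = raw.trim();
        if trimmed.is_empty() || trimmed.starts_with('#') {
            continue;
        }
        match trimmed.split_once('=') {
            Some((name, value)) => {
                let name = name.trim();
                if name.is_empty() {
                    return Err(DotenvParseError::EmptyName { line_no });
                }
                vars.push(Variable {
                    name: name.to_string(),
                    value: value.to_string(),
                });
            }
            None => match policy {
                OnMalformed::Skip => continue,
                OnMalformed::Fail => {
                    return Err(DotenvParseError::MissingSeparator {
                        line_no,
                        content: trimmed.to_string(),
                    })
                }
            },
        }
    }
    Ok(vars)
}

/// Constructed sample standing in for sops stdout. The third line is made up
/// to reproduce the shape of the failure; it is not taken from the issue.
pub const SAMPLE_OUTPUT: &str =
    "KEY=VALUE\nFOO=BAR\nstray line without separator\n# comment\nURL=https://example.com/?a=1\n";

fn main() {
    // Strict mode: the stray line is reported with its line number instead of a panic.
    match parse_dotenv(SAMPLE_OUTPUT, OnMalformed::Fail) {
        Ok(vars) => println!("parsed {} variables", vars.len()),
        Err(e) => eprintln!("sops dotenv output rejected: {e}"),
    }
    // Lenient mode: the stray line is dropped and the three real pairs come through.
    let vars = parse_dotenv(SAMPLE_OUTPUT, OnMalformed::Skip)
        .expect("skip policy never fails on a missing '='");
    for v in &vars {
        println!("{}={}", v.name, v.value);
    }
}
```

Whichever policy is chosen, the caller gets a `Result` it can turn into a normal novops error message with the offending line number, which is more useful for diagnosing the SOPS behaviour than the panic in the backtrace above.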

PierreBeucher commented 2 months ago

@teto ping :) Can you provide the data you used, please?