Closed felixfontein closed 2 months ago
All modified and coverable lines are covered by tests :white_check_mark:
Project coverage is 66.16%. Comparing base (
038577d
) to head (81a6484
). Report is 8 commits behind head on main.
:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.
Thank you for contribution!β¨
This PR has been merged and the docs are now incorporated into main
:
https://ansible-collections.github.io/community.sops/branch/main
I agree with this change but there is a caveat we need to double check.
As this uses the generic vars file extension is it now possible for sops to run on non sops encrypted files. I remember choosing a separate extension on purpose, due to limitations on running sops on such files. I don't exactly remember if the issue was just with non sops encrypted files or with partially encrypted files too.
To ensure this functionality works as expected I think we need to add a couple of test to ensure that:
This would address being able to use just yaml/json extensions without unexpected failures.
What do you think? I may have a look during the next week.
As long as SOPS can decrypt the files, it will work.
It will definitely fail with non-encrypted files (sops will exit with sops metadata not found
). (There's already a test for that, using the original extensions: tests/integration/targets/vars_sops/test-bad-file/
.)
There's currently no way to test whether a file is sops-encrypted (I'm still waiting for https://github.com/getsops/sops/pull/545 to get rebased ;) ). It's probably best to add a warning that the plugin will not work if it applies to any file that's not sops-encrypted.
(Once that PR is merged and a new SOPS release is out I'd like to add some code that tests files before trying to decrypt them. There are quite a few things I'm planning to do once a new SOPS release is out. I really hope it happens soon...)
I improved the documentation accordingly (and while at it improved/removed some other things).
@endorama is the current version of the PR ok enough for you? If yes I'll merge it and create a new release so it can get included in tomorrow's Ansible releases.
As long as SOPS can decrypt the files, it will work. It will definitely fail with non-encrypted files
@felixfontein It make sense and I think it's a good change anyway. It opens the door for shooting yourself in the foot but is also a useful feature for more advanced use cases and users.
I'm still waiting for https://github.com/getsops/sops/pull/545 to get rebased ;)
π Found some time to do it finally, it's now up to date.
(Once that PR is merged and a new SOPS release is out I'd like to add some code that tests files before trying to decrypt them. There are quite a few things I'm planning to do once a new SOPS release is out. I really hope it happens soon...)
Looking forward to it!
@endorama @markuman thanks a lot for reviewing this!
Is it now possible with the new filestatus in SOPS to encrypt only some of the inventory-files and the sops_vars plugin can automatically recognize if a "sops:"-part is present in the file or not? If not, it will skip the file without throwing an error.
This would allow a seamless integration into ansible.
@ZzenlD check out the handle_unencrypted_files
option (https://docs.ansible.com/ansible/devel/collections/community/sops/sops_vars.html#parameter-handle_unencrypted_files). You can set it to skip
.
Oh, my mistake... I really should read better the documentation. Thanks for the implementation :)
Motivation
See #183.
Changes description
Makes the valid extensions configurable by the
valid_extensions
option in the[community.sops]
section of ansible.cfg, or by theANSIBLE_VARS_SOPS_PLUGIN_VALID_EXTENSIONS
environment variable.Additional notes
Fixes #183.