datawire / forge

Define and run multi-container apps in Kubernetes
http://forge.sh
Apache License 2.0

Initial commit of SOPS encryption logic #181

Closed aj0415 closed 6 years ago

aj0415 commented 6 years ago

Summary: I have added the ability to use the forge CLI to view and edit SOPS encrypted secret files in cleartext. In addition, upon forge deploy, if there are any files that end in '-enc.yaml' in the 'k8s' directory it will attempt to decrypt the files, base64 encode the secret values, and use them for deployment. SOPS is a dependency, so perhaps using the python SOPS library is another option, although it is no longer accepting improvements.

Let me know if you have any suggestions or changes or if there are any issues.

Note: When deploying, the encrypted files will not be modified, which is ideal if you are using version control to track your SOPS encrypted secret files.

Requirements: First, install SOPS: https://github.com/mozilla/sops

You will also need to create or get the SOPS Master Key using AWS KMS, then:

$ export SOPS_KMS_ARN="your-master-key"

Verify your AWS credentials are in ~/.aws/credentials:

$ cat ~/.aws/credentials
[default]
aws_access_key_id = AKI.....
aws_secret_access_key = mw......

Usage: In addition to normal forge usage, you can:

Edit a SOPS encrypted file in cleartext:

$ forge edit <path-to-sops-encrypted-file>

Note: If you do not make any changes, the encryption/decryption will not affect the file, which is great if you are using version control to track it.

View a SOPS encrypted file in cleartext:

$ forge view <path-to-sops-encrypted-file>

rhs commented 6 years ago

This looks really cool. I'm gonna set this up and play with it a bit next week.

Regarding the added dependency, I don't think it's a problem to have an optional dependency on the sops binary. I'd say just try to have a friendly/useful error message so if it's not present you get clear instructions on how to acquire it rather than a scary stack trace. ;-)

aj0415 commented 6 years ago

Sounds great! Currently, I just check if the master key is available as an environment variable that SOPS requires and tell the user to set the variable if it doesn’t find it. I could add to that text and let the user know what to do if they haven’t installed SOPS.

On Apr 29, 2018, at 5:23 AM, Rafael Schloming notifications@github.com wrote:

This looks really cool. I'm gonna set this up and play with it a bit next week.

Regarding the added dependency, I don't think it's a problem to have an optional dependency on the sops binary. I'd say just try to have a friendly/useful error message so if it's not present you get clear instructions on how to acquire it rather than a scary stack trace. ;-)

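The deploy-time flow the PR describes (find `*-enc.yaml` files under `k8s/`, decrypt them with the sops binary, base64-encode the secret values, never touch the files on disk), together with the friendly setup errors discussed in the two comments above, as an added worked example. This is illustration code written for this thread, not forge's own implementation. It assumes sops 3.x, whose `sops -d --output-type json` invocation lets the example parse the cleartext with the standard library instead of a YAML dependency, and it assumes the encrypted files are Kubernetes `Secret` manifests whose `data` values are stored in cleartext before encoding. The `fake_sops_run` stand-in and the `db-enc.yaml` contents are constructed so the example runs offline; in real use the default `subprocess.run` invokes the actual binary.

```python
"""Deploy-time SOPS handling: decrypt, base64-encode, leave files untouched.

Added example for this PR thread, not forge's code. sops is invoked as a
subprocess (sops -d --output-type json, a sops 3.x option), so no Python
SOPS library is required; setup problems surface as one readable message.
"""
import base64
import json
import os
import shutil
import subprocess
import tempfile
from pathlib import Path


class SopsSetupError(RuntimeError):
    """Raised with install/setup instructions instead of a scary stack trace."""


def check_sops_environment(env=None, which=shutil.which):
    """Fail early if the sops binary or the KMS master key variable is missing."""
    env = os.environ if env is None else env
    if which("sops") is None:
        raise SopsSetupError("sops binary not found on PATH. Install it from "
                             "https://github.com/mozilla/sops and retry.")
    if not env.get("SOPS_KMS_ARN"):
        raise SopsSetupError("SOPS_KMS_ARN is not set. Export the ARN of your AWS KMS "
                             'master key, e.g. export SOPS_KMS_ARN="your-master-key".')


def find_encrypted_manifests(k8s_dir):
    """Return the files in k8s_dir whose names end in '-enc.yaml'."""
    return sorted(p for p in Path(k8s_dir).iterdir() if p.name.endswith("-enc.yaml"))


def decrypt_manifest(path, run=subprocess.run):
    """Decrypt one SOPS file to a dict; `run` is injectable so tests need no binary."""
    cmd = ["sops", "-d", "--output-type", "json", str(path)]
    try:
        result = run(cmd, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        raise SopsSetupError("sops binary not found on PATH; install it from "
                             "https://github.com/mozilla/sops") from None
    if result.returncode != 0:
        raise SopsSetupError(f"sops could not decrypt {path}: {result.stderr.strip()}")
    return json.loads(result.stdout)


def encode_secret_values(manifest):
    """Base64-encode every value under `data` so the Secret is valid for the API server."""
    if manifest.get("kind") != "Secret":
        return manifest
    encoded = dict(manifest)  # shallow copy: the decrypted input is not mutated
    encoded["data"] = {
        key: base64.b64encode(str(value).encode("utf-8")).decode("ascii")
        for key, value in (manifest.get("data") or {}).items()
    }
    return encoded


def prepare_secrets(k8s_dir, run=subprocess.run):
    """Deploy-time step: decrypt each *-enc.yaml in memory and encode its values.
    Nothing is written back, so version-controlled encrypted files stay unchanged."""
    return [encode_secret_values(decrypt_manifest(p, run=run))
            for p in find_encrypted_manifests(k8s_dir)]


# Constructed stand-in for the sops binary (offline demo only): maps a file name
# to the cleartext JSON that a real `sops -d --output-type json` would print.
_FAKE_CLEARTEXT = {
    "db-enc.yaml": {"apiVersion": "v1", "kind": "Secret",
                    "metadata": {"name": "db"}, "data": {"password": "s3cr3t"}},
}


def fake_sops_run(cmd, **kwargs):
    name = Path(cmd[-1]).name
    if name not in _FAKE_CLEARTEXT:
        return subprocess.CompletedProcess(cmd, 1, "", f"no data key available for {name}")
    return subprocess.CompletedProcess(cmd, 0, json.dumps(_FAKE_CLEARTEXT[name]), "")


def demo():
    """Build a throwaway k8s/ directory and run the deploy-time step against it."""
    with tempfile.TemporaryDirectory() as tmp:
        k8s = Path(tmp) / "k8s"
        k8s.mkdir()
        (k8s / "db-enc.yaml").write_text("sops: {constructed ciphertext placeholder}\n")
        (k8s / "deployment.yaml").write_text("kind: Deployment\n")  # not a -enc file, skipped
        return prepare_secrets(k8s, run=fake_sops_run)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints the one Secret with `password` base64-encoded while `deployment.yaml` is ignored; swapping `fake_sops_run` for the default `subprocess.run` (after `check_sops_environment()`) is the only change needed to drive the real binary.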