Closed aj0415 closed 6 years ago
This looks really cool. I'm gonna set this up and play with it a bit next week.
Regarding the added dependency, I don't think it's a problem to have an optional dependency on the sops binary. I'd say just try to have a friendly/useful error message so if it's not present you get clear instructions on how to acquire it rather than a scary stack trace. ;-)
Sounds great! Currently, I just check if the master key is available as an environment variable that SOPS requires and tell the user to set the variable if it doesn’t find it. I could add to that text and let the user know what to do if they haven’t installed SOPS.
On Apr 29, 2018, at 5:23 AM, Rafael Schloming notifications@github.com wrote:
Summary: I have added the ability to use the forge CLI to view and edit SOPS encrypted secret files in cleartext. In addition, upon forge deploy, if there are any files that end in '-enc.yaml' in the 'k8s' directory it will attempt to decrypt the files, base64 encode the secret values, and use for deployment. SOPS is a dependency so perhaps using the python SOPS library is another option, although it is no longer accepting improvements. Let me know if you have any suggestions or changes or if there are any issues.
Note: When deploying, the encrypted files will not be modified, which is ideal if you are using version control to track your SOPS encrypted secret files
Requirements: First, install SOPS: https://github.com/mozilla/sops
You will also need to create or get the SOPS Master Key using AWS KMS, then:
$ export SOPS_KMS_ARN="your-master-key"
Verify your AWS credentials are in ~/.aws/credentials.
Usage: In addition to normal forge usage, you can:
Edit a SOPS encrypted file in cleartext:
forge edit <path-to-sops-encrypted-file>
Note: If you do not make any changes the encryption/decryption will not affect the file, which is great if you are using version control to track.
View a SOPS encrypted file in cleartext:
forge view <path-to-sops-encrypted-file>
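The deploy-time behaviour described in the summary (pre-flight checks for the SOPS master key and binary, decrypting a '-enc.yaml' file without touching it on disk, then base64-encoding the secret values for Kubernetes), as an added example that is not forge's own code from this PR. The function names, the friendly error wording, and the assumption that secret values live under a top-level 'data' key are this example's, not the project's.

```python
# Added example, not forge's code. Names (preflight, decrypt_with_sops,
# to_k8s_secret) and the 'data' key layout are assumptions of this example.
import base64
import os
import shutil
import subprocess
from typing import Dict, Optional

SOPS_URL = "https://github.com/mozilla/sops"


def preflight(env: Optional[Dict[str, str]] = None,
              sops_path: Optional[str] = None) -> Optional[str]:
    """Return a friendly error message, or None when SOPS is usable.

    Checks the KMS master-key variable SOPS requires and that the sops
    binary is on PATH, so a missing dependency yields instructions rather
    than a stack trace from a failed subprocess call. `env` and `sops_path`
    are injectable so the checks can be exercised without touching the OS.
    """
    env = os.environ if env is None else env
    sops_path = shutil.which("sops") if sops_path is None else sops_path
    if not env.get("SOPS_KMS_ARN"):
        return ("SOPS_KMS_ARN is not set; export the ARN of your AWS KMS "
                "master key: export SOPS_KMS_ARN=\"your-master-key\"")
    if not sops_path:
        return f"sops binary not found on PATH; install it from {SOPS_URL}"
    return None


def decrypt_with_sops(path: str) -> str:
    """Decrypt a SOPS file to cleartext on stdout; the file on disk is untouched."""
    done = subprocess.run(["sops", "-d", path], check=True,
                          capture_output=True, text=True)
    return done.stdout


def to_k8s_secret(manifest: dict) -> dict:
    """Base64-encode every value under 'data', as a Kubernetes Secret expects.

    `manifest` is the parsed cleartext document (values are plain strings
    after sops decryption). Returns a new dict; the input is not modified.
    """
    data = manifest.get("data", {})
    encoded = {k: base64.b64encode(str(v).encode()).decode()
               for k, v in data.items()}
    result = dict(manifest)
    result["data"] = encoded
    return result
```

Parsing the decrypted YAML text into a dict and globbing the 'k8s' directory for '-enc.yaml' files are left to the caller.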