Open rvangsgaard opened 2 weeks ago
I will be implementing a disable for in-place as an arguement. I still believe the default should be to decrypt in-place.
I am thinking something in terms of:
ksail sops <cluster-name> --decrypt file --in-place false
SOPS already supports redirecting the output to an editor, so for outputting the decrypted file, I think I can rely on the hosts EDITOR env. I will explore the options here, but I want to lean into the what could be expected if using sops outside of sail. I will add more information when I learn it.
I want to lean into the what could be expected if using sops outside of sail.
SOPS by default writes to stdout, and most CLIs do this.
Sometimes you just want to inspect a secret variable, and doing a git restore
of the file afterwards is cumbersome, because it was edited in-place.
The CLI sed
does it like this: https://linux.die.net/man/1/sed - look for --in-place
.
I respect your choice, and I might not really understand the most common use case for this yet.
You are right. I was thinking of this functionality, which I want to be the default:
But maybe it makes sense to add a specific arguments in this case?
ksail sops <cluster-name> edit <file>
Opens your $EDITOR to edit the file in-place. This is what I envisioned is the most likely use case for most. They run the ksail sops because they want to see or update sops encrypted file. This enables both those use cases.
ksail sops <cluster-name> decrypt <file>
Decrypts the file defaulting to stdout.
ksail sops <cluster-name> encrypt <file>
Encrypts the file defaulting to stdout.
ksail sops <cluster-name> decrypt <file> --in-place
Decrypts the file in place.
ksail sops <cluster-name> encrypt <file> --in-place
Encrypts the file in place.
ksail sops <cluster-name> decrypt <file> --output <file>
Decrypts the file and outputs it to another file.
ksail sops <cluster-name> encrypt <file> --output <file>
Encrypts the file and outputs it to another file.
--in-place
and --output
can be mixed resulting in the file being decrypted/encrypted in place, and outputted to some other file.
Having to add <cluster-name>
is temporary until a ksail config has been implemented allowing defaulting the current cluster set in the config, as long as ksail is executed in a subfolder of the ksail project. At this point I will probably also add an --agekey
argument to allow overwriting the default key used in case that is needed.
Would this work for you?
Personally I have no use of the --output
option. Piping the results of stdout
to a file is a well-known practice on Unix/Linux:
ksail sops <cluster-name> decrypt <file> > output-file
Decrypts the file and pipes the result to stdout.
Is this comment for another issue?
Having to add
is temporary until a ksail config has been implemented allowing defaulting the current cluster set in the config, as long as ksail is executed in a subfolder of the ksail project. At this point I will probably also add an --agekey argument to allow overwriting the default key used in case that is needed.
Nonetheless it seem like a good approach.
Is this comment for another issue?
Having to add is temporary until a ksail config has been implemented allowing defaulting the current cluster set in the config, as long as ksail is executed in a subfolder of the ksail project. At this point I will probably also add an --agekey argument to allow overwriting the default key used in case that is needed.
Nonetheless it seem like a good approach.
No it was just to inform you that my examples would like change a bit from what is presented here :-)
Personally I have no use of the
--output
option. Piping the results ofstdout
to a file is a well-known practice on Unix/Linux:
ksail sops <cluster-name> decrypt <file> > output-file
Decrypts the file and pipes the result to stdout.
It would be optional :-) So what you suggest here would also be possible. Piping and stuff is just not for everyone, and I want to make it easier for people who find it easier with flag for it. Kind of like a very verbose shortcut, compared to piping which requires some more Linux/syntax knowledge to understand :-)
Description
When decrypting files, do not overwrite the existing file. Either write to stdout, or write to another file.
I prefer printing the results to stdout, allowing the user to choose if I want to pipe to a file, or just see the results in the console.
Preconditions
No response
Expected work done
No response
Postconditions
When I decrypt a file, the results should be printed to stdout.