search

devantler / ksail

CLI tool for provisioning GitOps enabled K8s clusters in Docker.
https://devantler.github.io/ksail/
Apache License 2.0
46 stars 3 forks source link

Do not decrypt in-place #284

Open rvangsgaard opened 2 weeks ago

rvangsgaard commented 2 weeks ago

Description

When decrypting files, do not overwrite the existing file. Either write to stdout, or write to another file.

I prefer printing the results to stdout, allowing the user to choose if I want to pipe to a file, or just see the results in the console.

Preconditions

No response

Expected work done

No response

Postconditions

When I decrypt a file, the results should be printed to stdout.

devantler commented 2 weeks ago

I will be implementing a disable for in-place as an arguement. I still believe the default should be to decrypt in-place.

I am thinking something in terms of:

ksail sops <cluster-name> --decrypt file --in-place false

SOPS already supports redirecting the output to an editor, so for outputting the decrypted file, I think I can rely on the hosts EDITOR env. I will explore the options here, but I want to lean into the what could be expected if using sops outside of sail. I will add more information when I learn it.

rvangsgaard commented 2 weeks ago

I want to lean into the what could be expected if using sops outside of sail.

SOPS by default writes to stdout, and most CLIs do this.

Sometimes you just want to inspect a secret variable, and doing a git restore of the file afterwards is cumbersome, because it was edited in-place.

The CLI sed does it like this: https://linux.die.net/man/1/sed - look for --in-place.

I respect your choice, and I might not really understand the most common use case for this yet.

devantler commented 2 weeks ago

You are right. I was thinking of this functionality, which I want to be the default:

image
devantler commented 2 weeks ago

But maybe it makes sense to add a specific arguments in this case?

ksail sops <cluster-name> edit <file> Opens your $EDITOR to edit the file in-place. This is what I envisioned is the most likely use case for most. They run the ksail sops because they want to see or update sops encrypted file. This enables both those use cases. ksail sops <cluster-name> decrypt <file> Decrypts the file defaulting to stdout. ksail sops <cluster-name> encrypt <file> Encrypts the file defaulting to stdout. ksail sops <cluster-name> decrypt <file> --in-place Decrypts the file in place. ksail sops <cluster-name> encrypt <file> --in-place Encrypts the file in place. ksail sops <cluster-name> decrypt <file> --output <file> Decrypts the file and outputs it to another file. ksail sops <cluster-name> encrypt <file> --output <file> Encrypts the file and outputs it to another file.

--in-place and --output can be mixed resulting in the file being decrypted/encrypted in place, and outputted to some other file. Having to add <cluster-name> is temporary until a ksail config has been implemented allowing defaulting the current cluster set in the config, as long as ksail is executed in a subfolder of the ksail project. At this point I will probably also add an --agekey argument to allow overwriting the default key used in case that is needed.

Would this work for you?

rvangsgaard commented 2 weeks ago

Personally I have no use of the --output option. Piping the results of stdout to a file is a well-known practice on Unix/Linux:

ksail sops <cluster-name> decrypt <file> > output-file Decrypts the file and pipes the result to stdout.

rvangsgaard commented 2 weeks ago

Is this comment for another issue?

Having to add is temporary until a ksail config has been implemented allowing defaulting the current cluster set in the config, as long as ksail is executed in a subfolder of the ksail project. At this point I will probably also add an --agekey argument to allow overwriting the default key used in case that is needed.

Nonetheless it seem like a good approach.

devantler commented 2 weeks ago

Is this comment for another issue?

Having to add is temporary until a ksail config has been implemented allowing defaulting the current cluster set in the config, as long as ksail is executed in a subfolder of the ksail project. At this point I will probably also add an --agekey argument to allow overwriting the default key used in case that is needed.

Nonetheless it seem like a good approach.

No it was just to inform you that my examples would like change a bit from what is presented here :-)

devantler commented 2 weeks ago

Personally I have no use of the --output option. Piping the results of stdout to a file is a well-known practice on Unix/Linux:

ksail sops <cluster-name> decrypt <file> > output-file Decrypts the file and pipes the result to stdout.

It would be optional :-) So what you suggest here would also be possible. Piping and stuff is just not for everyone, and I want to make it easier for people who find it easier with flag for it. Kind of like a very verbose shortcut, compared to piping which requires some more Linux/syntax knowledge to understand :-)