Open mumoshu opened 6 years ago
For more versatility, maybe `.sopsed.yaml`:

```yaml
vaults:
  # Vault containing KUBECONFIG=clusters/test/kubeconfig and the encrypted version of kubeconfig
  kube-test:
    # With SOPSED_COMMAND envvar populated and visible to the script
    enabled_if:
    - ./scripts/env_is test
    # quoted so YAML does not read the leading "[" as a flow sequence
    - '[ "$SOPSED_COMMAND" == "kubectl" ];'
    files:
    - clusters/test/credentials/*-key.pem
    # Run maybe `sops set KUBECONFIG=clusters/test/kubeconfig --vault kube-test` to set the envvar
  # Vault containing KUBECONFIG=clusters/prod/kubeconfig and the encrypted version of kubeconfig
  # corresponds to the encrypted vault at .sopsed/kube-prod.yaml
  kube-prod:
    enabled_if:
    - ./scripts/env_is prod
    - '[ "$SOPSED_COMMAND" == "kubectl" ];'
    files:
    - clusters/prod/credentials/*-key.pem
```

Usage:

```console
# This runs the kubectl command inside the "test" vault in which the KUBECONFIG envvar is populated and the kubeconfig file is decrypted there
$ ENV=test sopsed kubectl get po
# This runs the kubectl command inside the "prod" vault in which the KUBECONFIG envvar is populated and the kubeconfig file is decrypted there
$ ENV=prod sopsed kubectl get po
```
`.sopsed.yaml` should just be:

```yaml
vaults:
  kube-test:
    enabled_if:
    - ./scripts/env_is test
    - '[ "$SOPSED_COMMAND" == "kubectl" ];'
  kube-prod:
    enabled_if:
    - ./scripts/env_is prod
    - '[ "$SOPSED_COMMAND" == "kubectl" ];'
```

without the `files:` keys after #5
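As an added illustration of the proposed `enabled_if` design (this is example code, not code from sopsed or from mumoshu), the following Python evaluator decides which vaults one `sopsed <command>` invocation should decrypt: every `enabled_if` entry is run through `/bin/sh` with `SOPSED_COMMAND` exported, a vault is enabled only when all of its entries exit 0, a vault without `enabled_if` is always enabled, and only the enabled vaults' `files` patterns are handed on to decryption. Those semantics, the `files_to_decrypt` helper, and the inline `[ "$ENV" = "test" ]` test standing in for the repository's `./scripts/env_is` are assumptions of this example; the issue does not specify them.

```python
"""Added example: evaluate proposed .sopsed.yaml `enabled_if` rules (not sopsed's own code)."""
import os
import subprocess
from typing import Any, Dict, List, Mapping

# Constructed config in the shape yaml.safe_load(".sopsed.yaml") would produce.
# ./scripts/env_is is not available here, so the conditions test $ENV inline
# with POSIX "=" so they also run under a plain /bin/sh.
SAMPLE_CONFIG: Dict[str, Any] = {
    "vaults": {
        "kube-test": {
            "enabled_if": ['[ "$ENV" = "test" ]', '[ "$SOPSED_COMMAND" = "kubectl" ]'],
            "files": ["clusters/test/credentials/*-key.pem"],
        },
        "kube-prod": {
            "enabled_if": ['[ "$ENV" = "prod" ]', '[ "$SOPSED_COMMAND" = "kubectl" ]'],
            "files": ["clusters/prod/credentials/*-key.pem"],
        },
        # Assumed semantics: no enabled_if means the vault is always enabled.
        "shared": {"files": ["shared/*.pem"]},
    }
}


def condition_holds(condition: str, env: Mapping[str, str]) -> bool:
    """Run one enabled_if entry via /bin/sh; only exit status 0 counts as true.

    The child gets exactly the variables in `env` (plus PATH so external
    scripts such as ./scripts/env_is could run), not the whole parent
    environment, so a vault cannot be enabled by an unrelated variable.
    """
    child_env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    child_env.update(env)
    result = subprocess.run(
        ["/bin/sh", "-c", condition],
        env=child_env,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def enabled_vaults(config: Mapping[str, Any], command: List[str],
                   env: Mapping[str, str]) -> List[str]:
    """Return the vault names whose every enabled_if condition passes.

    SOPSED_COMMAND is set to the first word of the wrapped command, as the
    proposal's `[ "$SOPSED_COMMAND" == "kubectl" ]` entries expect.
    """
    if not command:
        raise ValueError("sopsed needs a command to wrap")
    cond_env = dict(env)
    cond_env["SOPSED_COMMAND"] = command[0]
    enabled: List[str] = []
    for name, vault in config.get("vaults", {}).items():
        conditions = vault.get("enabled_if", [])
        # all() over an empty list is True, so unconditioned vaults are enabled.
        if all(condition_holds(c, cond_env) for c in conditions):
            enabled.append(name)
    return enabled


def files_to_decrypt(config: Mapping[str, Any], vaults: List[str]) -> List[str]:
    """Collect the `files` patterns of the enabled vaults only, in config order.

    Keeping the disabled vaults' patterns out of this list is the point of the
    design: a test-env command never causes prod credentials to be decrypted.
    """
    patterns: List[str] = []
    for name in vaults:
        patterns.extend(config["vaults"][name].get("files", []))
    return patterns


if __name__ == "__main__":
    # Stand-alone demo: `ENV=test python this_file.py kubectl get po`
    import sys
    cmd = sys.argv[1:] or ["kubectl", "get", "po"]
    chosen = enabled_vaults(SAMPLE_CONFIG, cmd, {"ENV": os.environ.get("ENV", "")})
    print("enabled vaults:", chosen)
    print("would decrypt:", files_to_decrypt(SAMPLE_CONFIG, chosen))
```

Because the conditions are arbitrary shell, the config file itself is part of the trust boundary: anyone who can edit `.sopsed.yaml` can run commands with the same privileges as the `sopsed` wrapper, which is the same trust already placed in `./scripts/env_is`.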
Suppose that a "vault" is a "set of credentials to be decrypted".
Probably with `.sopsed.yaml` like:

whereas decrypted `.sopsed/test.yaml` is:

so that e.g. `ENV=test helmfile sync` only triggers decryption necessary to work on the test env.