By default, ops will load secrets from config/$environment/secrets.ejson. If this file does not exist, it will load secrets from config/$environment/secrets.json. This allows the development environment to have unencrypted secrets (which is safe because development secrets should not be checked in).
However, if the user overrides the secrets file path with options.secrets.path, this fall-back-to-json logic is not employed.
Even if a repo changed the path to the secrets file, it is still likely that there would be different secrets for different environments, and that the development secrets would still not be committed to source control. Therefore, the fallback-to-json logic should be used in this case as well.
nickthecook
commented
4 years ago
By default,
opswill load secrets fromconfig/$environment/secrets.ejson. If this file does not exist, it will load secrets fromconfig/$environment/secrets.json. This allows the development environment to have unencrypted secrets (which is safe because development secrets should not be checked in).However, if the user overrides the secrets file path with
options.secrets.path, this fall-back-to-json logic is not employed.Even if a repo changed the path to the secrets file, it is still likely that there would be different secrets for different environments, and that the development secrets would still not be committed to source control. Therefore, the fallback-to-json logic should be used in this case as well.
E.g., with the following options:
opsshould look for that file first, and, if it does not exist, look forsecrets/$environment.json.