Stretch - Provide a way to redact sensitive values that are not encrypted using SOPS

[dwinchell]

Success Criteria:

• Values stored in vault do not show up in the GitHub log output

Initial Tasks:

• Understand the current implementation - https://github.com/ploigos/ploigos-step-runner/blob/main/src/ploigos_step_runner/config/config_value_decryptor.py
• Decide on how to tell PSR or have it detect that something should be redacted (see below for some suggestions, also Aaron thought of telling it everything in a given file is secret)
• Make sure you can run the psr command iteratively for testing (i.e. no long dev cycle that uses a 10 min pipeline run. run it locally or something)
• Plan out how the code will change (classes/high level methods/etc.)
• Write some unit tests
• Actually write the code

[itewk]

@dwinchell the framework is there for this, you jsut need to add different types of decryptors. https://github.com/ploigos/ploigos-step-runner/blob/main/src/ploigos_step_runner/config/config_value_decryptor.py

So in theroy you could add a decryptor that looks for keys that have a specific name and treat them as something to decrypt. that will add them to the list of things to obfuscate even if the value doesn't actually ahve to be decrypted

[dwinchell]

@itewk Perfect. Thanks for pointing us in the right direction.

[itewk]

then for the new decypor i would have a default set of keys that are automatically treated as "secret" so like ".password." maybe something about ".private." or ssl or something but then have a config option to provide addtional other keys to treat as secret.

....resisting urge to go into programing mode.....