
sopstool's Introduction

sopstool


sopstool is a multi-file wrapper around sops. It uses the sops binary to encrypt and decrypt files, and piggybacks off the .sops.yaml configuration file.

sopstool provides functionality to manage multiple secret files at once, and it can even be used as an entrypoint that decrypts at startup, for container images. Much of this behavior is inspired by the great blackbox project.

1.0.0 Release and Breaking Changes

The 1.0.0 release of sopstool introduces M1 / darwin-arm64 support. We also want the build artifacts produced by GoReleaser to match what sops produces. Therefore, this version introduces a breaking change: we no longer produce artifacts like sopstool_linux.(deb|rpm|tar.gz) and sopstool_darwin.tar.gz. Instead, you'll see artifacts like sopstool_darwin_(arm64|amd64)_(deb|rpm|tar.gz) and sopstool_linux_(arm64|amd64)_(deb|rpm|tar.gz) in future releases.

Installation

Package Repositories

sopstool is available in the following repositories:

  • homebrew via the Ibotta/public tap: brew install Ibotta/public/sopstool
  • asdf (and rtx) via the sopstool plugin: asdf plugin add sopstool

Container Image

Images are tagged with the same version numbering as the releases, and latest always gets the latest release. Note that your image will need root CA certificates (typically installed with curl, or a ca-certificates package).

To use sopstool from the container (avoiding binary installs):

docker run --rm -v $(pwd):/work -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_REGION -e AWS_SECURITY_TOKEN -e AWS_SESSION_TOKEN ghcr.io/ibotta/sopstool:latest $COMMAND
  • sopstool is the entrypoint, so any sopstool subcommand can be run.
  • /work is the default WORKDIR; mount the directory that holds your .sops.yaml there.
  • the commands need access to your AWS credentials session to authenticate to KMS.

Or, use it as an install source in your Dockerfile. sops and sopstool are in /usr/local/bin/:

COPY --from=ghcr.io/ibotta/sopstool:latest usr/local/bin/sops usr/local/bin/sopstool /usr/local/bin/

Packages or binaries from Releases

Check the Releases page for the latest artifacts:

  • Binaries (compressed as .tar.gz or .zip) (note, you will need sops installed manually)
  • RPM, Debian and APK packages

All artifacts have their sha256 checksums recorded in sopstool_checksums.txt, and SPDX SBOM artifacts are available.

Shell installer

The most direct install uses a shell script hosted in this repository. This script will install the latest sops (if the command does not exist) and sopstool to ./bin by default.

curl https://raw.githubusercontent.com/Ibotta/sopstool/main/install.sh | bash
  • Override the sops version with the -s argument
  • Override the sopstool version with the -t argument
  • Override the binary install location with the -b argument
    • remember, you may need sudo or root access if you are installing to /usr/*

Example with overrides:

curl https://raw.githubusercontent.com/Ibotta/sopstool/main/install.sh | bash -s -- -b /usr/local/bin -s 3.0.0 -t 0.3.0

Installing sops manually

sopstool requires sops. You can use one of the following methods:

  • From one of the public repositories (it is available in most)
  • From the official releases

Installing the sops binary with our script installer

The install script above uses a separate script to download sops:

curl https://raw.githubusercontent.com/Ibotta/sopstool/main/sopsinstall.sh | bash
  • Override the tag with the first shell argument (defaults to latest)
  • Override the binary install location with the -b flag (defaults to ./bin)

Download sops from our https mirror

To avoid needing to find the 'latest' binary by hand or by script, use our https server to download the binary. The latest binary is uploaded automatically whenever sopstool is deployed. The file name follows the pattern sops_$OS_$ARCH, except for windows:

  • OS: linux, darwin
    • ARCH: amd64, arm64
    • filenames: sops_$OS_$ARCH.tar.gz
  • OS: windows
    • ARCH amd64 only
    • filename: sops_windows.zip
  • Versions
    • latest: https://oss-pkg.ibotta.com/sops/$filename
    • specific tags: https://oss-pkg.ibotta.com/sops/$TAG/$filename

Installing sopstool manually

Following the lead of sops, we only build 64-bit binaries.

Installing the sopstool binary using our script installer

The install script above uses a separate script to download sopstool:

curl https://raw.githubusercontent.com/Ibotta/sopstool/main/sopstoolinstall.sh | bash
  • Override the tag with the first shell argument (defaults to latest)
  • Override the binary install location with the -b flag (defaults to ./bin)

Download sopstool from our https mirror

To avoid needing to find the 'latest' binary by hand or by script, use our https server to download the binary. The latest binary is uploaded automatically whenever sopstool is deployed.

  • OS: linux, darwin
    • ARCH: amd64, arm64
    • filenames: sopstool_$OS_$ARCH.tar.gz
  • OS: windows
    • ARCH: amd64, arm64
    • filename: sopstool_windows_$ARCH.zip
  • Versions
    • latest: https://oss-pkg.ibotta.com/sopstool/$filename
    • specific tags: https://oss-pkg.ibotta.com/sopstool/$TAG/$filename

Additionally, all other release assets are within this folder. This includes the checksums, packages and SBOMs, as well as the installers:

  • https://oss-pkg.ibotta.com/sopstool/install.sh for the combined installer
  • https://oss-pkg.ibotta.com/sopstool/sopsinstall.sh for the sops installer
  • https://oss-pkg.ibotta.com/sopstool/sopstoolinstall.sh for the sopstool installer
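The README notes that every release artifact has its sha256 recorded in sopstool_checksums.txt and that the checksums file is mirrored alongside the binaries. The script below is an added example (not part of the sopstool project) of verifying a downloaded artifact against that file before unpacking it, which is the check a curl-to-bash installer skips. The mirror URLs in the usage comment follow the pattern given above; the exact artifact names, and the demo files it constructs at the end, are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: verify a release artifact against sopstool_checksums.txt.
# Not sopstool's own code; artifact names and demo data are constructed.

# Compute a sha256 hex digest portably (GNU coreutils or macOS/BSD shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_artifact CHECKSUMS_FILE ARTIFACT
# Looks up the artifact's basename in a "<hash>  <name>" checksums file
# (the GoReleaser format; a leading "*" binary marker is tolerated).
# Returns 0 on match, 1 on mismatch, 2 when the file has no entry at all.
verify_artifact() {
  local checksums="$1" artifact="$2" name expected actual
  name=$(basename "$artifact")
  expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) {print $1; exit}' "$checksums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name" >&2
    return 2
  fi
  actual=$(sha256_of "$artifact")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $name: expected $expected, got $actual" >&2
    return 1
  fi
  echo "checksum ok for $name"
  return 0
}

# Typical use against the mirror (needs network; not executed here):
#   base=https://oss-pkg.ibotta.com/sopstool
#   curl -fsSLO "$base/sopstool_checksums.txt"
#   curl -fsSLO "$base/sopstool_linux_amd64.tar.gz"
#   verify_artifact sopstool_checksums.txt sopstool_linux_amd64.tar.gz \
#     && tar -xzf sopstool_linux_amd64.tar.gz

# Offline demonstration with constructed files: one artifact whose digest is
# recorded correctly, and one whose recorded digest is deliberately wrong.
demo_dir=$(mktemp -d)
printf 'hello sopstool\n' > "$demo_dir/sopstool_linux_amd64.tar.gz"
printf 'tampered\n' > "$demo_dir/sopstool_darwin_arm64.tar.gz"
good=$(sha256_of "$demo_dir/sopstool_linux_amd64.tar.gz")
printf '%s  sopstool_linux_amd64.tar.gz\n%s  sopstool_darwin_arm64.tar.gz\n' \
  "$good" "$(sha256_of /dev/null)" > "$demo_dir/sopstool_checksums.txt"
```

The three return codes are distinct on purpose: a mismatch and a missing entry are different failures, and an installer should refuse to proceed on either rather than treating "no entry" as success.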

Usage

This is a package that builds a single binary (per architecture) for wrapping sops with multi-file capabilities.

For more details, use the built-in documentation on commands:

sopstool -h

To get the shell completion helpers (bash by default; pass --sh zsh for zsh):

#!/usr/bin/env bash
sopstool completion
#!/usr/bin/env zsh
sopstool completion --sh zsh

Configuration

  1. Use a .sops.yaml file

    • This file lives at the root of your project. It is used both to configure keys and to hold the list of managed files.

    • It needs to specify at least one KMS key accessible from your environment:

      creation_rules:
        - kms: arn:aws:kms:REGION:ACCOUNT:key/KEY_ID
    • It can also specify more complex cases of path patterns mapped to keys (see link)
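The configuration list mentions mapping patterns to keys but the link is not reproduced here, so the following is an added example of such a .sops.yaml (not the project's own file). It uses the sops creation_rules syntax with path_regex, and the encrypted_files list that sopstool maintains (visible in the issues further down this page). The key ARNs and file names are placeholders.

```yaml
# .sops.yaml (added example; ARNs and paths are placeholders)
creation_rules:
  # Files under prod/ are encrypted with the production key only.
  # Rules are evaluated in order; the first matching path_regex wins.
  - path_regex: ^prod/.*
    kms: arn:aws:kms:REGION:ACCOUNT:key/PROD_KEY_ID
  # Any file that matches no earlier rule falls through to the development key.
  - kms: arn:aws:kms:REGION:ACCOUNT:key/DEV_KEY_ID
# Managed-file list kept by `sopstool add` / `sopstool remove`; paths are relative
# to this file's directory.
encrypted_files:
  - prod/credentials.yaml
  - dev/credentials.yaml
```

Splitting keys by path keeps a developer's KMS permissions from covering production material, and the relative paths are why the absolute-path issue reported below breaks matching.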

How-To

  1. Create a KMS key.
  2. Follow the Configuration steps and place the .sops.yaml file in the root directory where your scripts will run.
    • All files added to sops are referenced relative to the .sops.yaml configuration file, in the same directory or in child directories.
  3. Create a file to encrypt (any extension other than .yaml if you wish to encrypt the ENTIRE file), or create a yaml file with key: value pairs (and make sure its extension is .yaml). sops will encrypt the values, but not the keys.
  4. At this point, sopstool is ready and you can run sopstool add filename. You'll notice it creates filename.sops.extension. This is your newly encrypted file.
    • Once your files are properly encrypted, you can run sopstool clean to remove the original plaintext secret files.
  5. Now you can interact via the command line in various ways:
    • Editing an encrypted file: sopstool edit filename.sops.extension. You can also use your original filename: sopstool edit filename.extension
    • Listing all encrypted files: sopstool list
    • Removing an encrypted file: sopstool remove filename.extension
    • Displaying the contents of an encrypted file: sopstool cat filename.extension

Walkthrough

In this walkthrough, we will go through the steps required to get a secure yaml configuration file running.

  1. Configure your .sops.yaml

    # .sops.yaml
    creation_rules:
      - kms: arn:aws:kms:REGION:ACCOUNT:key/KEY_ID
  2. Create a secrets yaml configuration file

    # credentials.yaml
    database.password: supersecretdb
    database.user: supersecretpassword
    redshift:
      user: my.user.name
      password: my.password
  3. Encrypt the newly created file

    sopstool add credentials.yaml
  4. Create a sample script

    # myscript.py
    import yaml

    # credentials.yaml is the plaintext that the sopstool entrypoint decrypts before running this script
    with open('credentials.yaml', 'r') as f:
        # safe_load builds only plain Python types; yaml.load without a Loader is unsafe and
        # no longer accepted by current PyYAML
        credentials = yaml.safe_load(f)

    print(credentials["database.user"])
    print(credentials["database.password"])
    print(credentials["redshift"]["user"])
    print(credentials["redshift"]["password"])
  5. Here is what your folder structure would look like at this point (after deleting the unencrypted credentials.yaml file):

    my-project/
    ├── .sops.yaml
    ├── credentials.sops.yaml
    └── myscript.py
    
  6. Accessing credentials

    The flow should be as follows: decrypt credentials -> run script -> destroy credentials. You can use the sopstool entrypoint to achieve this:

    sopstool entrypoint python myscript.py

Contributing

Bug reports and pull requests are welcome at https://github.com/Ibotta/sopstool

docs

Generate markdown docs for the commands via

sopstool docs

sopstool's People

Contributors

blimmer, dependabot[bot], elementalvoid, ibottamike, kcmerrill, onyxraven, physik932, randrusiak


sopstool's Issues

Remove installer scripts in favor of popular or upstream install methods

Current Behavior

Currently, we recommend installing sopstool via the install.sh script. This installs sops first before installing sopstool. I believe we should instead ask the user to install sops themselves. Other popular wrapper tools like terragrunt or saml2aws do this to simplify management of their tool. I propose we:

  1. Remove the install scripts (install.sh, sopsinstall.sh, sopstoolinstall.sh).
  2. Adjust Travis by downloading (via curl?) a copy of sops 3.7.2 or later directly from the release during the build process.
  3. Adjust the Dockerfile to do the same when we build the image.
  4. Ask the user to install sops as a dependency.

While the scripts themselves aren't a ton of maintenance, it'll just be less to maintain. I'm stuck between hard coding 3.7.2 into Travis or the Dockerfile, or just saying "install sops" and worrying about compatibility ourselves though.

Switch to GitHub Action instead of Travis

Current Behavior

We currently use Travis for our CI process. We'd like to move over to GitHub Actions. It'll also make our linting process with golangci-lint a little cleaner.

Expected Behavior

Moving away from Travis for cleaner setup with GitHub Actions.

Consider using go 1.10+

Current Behavior

Currently builds are executed with go 1.9

Expected Behavior

Test with 1.9 and 1.10 and above, and consider building with 1.10 or above

Alias `encrypt` to `add`

Current Behavior

sopstool encrypt secrets/foo.yaml

Error: unknown command "encrypt" for "sopstool"

Did you mean this?
	decrypt

Run 'sopstool --help' for usage.
unknown command "encrypt" for "sopstool"

Did you mean this?
	decrypt

Expected Behavior

It would be kind of nice if this did the same thing as add. It feels like a natural parallel to sopstool decrypt.

Steps to reproduce

linux, sopstool 0.1.0

`sopstool add` fails on files without extensions

Current Behavior

root@e7210cdad8a8:/src# sopstool add secrets/some_file_without_ext
added file to list: secrets/some_file_without_ext
Error: open .sopssecrets/some_file_without_ext: no such file or directory
Usage:
  sopstool add [files ...] [flags]

Aliases:
  add, a

Flags:
  -h, --help         help for add
  -n, --no-encrypt   Do not encrypt the file after adding

Global Flags:
      --configpath string   config file path (default ".")

open .sopssecrets/some_file_without_ext: no such file or directory

it also doesn't work with a . in the path:

root@e7210cdad8a8:/src# sopstool add ./secrets/some_file_without_ext
added file to list: ./secrets/some_file_without_ext
Error: open .sops./secrets/some_file_without_ext: no such file or directory
Usage:
  sopstool add [files ...] [flags]

Aliases:
  add, a

Flags:
  -h, --help         help for add
  -n, --no-encrypt   Do not encrypt the file after adding

Global Flags:
      --configpath string   config file path (default ".")

open .sops./secrets/some_file_without_ext: no such file or directory

Expected Behavior

I expected this to add the file to my .sops.yaml and encrypt the file.

Steps to reproduce

Try to sopstool add any file without an extension.

Clean up files during add/remove file

Current Behavior

  • Plaintext files are not removed when a file is added to the list
  • Files are not removed when a file is removed from the list

Expected Behavior

Add and remove should clean up the proper files. There should be a flag to skip this behavior

0 exit code returned when sopstools fails to decrypt

Current Behavior

root@eb5ff60030dd:/src# sopstool decrypt secrets/myfile.sops.yaml
[AWSKMS]	 WARN[0005] Decryption failed                             arn="arn:aws:kms:us-east-1:010101010101:key/my-key-hash"
Failed to get the data key required to decrypt the SOPS file.

Group 0: FAILED
  arn:aws:kms:us-east-1:010101010101:key/my-key-hash: FAILED
    - | Error decrypting key: NoCredentialProviders: no valid
      | providers in chain. Deprecated.
      | 	For verbose messaging see
      | aws.Config.CredentialsChainVerboseErrors

Recovery failed because no master key was able to decrypt the file. In
order for SOPS to recover the file, at least one key has to be successful,
but none were.
root@eb5ff60030dd:/src# echo $?
0

Expected Behavior

Since the command fails, I would expect sopstool to exit with a non-zero exit code.

Steps to reproduce

  1. Encrypt any file with sopstool
  2. Remove all AWS env configuration so that the KMS decrypt will fail
  3. Run sopstool decrypt
  4. Inspect the exit code - it will be 0

Possible error in How-To in README

On step 3 of the How-To it is mentioned that Sops will encrypt the keys of a .yaml file but not the values. I believe this was flipped as documentation states that only leaf values are encrypted.

Install script deletes other files in /tmp

Current Behavior

curl https://raw.githubusercontent.com/Ibotta/sopstool/master/install.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1947  100  1947    0     0    802      0  0:00:02  0:00:02 --:--:--   802
Ibotta/sopstool info checking GitHub for latest tag
Ibotta/sopstool info found version: 0.3.3 for v0.3.3/darwin/amd64
Ibotta/sopstool info installed ./bin/sopstool
rm: /var/folders/jy/3fbjh0t51q9chp0b4mxpc9ch0000gn/T//MSau_56536/Microsoft_AutoUpdate_4.5.18110402_Updater.pkg: Operation not permitted
rm: /var/folders/jy/3fbjh0t51q9chp0b4mxpc9ch0000gn/T//MSau_56536: Directory not empty
rm: /var/folders/jy/3fbjh0t51q9chp0b4mxpc9ch0000gn/T//MSau_68972/Microsoft_AutoUpdate_4.2.18081201_Updater.pkg: Operation not permitted
rm: /var/folders/jy/3fbjh0t51q9chp0b4mxpc9ch0000gn/T//MSau_68972: Directory not empty
rm: /var/folders/jy/3fbjh0t51q9chp0b4mxpc9ch0000gn/T//MSau_46114/Microsoft_AutoUpdate_4.10.19041401_Updater.pkg: Operation not permitted
rm: /var/folders/jy/3fbjh0t51q9chp0b4mxpc9ch0000gn/T//MSau_46114: Directory not empty
rm: /var/folders/jy/3fbjh0t51q9chp0b4mxpc9ch0000gn/T//MSau_93231/Microsoft_AutoUpdate_4.7.19011500_Updater.pkg: Operation not permitted
rm: /var/folders/jy/3fbjh0t51q9chp0b4mxpc9ch0000gn/T//MSau_93231: Directory not empty
rm: /var/folders/jy/3fbjh0t51q9chp0b4mxpc9ch0000gn/T//MSau_79259/Microsoft_AutoUpdate_4.12.19060901_Updater.pkg: Operation not permitted
rm: /var/folders/jy/3fbjh0t51q9chp0b4mxpc9ch0000gn/T//MSau_79259: Directory not empty
rm: /var/folders/jy/3fbjh0t51q9chp0b4mxpc9ch0000gn/T//MSau_71209/Microsoft_AutoUpdate_4.6.18120801_Updater.pkg: Operation not permitted
rm: /var/folders/jy/3fbjh0t51q9chp0b4mxpc9ch0000gn/T//MSau_71209: Directory not empty
rm: /var/folders/jy/3fbjh0t51q9chp0b4mxpc9ch0000gn/T//MSau_33437/Microsoft_AutoUpdate_4.3.18090901_Updater.pkg: Operation not permitted
rm: /var/folders/jy/3fbjh0t51q9chp0b4mxpc9ch0000gn/T//MSau_33437: Directory not empty
rm: /var/folders/jy/3fbjh0t51q9chp0b4mxpc9ch0000gn/T//MSau_615/Microsoft_AutoUpdate_4.4.18101400_Updater.pkg: Operation not permitted
rm: /var/folders/jy/3fbjh0t51q9chp0b4mxpc9ch0000gn/T//MSau_615: Directory not empty
rm: /var/folders/jy/3fbjh0t51q9chp0b4mxpc9ch0000gn/T//MSau_44823/Microsoft_AutoUpdate_4.8.19022003_Updater.pkg: Operation not permitted
rm: /var/folders/jy/3fbjh0t51q9chp0b4mxpc9ch0000gn/T//MSau_44823: Directory not empty
rm: /var/folders/jy/3fbjh0t51q9chp0b4mxpc9ch0000gn/T/: Operation not permitted

Expected Behavior

I expect to not get rm warning on a normal install.

sopstool installation failing, mozilla/sops crit unable to find

Current Behavior

When installing sopstool on a large number of worker nodes on a spark cluster, there are times when sopstool fails to install on some nodes, leading to issues for the entire cluster. mozilla/sops crit unable to find is seemingly a throttling issue.

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 1937 100 1937 0 0 23258 0 --:--:-- --:--:-- --:--:-- 23337
mozilla/sops info checking GitHub for latest tag
mozilla/sops crit unable to find '' - use 'latest' or see https://github.com/mozilla/sops/releases for details
mv: cannot stat ‘/tmp/bin/sopstool’: No such file or directory
mv: cannot stat ‘/tmp/bin/sops’: No such file or directory
Completed 1.5 KiB/3.9 KiB (26.6 KiB/s) with 3 file(s) remaining
download: .../.ds_util_config.sops.yml to .../.ds_util_config.sops.yml
Completed 1.5 KiB/3.9 KiB (26.6 KiB/s) with 2 file(s) remaining
Completed 2.7 KiB/3.9 KiB (44.0 KiB/s) with 2 file(s) remaining
download: .../pip.sops.conf to .../pip.sops.conf
Completed 2.7 KiB/3.9 KiB (44.0 KiB/s) with 1 file(s) remaining
Completed 3.9 KiB/3.9 KiB (42.0 KiB/s) with 1 file(s) remaining
download: .../.sops.pypirc to .../.sops.pypirc
Completed 183 Bytes/183 Bytes (449 Bytes/s) with 1 file(s) remaining
download: .../.sops.yaml to ./.sops.yaml
/usr/lib/hadoop/logs/ds_bootstraps/default_spark.sh: line 85: sopstool: command not found
Collecting ds_util
Could not find a version that satisfies the requirement ds_util (from versions: )
No matching distribution found for ds_util

Expected Behavior

Most of the nodes in the cluster spin up correctly:

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 1937 100 1937 0 0 22920 0 --:--:-- --:--:-- --:--:-- 23059
mozilla/sops info checking GitHub for latest tag
mozilla/sops info found version 3.0.5 for 3.0.5/linux/amd64
mozilla/sops info downloading from https://github.com/mozilla/sops/releases/download/3.0.5/sops-3.0.5.linux
mozilla/sops info installed ./bin/sops
Ibotta/sopstool info checking GitHub for latest tag
Ibotta/sopstool info found version: 0.3.0 for v0.3.0/linux/amd64
Ibotta/sopstool info installed ./bin/sopstool
Both sops and sopstool installed
Completed 1.5 KiB/3.9 KiB (17.3 KiB/s) with 3 file(s) remaining
download: .../.ds_util_config.sops.yml to .../.ds_util_config.sops.yml
Completed 1.5 KiB/3.9 KiB (17.3 KiB/s) with 2 file(s) remaining
Completed 2.7 KiB/3.9 KiB (16.5 KiB/s) with 2 file(s) remaining
download: .../.sops.pypirc to .../.sops.pypirc
Completed 2.7 KiB/3.9 KiB (16.5 KiB/s) with 1 file(s) remaining
Completed 3.9 KiB/3.9 KiB (2.9 KiB/s) with 1 file(s) remaining 
download: .../pip.sops.conf to .../pip.sops.conf
Completed 183 Bytes/183 Bytes (550 Bytes/s) with 1 file(s) remaining
download: .../ds_util/.sops.yaml to ./.sops.yaml
Collecting ds_util

Steps to reproduce

Spamming installation seems to reproduce the issue.

Publish deb, rpm and brew packages

Current Behavior

Only binary packages available

Expected Behavior

Publish more installable packages, especially ones that can include a dependency on sops automatically for easier user installs.

Environment entrypoint

Current Behavior

It would be nice to have a command that loads a (yml/json) file and turns its top-level key-values into environment variables in the called context

Expected Behavior

A command like sopstool entrypoint --env=myenv.yaml mycommand would import the values in myenv.yaml (after decrypting) into the shell environment when calling mycommand.

Enhancement Request: Bulk re-encryption command for edited secrets in sopstool

Current Behavior

When using sopstool to decrypt every secret in the folder defined in the .sops.yaml file via sopstool d, it allows for decryption and editing of the secrets. However, once the secrets are edited and we want to re-encrypt all of them, there is no direct command provided. Currently, the available command is sopstool add, but it throws an error when trying to re-encrypt a file that already exists in .sops.yaml. As a workaround, one has to manually delete the entry from .sops.yaml before being able to add and re-encrypt the secret again.

There is also the sopstool edit command which allows opening an encrypted file in an editor, and post-editing and saving, it re-encrypts the file. However, this method is not practical when editing multiple secrets as it requires the user to open each file individually.

Expected Behavior

Ideally, sopstool should provide a straightforward method to re-encrypt all the decrypted files without the need to manually edit the .sops.yaml file. It should either have a dedicated command for this purpose or the existing sopstool add should be able to handle the re-encryption without errors. For workflows involving the editing of multiple secrets, there should be an efficient method to decrypt, edit, and re-encrypt all files seamlessly.

Steps to reproduce

  1. Use sopstool to decrypt all secrets in the folder specified in .sops.yaml using the command sopstool d.
  2. Edit any of the decrypted files.
  3. Attempt to re-encrypt the edited files using sopstool add.
  4. Observe the error complaining about the existing entry in .sops.yaml.
  5. Manually delete the problematic entry from .sops.yaml.
  6. Try re-encrypting the file again using sopstool add.
  7. Additionally, try using sopstool edit for a single file and note that while it works for individual files, it's not practical for multiple files.

OS: Linux
sops version: 3.7.3
sopstool version: v1.2.1

Missing file errors are not clear

Current Behavior

The 'file missing' type errors are not obvious - is the file in question actually missing from disk, or is it missing from the config?

Expected Behavior

The error should say more about where the file was missing from

Steps to reproduce

New directory initializer

Current Behavior

Initializing a new directory is not very friendly. Create an init command to create the top level config.

Expected Behavior

Note this will take a little bit of refactoring. The current command structure loads the config early, and fails if it doesn't exist. This needs to be broken out and loaded later

sopstool add should add the file to SCM ignores

Current Behavior

sopstool add currently just tracks a file by adding it to the config. It doesn't mess with any other operations, like the .*ignore files for SCM.

Expected Behavior

Add the file to the repository .*ignore file. MVP: this should work on git, but should consider supporting other SCM providers.

shortcut to update the KMS keys and rotate all files

Current Behavior

When you run sopstool rotate it doesn't re-encrypt all the files against the new key.

Expected Behavior

I expected to be able to:

  • change the kms key in .sops.yaml
  • run sopstool rotate
  • all files re-encrypted against the new key

However, I needed to find/replace all occurrences of the kms key arn and then run sopstool rotate.

Steps to reproduce

See above. Linux, Sopstool v0.2.0

sopstool cannot decrypt with absolute path + configfile path option

I have a ruby project directory that looks like this:

my_gem
├── .sops.yaml
├── lib
│   └── my_gem.rb
└── secrets
    └── my_secrets.sops.yaml

From within the my_gem directory, I can decrypt using this command:

sopstool decrypt secrets/my_secrets.sops.yaml

However, I can't decrypt that same file when using an absolute path:

sopstool decrypt /src/my_gem/secrets/my_secrets.sops.yaml --configpath /src/my_gem

This seems to have something to do with the .sops.yaml configuration. This is the configuration where I was experiencing the problem:

creation_rules:
- kms: ...snip...
encrypted_files:
- secrets/deployment.yaml

If I change encrypted_files to the absolute path, it starts working:

encrypted_files:
- /src/my_gem/secrets/deployment.yaml

Clean should not display errors for already cleaned files

If you run sopstool clean twice in a row, it currently displays an error for every file in the list:

% sopstool clean
rm: example1.json: No such file or directory
rm: example2.yaml: No such file or directory

Instead it should check for existence first, then clean.

`sopstool entrypoint` fails to delete cleartext files on non-zero exit codes

Current Behavior

When using sopstool entrypoint, if the command returns a non-zero exit code the unencrypted file is left on disk.

Expected Behavior

When using sopstool entrypoint, if the command returns a non-zero exit code the unencrypted file should be removed and the command's exit code still returned.

Steps to reproduce

$ stat foo.sh
stat: cannot stat 'foo.sh': No such file or directory

$ sopstool entrypoint --files=foo.sh bash -- -c 'set -e; ./i-do-no-exist'
bash: ./i-do-no-exist: No such file or directory
Error: exit status 127
Usage:
  sopstool entrypoint [flags]

Aliases:
  entrypoint, e, enter

Flags:
      --allow-fail      Do not fail if not all files can be decrypted
  -e, --exec            Delegate to the command directly with exec(3), no cleanup
  -f, --files strings   files to decrypt (default all)
  -h, --help            help for entrypoint

Global Flags:
      --configpath string   config file path (default ".")

exit status 127

$ stat foo.sh
  File: foo.sh
  Size: 24075           Blocks: 48         IO Block: 4096   regular file

Versions

OS: macOS 10.14.2
Sopstools: 0.3.0
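The walkthrough's step 6 describes the decrypt -> run -> destroy flow that sopstool entrypoint implements, and the issue above reports the failure mode that matters for that flow: plaintext left behind when the wrapped command exits non-zero. The script below is an added example, not sopstool's code, of a minimal bash wrapper that gets both properties right: the plaintext is removed on every exit path (command failure, command not found, or a signal) and the wrapped command's exit status is preserved. The decrypt step is parameterised; `sops_decrypt` in the usage comment wraps the real `sops -d`, while the offline demo substitutes a plain copy (`fake_decrypt`), which is an assumption of this example. `entrypoint_probe` is a helper written for the checks and not part of the pattern itself.

```shell
#!/usr/bin/env bash
# Added example: an entrypoint-style wrapper that guarantees plaintext cleanup
# and preserves the wrapped command's exit status. Not sopstool's own code.

# run_with_secrets DECRYPT_CMD ENCRYPTED PLAINTEXT -- COMMAND [ARGS...]
# DECRYPT_CMD is a single command/function that takes the encrypted path and
# writes the plaintext to stdout (e.g. a wrapper around `sops -d FILE`).
# Returns COMMAND's exit status; PLAINTEXT is removed whatever happens.
run_with_secrets() {
  local decrypt_cmd="$1" encrypted="$2" plaintext="$3"
  shift 3
  if [ "$1" = "--" ]; then shift; fi
  # A subshell scopes the trap and the umask to this call. The EXIT trap runs
  # on normal completion, on `exit`, and after INT/TERM; since the trap body
  # does not call exit, the subshell's status stays that of the last command.
  (
    trap 'rm -f "$plaintext"' EXIT INT TERM
    umask 077   # plaintext is created owner-readable only
    "$decrypt_cmd" "$encrypted" > "$plaintext" \
      || { echo "decrypt failed for $encrypted" >&2; exit 1; }
    "$@"        # the wrapped command; its status becomes the subshell's status
  )
}

# Real use (needs sops and KMS access; not executed here):
#   sops_decrypt() { sops -d "$1"; }
#   run_with_secrets sops_decrypt credentials.sops.yaml credentials.yaml -- python myscript.py

# Offline demonstration with a constructed "encrypted" file and a stand-in
# decryptor that just copies it (assumption for the demo).
demo_dir=$(mktemp -d)
printf 'database:\n  user: demo\n' > "$demo_dir/credentials.sops.yaml"
fake_decrypt() { cat "$1"; }

# entrypoint_probe COMMAND [ARGS...]
# Runs COMMAND through the wrapper and prints "<exit-code> <plaintext-left>",
# so both properties can be checked after the call.
entrypoint_probe() {
  local rc=0 present
  run_with_secrets fake_decrypt "$demo_dir/credentials.sops.yaml" \
    "$demo_dir/credentials.yaml" -- "$@" || rc=$?
  if [ -e "$demo_dir/credentials.yaml" ]; then present=yes; else present=no; fi
  echo "$rc $present"
}
```

Running a missing program through the wrapper, as in the issue's reproduction, yields exit status 127 with no plaintext left behind; a command that reads the file while it exists returns 0 and the file is gone afterwards. The same trap-based structure is what a process supervisor or container entrypoint needs when it is the last thing standing between decrypted secrets and an image layer or a shared volume.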
