SOPS POC - Run before and after 'kustomize' commands... Secret files are named *.secret.*, files are renamed to *.encrypted.*
# Config file for Mozilla SOPS: https://github.com/mozilla/sops
#
# find files to decrypt with `find . -name '*.encrypted.*'`
# find files to encrypt with `find . -name '*.secret.*'`
#
# creation rules are evaluated sequentially, the first match wins
creation_rules:
# all files that match pattern *.secret.* or *.encrypted.*
- path_regex: \.(secret|encrypted)\.
pgp: '166586CD6F1A906D0786BE50C26EFAE7B312A5D8'
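#!/usr/bin/env bash
# Decrypt every SOPS-encrypted file below the current directory.
#
# Each file matching SHOULD_DECRYPT_FILEGLOB is decrypted with `sops -d` into a
# sibling named by SED_REPLACE_FILENAME, and the encrypted original is removed.
# Requires `.sops.yaml` in the current directory plus `sops` and `gpg` (or
# `gpg2` under Cygwin) on PATH. Diagnostics go to stderr; the first failing
# file stops the run with exit status 1.
set -u

# Files to decrypt
SHOULD_DECRYPT_FILEGLOB='*.encrypted.*'
# sed regex replace for decrypted filename
SED_REPLACE_FILENAME='s/\.encrypted\./\.secret\./'

#######################################
# Print each argument on its own line to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$@" >&2
  exit 1
}

#######################################
# Decrypt one file into its plaintext sibling.
# Globals:   SED_REPLACE_FILENAME (read)
# Arguments: $1 - path of the encrypted file
# Outputs:   "Error decrypting <path>" on stderr when something fails
# Returns:   0 on success, 1 on failure (the encrypted file is then kept)
#######################################
decrypt_one() {
  local src=$1 dst tmp
  dst=$(printf '%s\n' "$src" | sed -e "$SED_REPLACE_FILENAME")
  # A name the regex did not change would make the mv/rm below erase the input.
  if [[ -z "$dst" || "$dst" == "$src" ]]; then
    printf 'Error decrypting %s\n' "$src" >&2
    return 1
  fi
  # sops writes straight into a mktemp file (mode 0600, so the plaintext is not
  # readable by other users, and no NUL/trailing-newline mangling through a
  # command substitution); mv replaces $dst only once sops has succeeded, so a
  # failure leaves neither a partial plaintext nor a clobbered existing one.
  if tmp=$(mktemp "${dst}.XXXXXX") \
      && sops -d "$src" > "$tmp" \
      && mv -f -- "$tmp" "$dst"; then
    rm -f -- "$src"
    return 0
  fi
  [[ -n "${tmp:-}" ]] && rm -f -- "$tmp"
  printf 'Error decrypting %s\n' "$src" >&2
  return 1
}

# Preflight: the SOPS config and the tools it shells out to must be present.
[[ -f .sops.yaml ]] || die "Error finding '.sops.yaml'!"
command -v sops >/dev/null || die "Error finding 'sops' on PATH!"
if command -v cygpath >/dev/null; then
  # Under Cygwin, hand sops a Windows-style path to the gpg binary.
  if command -v gpg2 >/dev/null; then
    SOPS_GPG_EXEC=$(cygpath -w "$(command -v gpg2)")
  elif command -v gpg >/dev/null; then
    SOPS_GPG_EXEC=$(cygpath -w "$(command -v gpg)")
  else
    die "Error finding 'gpg2' or 'gpg' on PATH!" \
      "You may install it with 'apt-cyg install gnupg2'"
  fi
  export SOPS_GPG_EXEC
elif ! command -v gpg >/dev/null; then
  die "Error finding 'gpg' on PATH!"
fi

# The per-file work runs in a child bash started by find, so the function and
# the sed expression must be exported. The original one-liner chained
# `... && rm || echo && exit 1`, which ran `exit 1` even after a successful
# file; here the loop only aborts on a real failure, which makes find return
# non-zero and the trailing || turns that into exit 1.
export SED_REPLACE_FILENAME
export -f decrypt_one
find . -name "${SHOULD_DECRYPT_FILEGLOB}" -type f \
  -exec bash -c 'for f; do decrypt_one "$f" || exit 1; done' bash {} + \
  || exit 1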
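#!/usr/bin/env bash
# Encrypt every plaintext secret file below the current directory with SOPS.
#
# Each file matching SHOULD_ENCRYPT_FILEGLOB is encrypted with `sops -e` into a
# sibling named by SED_REPLACE_FILENAME, and the plaintext original is removed.
# Requires `.sops.yaml` in the current directory plus `sops` and `gpg` (or
# `gpg2` under Cygwin) on PATH. Diagnostics go to stderr; the first failing
# file stops the run with exit status 1.
set -u

# Files to encrypt
SHOULD_ENCRYPT_FILEGLOB='*.secret.*'
# sed regex replace for encrypted filename
SED_REPLACE_FILENAME='s/\.secret\./\.encrypted\./'

#######################################
# Print each argument on its own line to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$@" >&2
  exit 1
}

#######################################
# Encrypt one file into its ciphertext sibling.
# Globals:   SED_REPLACE_FILENAME (read)
# Arguments: $1 - path of the plaintext file
# Outputs:   "Error encrypting <path>" on stderr when something fails
# Returns:   0 on success, 1 on failure (the plaintext file is then kept)
#######################################
encrypt_one() {
  local src=$1 dst tmp
  dst=$(printf '%s\n' "$src" | sed -e "$SED_REPLACE_FILENAME")
  # A name the regex did not change would make the mv/rm below erase the input.
  if [[ -z "$dst" || "$dst" == "$src" ]]; then
    printf 'Error encrypting %s\n' "$src" >&2
    return 1
  fi
  # sops writes straight into a mktemp file (no NUL/trailing-newline mangling
  # through a command substitution); mv replaces $dst only once sops has
  # succeeded, so a failure leaves neither a partial file nor a clobbered
  # existing one. The result keeps mktemp's 0600 mode.
  if tmp=$(mktemp "${dst}.XXXXXX") \
      && sops -e "$src" > "$tmp" \
      && mv -f -- "$tmp" "$dst"; then
    rm -f -- "$src"
    return 0
  fi
  [[ -n "${tmp:-}" ]] && rm -f -- "$tmp"
  printf 'Error encrypting %s\n' "$src" >&2
  return 1
}

# Preflight: the SOPS config and the tools it shells out to must be present.
[[ -f .sops.yaml ]] || die "Error finding '.sops.yaml'!"
command -v sops >/dev/null || die "Error finding 'sops' on PATH!"
if command -v cygpath >/dev/null; then
  # Under Cygwin, hand sops a Windows-style path to the gpg binary.
  if command -v gpg2 >/dev/null; then
    SOPS_GPG_EXEC=$(cygpath -w "$(command -v gpg2)")
  elif command -v gpg >/dev/null; then
    SOPS_GPG_EXEC=$(cygpath -w "$(command -v gpg)")
  else
    die "Error finding 'gpg2' or 'gpg' on PATH!" \
      "You may install it with 'apt-cyg install gnupg2'"
  fi
  export SOPS_GPG_EXEC
elif ! command -v gpg >/dev/null; then
  die "Error finding 'gpg' on PATH!"
fi

# The per-file work runs in a child bash started by find, so the function and
# the sed expression must be exported. The original one-liner chained
# `... && rm || echo && exit 1`, which ran `exit 1` even after a successful
# file; here the loop only aborts on a real failure, which makes find return
# non-zero and the trailing || turns that into exit 1.
export SED_REPLACE_FILENAME
export -f encrypt_one
find . -name "${SHOULD_ENCRYPT_FILEGLOB}" -type f \
  -exec bash -c 'for f; do encrypt_one "$f" || exit 1; done' bash {} + \
  || exit 1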