Last active
April 16, 2023 03:39
-
-
Save schlomo/2e2fab3d45b1132ef4d051a0fc75a1ce to your computer and use it in GitHub Desktop.
Demo for simple adding & using of SOPS in Docker
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Written by Schlomo Schapiro, Licensed under CC0 | |
| for b in sops gpg mkdir rm chmod cat date ; do | |
| if ! type $b &>/dev/null ; then | |
| echo -e "\n******** REQUIRED BINARY $b IS MISSING! ********\n" | |
| exit 1 | |
| fi | |
| done | |
| MYSECRET="It works now $(date) !" | |
| cat <<EOF | |
| This demo will encrypt | |
| MYSECRET=$MYSECRET | |
| in a SOPS dotenv formatted file 'secrets.env' | |
| with the help of a temporary generated PGP key. It will | |
| then create a Docker image that includes the sops binary pulled from the | |
| official SOPS Docker image to demonstrate how to use SOPS in Docker | |
| in a convenient way. Look at this script ($0) for the details. | |
| Written by Schlomo Schapiro, Licensed under CC0 | |
| https://schlomo.schapiro.org | |
| EOF | |
| export GNUPGHOME="$(pwd)/gnupg" | |
| rm -Rf "$GNUPGHOME" | |
| mkdir -p "$GNUPGHOME" | |
| chmod 700 "$GNUPGHOME" | |
| echo "*** Generating a basic OpenPGP key" | |
| # from https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html#Unattended-GPG-key-generation | |
| gpg --quiet --batch --generate-key <( | |
| cat <<EOF | |
| %no-protection | |
| Key-Type: DSA | |
| Key-Length: 1024 | |
| Subkey-Type: ELG-E | |
| Subkey-Length: 1024 | |
| Name-Real: Joe Tester | |
| Name-Comment: without passphrase | |
| Name-Email: joe@foo.bar | |
| Expire-Date: 0 | |
| %commit | |
| EOF | |
| ) | |
| key_fp=$(gpg --list-secret-keys | sed -n -e '/^ /p') | |
| unset SOPS_PGP_FP # in case you have this set | |
| sops --encrypt --input-type dotenv --pgp $key_fp --output-type dotenv /dev/stdin >secrets.env <<<"MYSECRET=$MYSECRET" | |
| cat <<EOF | |
| Here is the encrypted secret in secrets.env: | |
| $(grep MYSECRET secrets.env) | |
| And here is the decrypted file: | |
| $(sops --decrypt secrets.env) | |
| EOF | |
| cat >"$GNUPGHOME"/run.sh <<'EOF' | |
| #!/bin/sh | |
| cat <<CAT | |
| Running in Docker | |
| You should see the same secret again: | |
| $MYSECRET | |
| CAT | |
| EOF | |
| chmod +x "$GNUPGHOME"/run.sh | |
| echo "*** Building Docker image" | |
| docker build -t sops-demo - <<EOF | |
| FROM alpine | |
| WORKDIR / | |
| COPY --from=mozilla/sops:alpine /usr/local/bin/sops /bin/sops | |
| RUN apk add --no-cache gnupg | |
| ENTRYPOINT ["/bin/sops", "--verbose", "exec-env", "secrets.env"] | |
| ENV GNUPGHOME=/gnupg | |
| CMD ["/gnupg/run.sh"] | |
| EOF | |
| echo "*** Running Docker image" | |
| docker run --rm -it -v "$(pwd)/secrets.env":/secrets.env -v "$GNUPGHOME:/gnupg" sops-demo |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment