sops
Unable to pass --keyservice in .sops.conf or as an env variable (feature)
Small feature request. I am using helmfile for the deployment of our k8s infrastructure and wanted to use sops for encryption of secrets. I need to use the --keyservice but as I am calling sops inside a wrapper (helmfile) of a wrapper (helm secrets) I cannot pass this variable to sops in a clean way.
Could you provide an alternative way to provide this option to sops in the .sops.conf and/or in an ENV variable?
Why do you need to use --keyservice in this context? Is this running on a machine without access to your private key(s)?
I am using a yubikey for all the secrets but I am automating the deployment inside docker containers for any of my colleagues to be able to redeploy without having to install dependencies. In fact we had issues in the past with cross dependencies so we are trying the approach of using dockers for all deployment clients.
In this case, I can easily set the keyservice sops daemon on my working laptop, where my yubikey is plugged in, at unix:///tmp/sops.sock, so I just mount it in the same location when spawning the docker container which will deploy all the k8s infrastructure. Sops works great, but when using helm secrets I cannot pass the keyservice config variable to sops. And in fact I am using helmfile, which makes it even harder.
Either option, ENV variable or config file, will make it possible.
Ok, yeah that makes sense. Then yeah, I support this. In my opinion, I think an env var would be preferable.
Both options are good. In fact, sops supports passing --keyservice several times, so if passing in an ENV var, it will need to support a list of keyservices (with some kind of separator, maybe a ",").
Hi @ajvb, I was looking for a good first issue to start on, may I take this up?
@kaustav-mondal yep!
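The comma-separated list discussed in the thread can be approximated today with a shim placed ahead of the real binary, so that helm secrets and helmfile pick it up unchanged. This is an added example, not sops code: the variable name `SOPS_KEYSERVICE_LIST`, the `REAL_SOPS` path and both function names are assumptions, and it accepts only `unix://` and `tcp://` addresses so a stray value in the environment cannot smuggle extra arguments into the sops command line.

```shell
#!/bin/sh
# Added example. SOPS_KEYSERVICE_LIST is a hypothetical variable name, e.g.
#   SOPS_KEYSERVICE_LIST="unix:///tmp/sops.sock,tcp://127.0.0.1:5000"

# Print "--keyservice" and the address on separate lines for every entry
# of a comma-separated list. Returns 1 on an entry that is not unix:// or
# tcp://, or that contains whitespace.
keyservice_flags() {
    _list=$1
    _old_ifs=$IFS
    _rc=0
    set -f                      # no glob expansion while splitting
    IFS=,
    for _addr in $_list; do
        _addr=${_addr#"${_addr%%[! ]*}"}    # trim leading spaces
        _addr=${_addr%"${_addr##*[! ]}"}    # trim trailing spaces
        case $_addr in
            '') continue ;;                 # tolerate "a,,b"
            *[[:space:]]*) _rc=1; break ;;
            unix://*|tcp://*) printf '%s\n%s\n' --keyservice "$_addr" ;;
            *) _rc=1; break ;;
        esac
    done
    IFS=$_old_ifs
    set +f
    return $_rc
}

# Run the real sops with the generated flags placed before the caller's
# arguments. REAL_SOPS is an assumed location for the real binary.
sops_shim() {
    _flags=$(keyservice_flags "${SOPS_KEYSERVICE_LIST:-}") || {
        echo "sops shim: invalid entry in SOPS_KEYSERVICE_LIST" >&2
        return 64
    }
    set -f
    # Unquoted on purpose: entries were validated to contain no whitespace.
    set -- $_flags "$@"
    set +f
    "${REAL_SOPS:-/usr/local/bin/sops}" "$@"
}
```

To use it, save the file as an executable named `sops` earlier in `PATH` inside the deployment container and end it with `sops_shim "$@"`.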