Allow nested secrets in `secrets.json`
Prior to this change, if secrets.json had nested secrets (example) we would see this error:
```
sops-install-secrets: Manifest is not valid: secret jenkins-nix-ci/cachix-auth-token/description in /nix/store/wxm763za3rbrpiijfbgss9g5ll0sd29z-secrets.json is not valid: Key 'jenkins-nix-ci' does not refer to a dictionary
```
The reason happens to be that introspecting the map key to be interface fails, when it is in fact a string. This PR makes it so that we always expect the key to be a string (what else could it be?). It also improves the error message, by telling the user what the actual value type is.
Huh, this is causing the yaml processing to regress.
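To make the type issue from the PR description and the YAML regression concrete, here is an added example (not sops-nix code) of a path walker over a decoded secrets document. It assumes `encoding/json` decodes nested objects as `map[string]interface{}` and that the YAML decoder in use behaves like `gopkg.in/yaml.v2`, producing `map[interface{}]interface{}`; the `narrowLookup`, `lookup`, `sampleJSON` and `sampleYAMLShaped` names are mine.

```go
package main

import (
	"fmt"
	"strings"
)

// narrowLookup accepts only the yaml.v2 map shape, so a JSON-decoded document fails on its first key.
func narrowLookup(doc interface{}, path string) (interface{}, error) {
	cur := doc
	for _, key := range strings.Split(path, "/") {
		m, ok := cur.(map[interface{}]interface{}) // false for map[string]interface{}
		if !ok {
			return nil, fmt.Errorf("Key '%s' does not refer to a dictionary", key)
		}
		cur = m[key]
	}
	return cur, nil
}

// lookup accepts both map shapes and reports the actual type on a mismatch.
func lookup(doc interface{}, path string) (interface{}, error) {
	cur := doc
	for _, key := range strings.Split(path, "/") {
		next, ok := interface{}(nil), false
		switch m := cur.(type) {
		case map[string]interface{}: // what encoding/json produces
			next, ok = m[key]
		case map[interface{}]interface{}: // what gopkg.in/yaml.v2 produces; a string is a valid key
			next, ok = m[key]
		default:
			return nil, fmt.Errorf("Key '%s' does not refer to a dictionary (got %T)", key, cur)
		}
		if !ok {
			return nil, fmt.Errorf("Key '%s' not found", key)
		}
		cur = next
	}
	return cur, nil
}

// Constructed secrets.json with one nested secret (placeholder value, not a real token).
const sampleJSON = `{"jenkins-nix-ci":{"cachix-auth-token":{"description":"tok"}}}`

// Constructed stand-in for the same document as gopkg.in/yaml.v2 would decode it.
var sampleYAMLShaped = map[interface{}]interface{}{
	"jenkins-nix-ci": map[interface{}]interface{}{
		"cachix-auth-token": map[interface{}]interface{}{"description": "tok"},
	},
}
```

Decoding `sampleJSON` with `encoding/json` and running `narrowLookup` on it reproduces the quoted error at the first key, while `lookup` resolves the same path on both shapes.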
I am trying to write the test for this. Here's how the `nixos-test.nix` looks:
```nix
nested-json = makeTest {
  name = "sops-nested-json-secrets";
  nodes.server = {
    imports = [ ../../modules/sops ];
    sops = {
      age.keyFile = ./test-assets/age-keys.txt;
      defaultSopsFile = ./test-assets/secrets.json;
      secrets."nested/test/file" = { };
    };
  };
  testScript = ''
    start_all()
    server.succeed("cat /run/secrets/nested/test/file | grep -q 'another value'")
  '';
} {
  inherit pkgs;
  inherit (pkgs) system;
};
```
Expected: testScript should fail with `Key 'nested' does not refer to a dictionary`
Actual: Test passes
On the other hand, if I try to run `nix build .#nixosConfigurations.actual.config.system.build.toplevel` on @srid's nixos-config with `sops-nix.url` pointing to `github:Mic92/sops-nix`, I am able to reproduce the same error.
@Mic92 Is there something that's happening under-the-hood in nixos-test.nix that I might be missing?