
YAML starting three dashes not preserved during encryption

Open mloskot opened this issue 2 years ago • 4 comments

The https://yaml.org/spec/1.2.2/#22-structures says

YAML uses three dashes (“---”) to separate directives from document content. This also serves to signal the start of a document (...)

sops 3.7.2 (and possibly earlier versions too) does not preserve the --- present in a YAML file when running with the --in-place option.

For example, here is my test.yaml

---
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: test-secret
data:
  crt: MTIzNDU2Nzg5MA==

which I encrypt with

sops --encrypt --in-place --azure-kv $(az keyvault key show --name sops-key-aks --vault-name kv-aks-dev --query key.kid --output tsv) .\test.yaml

and here is the result:

>  head .\test.yaml
apiVersion: ENC[AES256_GCM,data:Ruc=,iv:mlHqE4A4ZSG9nOySG34gWAIN/GGqWmryS4F+/TV1VnE=,tag:HFp30nc6Eur03F7GPh/+ow==,type:str]
kind: ENC[AES256_GCM,data:xBQRIkJU,iv:EVzl7BT5nfVj7JD0eziDUQLwWwyXMyOQ6PJqntgE+O8=,tag:DnnBdBwmbOFRJdPFJy2EPw==,type:str]
type: ENC[AES256_GCM,data:LRD+jCyosIIwgFmtkgaAD2M=,iv:g35TjzFYJ4hxbW/nC2i8EbeASHkkQehd0UxXGlVkKBc=,tag:TjH30dUgCqqEOCkdR7Mnxw==,type:str]
metadata:
    name: ENC[AES256_GCM,data:fGAaeI+eKLgh4NY=,iv:RxRusjFjTnq+5Aqkoy5I3+0iqXuEeiArqGwB0gBJDqE=,tag:nF+ibSJvYYy6GJS4C59b1w==,type:str]
data:
    crt: ENC[AES256_GCM,data:P7WgLE0BIVZMBRYjsnIUZQ==,iv:TvdrJ9RLhG3UPZZlzMlOPeM6YsON+aOXfSCkmMKx1VQ=,tag:t9ovrrUsJQ+YYlHufIkkAQ==,type:str]
sops:
    kms: []

This is not a big deal, but it is an annoyance for those using CI/CD that lints their YAML files with https://yamllint.readthedocs.io/en/latest/rules.html#module-yamllint.rules.document_start

mloskot avatar Jan 05 '23 10:01 mloskot

Observing the same issue, but for us it's not just an annoyance, since the decrypted file is parsed by ytt, which requires "---" to be present to separate sets of instructions. The current workaround with sed after decryption doesn't look very neat.

MaximShepelev avatar Jun 30 '23 11:06 MaximShepelev

> Observing same issue, but for us it's not just annoyance since decrypted file is parsed by ytt which requires "---" to be present to separate set of instructions. Current workaround with sed after decryptions doesn't look very neat

Spot on. We have exactly the same thing, and I ended up using the same sed workaround. A little sad, but it works.

larssb avatar Nov 14 '24 20:11 larssb
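The "sed after decryption" workaround that MaximShepelev and larssb mention can be made idempotent and safe for scripts. The following is an added example, not code from the sops project or from anyone in this thread: a POSIX shell function that prepends the document-start marker only when it is missing, so it can run after every `sops --decrypt --in-place` (or before yamllint / ansible-lint) without ever doubling the marker. The sample file content in `demo` is constructed to mimic sops output with the marker dropped.

```shell
#!/bin/sh
# Added example (not part of sops): restore the YAML document-start marker
# that sops drops when rewriting a file with --in-place.
# Usage: ensure_document_start path/to/file.yaml

ensure_document_start() {
    file="$1"
    # Look only at the first line; an empty file yields an empty string and gets the marker.
    first_line=$(head -n 1 -- "$file" 2>/dev/null)
    case "$first_line" in
        ---|---\ *) return 0 ;;   # marker already present (bare, or followed by a comment/value)
    esac
    tmp=$(mktemp) || return 1
    # Write the marker, then the original content, then replace the file atomically.
    { printf -- '---\n'; cat -- "$file"; } > "$tmp" && mv -- "$tmp" "$file"
}

# Constructed demo: a two-line file that looks like sops output without '---'.
demo() {
    demo_file=$(mktemp) || return 1
    printf 'apiVersion: v1\nkind: Secret\n' > "$demo_file"
    ensure_document_start "$demo_file"
    ensure_document_start "$demo_file"   # second call must leave the file unchanged
    grep -c '^---$' -- "$demo_file"      # prints 1: exactly one marker
    rm -f -- "$demo_file"
}
```

Calling `demo` shows the function is idempotent, which is what makes it safe to wire into a CI step that runs on every decrypt. If a file legitimately starts with a `%YAML` directive, the marker would have to go after the directive line instead; sops-managed secrets in practice do not carry directives, so the simple first-line check above covers the case in this issue.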

There is no reason not to add it; it is the more correct format, and it is also what any YAML "magic number" check matches on.

There are more reasons to add the header than simply saying "it isn't required".

red-lichtie avatar Feb 15 '25 22:02 red-lichtie

Linters have a problem with YAML without ---, e.g.:

yaml[document-start]: Missing document start "---"
playbooks/inventory/host_vars/example.com.sops.yml:1

Please just keep it during encryption or add an option to manage it.

aiv avatar May 17 '25 11:05 aiv