
encrypted_regex for particular nodes in yaml?

Open craighurley opened this issue 1 year ago • 4 comments

Hello,

For the given yaml, how can I write an encrypted_regex to only match "Default" under "B"?

A:
  Type: string
  Default: string

B:
  Type: string
  Default: string

If I use encrypted_regex: "Default", it encrypts "Default" under both "A" and "B".

Version info

$ sops -v
sops 3.8.1 (latest)

Thank you.

craighurley avatar Dec 07 '23 06:12 craighurley

This isn't possible right now. What you can do is use comments to determine what to encrypt and what not. This feature has been merged in main, but isn't available in a release yet though.

felixfontein avatar Dec 07 '23 07:12 felixfontein

Hmm, I'm sorry, actually it hasn't been merged yet. It's in #974.

felixfontein avatar Dec 15 '23 20:12 felixfontein

#974 is about using a comment to pick what is encrypted, not the field name itself. Regex by the name itself seems to be already supported: https://github.com/getsops/sops#48encrypting-only-parts-of-a-file

I think what OP is asking for is that there might need to be another flag like encrypted_regex_path which would match against A.Default and B.Default so that one could pick exactly which field to encrypt based on its name. Currently it seems we match just the Default part.

Would changing existing encrypted_regex to match the whole path be too much of a breaking change?

mitar avatar Jan 04 '24 13:01 mitar

> Would changing existing encrypted_regex to match the whole path be too much of a breaking change?

IMO yes. I don't think this is something we will add anytime soon though, so using comments and #974 is the best way to achieve what OP wants.

felixfontein avatar Jan 05 '24 16:01 felixfontein
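
Added example, not part of the thread and not sops code: a small Python model of why a key-name regex cannot single out "Default" under "B", next to the full-path matching proposed above. It assumes sops selects a value when any key on its path matches encrypted_regex; `select_by_path` models the hypothetical encrypted_regex_path flag from the discussion, which does not exist in sops.

```python
import re

# Constructed sample: the YAML from the issue, written as a nested dict.
DOC = {
    "A": {"Type": "string", "Default": "string"},
    "B": {"Type": "string", "Default": "string"},
}


def leaves(node, path=()):
    """Yield (path, value) for every scalar leaf of nested dicts and lists."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from leaves(child, path + (str(key),))
    elif isinstance(node, list):
        for child in node:
            # List items have no key of their own; they inherit the parent path.
            yield from leaves(child, path)
    else:
        yield path, node


def select_by_key(doc, pattern):
    """Key-name matching (assumed model of encrypted_regex): a leaf is
    selected when ANY key on its path matches the unanchored regex."""
    rx = re.compile(pattern)
    return sorted(
        ".".join(p) for p, _ in leaves(doc) if any(rx.search(k) for k in p)
    )


def select_by_path(doc, pattern):
    """Hypothetical encrypted_regex_path: match the whole dotted path."""
    rx = re.compile(pattern)
    return sorted(".".join(p) for p, _ in leaves(doc) if rx.search(".".join(p)))


if __name__ == "__main__":
    # Key name alone cannot tell A.Default from B.Default.
    print(select_by_key(DOC, "Default"))
    # Matching the parent key selects the whole subtree, including B.Type.
    print(select_by_key(DOC, "^B$"))
    # Only a path-aware match isolates the single field the OP wants.
    print(select_by_path(DOC, r"^B\.Default$"))
```
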