-
Notifications
You must be signed in to change notification settings - Fork 65
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support multiple backends for SOPS #575
Comments
An alternative is that we use the |
That's definitely a solution! Still concerned we're getting more and more embedded into not-scalable practices though 😕 |
I've just added my Columbia UNI to the |
Similar in nature to #560 and #561 but involving sops
Summary
Related to needing to access resources stored in
two-eye-two-see
, but 2i2c.org account doesn't have access to the destination project (i.e. Pangeo/Columbia).After we decided to use a different terraform backend so the state can be stored in the same project as the infrastructure, I am running into a similar issue with sops. I created a new GCP KMS in the Pangeo/Columbia project to handle the encryption of the deployer key in #489 and updated the
.sops.yaml
file to use it. So far so good.https://github.com/2i2c-org/pilot-hubs/blob/94f4be1cf54f67c424440f2f74ba57d9eece14e1/.sops.yaml#L2-L3
The conflict arises from the auth0 key stored in
config/secrets.yaml
, for which the sops key is stored intwo-eye-two-see
and I am not logged into an account that can access that.gcp_kms
keys be adding to a single creation rule in.sops.yaml
? (I seriously doubt it.)I'm really not sure about how to go about tackling this one, tbh!
Additional context
I realised that the order of the creation rules in
.sops.yaml
matters. Such that, if a path matches more than onepath_regex
key, sops will only try to en/decrypt with the first match and not progress onto the second match if the first one fails.Therefore:
will always fail for the Pangeo project; and
will always fail for the
two-eye-two-see
project.The text was updated successfully, but these errors were encountered: