Remove aws_profile from encrypted file to be decrypted #226

Closed
wants to merge 3 commits into from

@rafaelcpalmeida rafaelcpalmeida commented May 19, 2022

What this PR does / why we need it:
This PR modifies SOPS to replace aws_profile: my_profile with a blank string.
When using AWS KMS with several profiles, SOPS will add the field aws_profile: my_profile to the encrypted file, which will cause ArgoCD to fail when using helm-secrets to decrypt said file.

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #

Special notes for your reviewer:

PR Readiness Checklist:

Complete these before marking the PR as ready to review:

  • the CHANGELOG.md release notes have been updated to reflect any significant (and particularly user-facing) changes introduced by this PR


codecov bot commented May 19, 2022

Codecov Report

Merging #226 (be9ae46) into main (f3ef290) will decrease coverage by 0.02%.
The diff coverage is 80.00%.

@@            Coverage Diff             @@
##             main     #226      +/-   ##
==========================================
- Coverage   84.08%   84.05%   -0.03%     
==========================================
  Files          26       26              
  Lines         735      740       +5     
==========================================
+ Hits          618      622       +4     
- Misses        117      118       +1     
Impacted Files Coverage Δ
scripts/drivers/sops.sh 78.04% <80.00%> (+0.27%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@jkroepke
Owner

If you are using

AWS_PROFILE=profile sops 

instead of

sops --aws-profile profile

sops should not save the aws profile into the yaml file.

@rafaelcpalmeida
Author

rafaelcpalmeida commented May 19, 2022

> If you are using
>
> AWS_PROFILE=profile sops
>
> instead of
>
> sops --aws-profile profile
>
> sops should not save the aws profile into the yaml file.

Actually I encrypt my secrets using helm secrets enc secret.yaml 🤔 Also, I define the profile I'm using through the .sops.yaml file.

@jkroepke
Owner

AWS_PROFILE=profile helm secrets enc secret.yaml

Should also work

getsops/sops#614 (comment)

@rafaelcpalmeida
Author

Using that approach encrypts my file and still adds the aws_profile field. However, it's now aws_profile: "" and that doesn't break ArgoCD 🎉

@jkroepke jkroepke closed this May 19, 2022
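
A pre-commit or CI check for the condition discussed in this thread, as an added example that is not part of the PR, helm-secrets or SOPS: it flags encrypted files whose sops metadata carries a non-empty aws_profile, so they are caught before a decrypting host without that profile (ArgoCD here) fails on them. The file layout (aws_profile inside the top-level sops: block), the function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not helm-secrets or SOPS code. Assumption: block-style YAML as
# SOPS writes it, with aws_profile inside the top-level "sops:" metadata block.

# Print each non-empty aws_profile value found in the sops metadata of file $1.
pinned_aws_profiles() {
    awk '
        /^sops:/   { in_sops = 1; next }   # metadata block starts
        /^[^ \t#]/ { in_sops = 0 }         # any other top-level key ends it
        in_sops && /^[ \t-]*aws_profile:/ {
            val = $0
            sub(/^[ \t-]*aws_profile:[ \t]*/, "", val)
            sub(/[ \t]+#.*$/, "", val)     # drop a trailing comment
            gsub(/["\r]/, "", val)         # drop double quotes and CR
            sub(/[ \t]+$/, "", val)
            if (val != "") print val
        }
    ' "$1"
}

# Return 1 and report on stderr when the file names a local AWS profile.
check_sops_file() {
    found=$(pinned_aws_profiles "$1" | sort -u | tr '\n' ' ')
    if [ -n "$found" ]; then
        echo "$1: sops metadata pins aws_profile: $found" >&2
        return 1
    fi
}

# Constructed sample; arn, enc and mac are placeholders, not real values.
write_sample() {   # $1 = path, $2 = aws_profile value as written in the file
    cat > "$1" <<EOF
password: ENC[AES256_GCM,data:PLACEHOLDER,type:str]
aws_profile: top-level-application-key
sops:
    kms:
        - arn: arn:aws:kms:us-east-1:000000000000:key/PLACEHOLDER
          created_at: "2022-05-19T00:00:00Z"
          enc: PLACEHOLDER
          aws_profile: $2
    mac: ENC[PLACEHOLDER]
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp/pinned.yaml" my_profile
write_sample "$tmp/blank.yaml" '""'
for f in "$tmp"/*.yaml; do check_sops_file "$f" && echo "$f: ok"; done
rm -rf "$tmp"
```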