gitea-admin
/
communication-keys
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

automates creation+verification of sops config

Browse Source
ADP-179_sops_manage_keys
LeeW 11 months ago
parent a63b96fe2e
commit 20c2a79808
2 changed files with 25 additions and 7 deletions
Show Stats Download Patch File Download Diff File

6
README.md
Unescape Escape View File

@ -22,10 +22,10 @@ GPG_TTY=$(tty) sops secrets.yaml
#!/usr/bin/env bash #!/usr/bin/env bash
set -ueo pipefail set -ueo pipefail
# demo: create a file with a mock secret, src: https://bash-org-archive.com/?244321 # demo: create a file with a mock secret, src: https://bash-org-archive.com/?244321
yq -n '.demo.credentials.secret = "hunter2"' > secret.yaml yq -n '.demo.credentials.secret = "hunter2"' > mock_secrets.yaml
# encrypt # encrypt
sops -e -i secret.yaml sops -e -i mock_secrets.yaml
# decript, print to console # decript, print to console
sops -d secret.yaml sops -d mock_secrets.yaml
``` ```

26
__update_sops.sh
Unescape Escape View File

@ -1,7 +1,6 @@
#/usr/bin/env bash #/usr/bin/env bash
# Purpose: manage .sops.yaml based on gpg keys in the same dir # Purpose: manage .sops.yaml based on gpg keys in the same dir _and_ verify correct configuration
set -euo pipefail set -euo pipefail
# sops.yaml doc: https://github.com/getsops/sops?tab=readme-ov-file#using-sops-yaml-conf-to-select-kms-pgp-and-age-for-new-files
sops_config=".sops.yaml" sops_config=".sops.yaml"
@ -26,7 +25,8 @@ function fn_extract_uid(){
} }
function fn_update_sops_config(){ function fn_update_sops_config(){
# CAVEAT: dirty hacks, just get it done. Not DRY at all. # sops.yaml doc: https://github.com/getsops/sops?tab=readme-ov-file#using-sops-yaml-conf-to-select-kms-pgp-and-age-for-new-files
# CAVEAT: dirty hacks, just get it done. Not DRY, very WET.
echo "# Fingerprint | User Type | User ID" echo "# Fingerprint | User Type | User ID"
for gpgkeyfile in *automation*gpg.pub; do for gpgkeyfile in *automation*gpg.pub; do
@ -57,4 +57,22 @@ EOM
done done
} }
(fn_update_sops_config) >> "${sops_config}" # UPDATE SOPS CONFIG
(fn_update_sops_config) > "${sops_config}"
# VERIFY
fn_verify_sops_config(){
sops_enc_file="${1}";shift;
# update keys in mock secret file
# prereq: create a file with a mock secret, src: https://bash-org-archive.com/?244321
test -e mock_secrets.yaml || (yq -n '.demo.credentials.secret = "hunter2"' > mock_secrets.yaml && sops -e -i mock_secrets.yaml )
# "update the keys of SOPS files using the config file"
sops updatekeys mock_secrets.yaml
# dump secrets, GPG_TTY src: https://www.varokas.com/secrets-in-code-with-mozilla-sops/
GPG_TTY=$(tty) sops -d mock_secrets.yaml
}
fn_verify_sops_config
echo "# SUCESS: all users with keys in this dir should have functional keys"

Write Preview
Loading…
Cancel
Save