ADP-216: sops automation UAT

* clarifies README
* disables error when operating on unencrypted "dummy" secrets files (some workflows have strict requirement for a file named 'secrets.yaml' even if it's empty,unencrypted)
* avoids printing secrets by default after sops update, moves the "for verification" dump back into the verify script (it had wandered out of quarantine at some point)
* improves cross-platform operation (s/realpath/readlink), although not strictly necessary, it is the result of troubleshooting and not a bad idea to just keep the change.

README.md

@@ -81,23 +81,26 @@ The following commands explain how to update the `.sops.yaml` for a repository:
 
 ```shell
 # List available groups
-% ${PATH_TO_THIS_REPO}/bin/update_sops.sh --list_groups
+% ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh --list_groups
 # INFO: listing groups
 admin
 automation
 devnso-adp-argocd
 
 # For a given group, update sops config
-% ${PATH_TO_THIS_REPO}/bin/update_sops.sh -g devnso-adp-argocd
+% ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh -g devnso-adp-argocd
 # RUN: generate SOPS config
 # WARN: no secrets file passed in, make sure to call 'sops updatekeys' on secrets files
 
 # [OPTIONAL] For a given group, update sops config AND specified secrets file
-% ${PATH_TO_THIS_REPO}/bin/update_sops.sh -g devnso-adp-argocd -s ./adp-api-devs/adp-api-devs/secrets.yaml
+% ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh -g devnso-adp-argocd -s ./adp-api-devs/adp-api-devs/secrets.yaml
 
 # commit the changes to any .sops.yaml or secrets files, e.g. with 
 ## OPINIONATED GIT - use preferred method
 % git add -p
+# 1. review changes to the .sops.yaml
+# 2. press 'y' to accept the changes
+y
 % git commit -m "adds <firstname>.<lastname> to sops config"
 % git push
 ```
@@ -154,7 +157,7 @@ find groups/ -name ${keyname}
 # For each group, update sops config in that repo
 # Example:
 % cd devnso-adp-argocd
-% ${PATH_TO_THIS_REPO}/bin/update_sops.sh -g devnso-adp-argocd
+% ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh -g devnso-adp-argocd
 # now git commit, push, etc
 ```
 

bin/update_sops.sh

@@ -10,7 +10,7 @@ function fn_gpg_extract_fpr(){
   # uid ... <...@mehrwerk.net>
   # uid ... <...@netgo.de>
   # fancy gpg src: https://unix.stackexchange.com/a/731872
-  fpr="$(gpg --show-keys --list-options show-only-fpr-mbox "${gpgkeyfile}" | grep '@netgo.de' | awk "{print \$1}")"
+  fpr="$(gpg --show-keys --list-options show-only-fpr-mbox "$(readlink -f "${gpgkeyfile}")" | grep '@netgo.de' | awk "{print \$1}")"
   echo "${fpr}"
 }
 
@@ -22,7 +22,7 @@ function fn_gpg_extract_uid(){
   # uid ... <...@mehrwerk.net>
   # uid ... <...@netgo.de>
   # fancy gpg src: https://unix.stackexchange.com/a/731872
-  uid="$(gpg --show-keys --with-colons "${gpgkeyfile}" | awk -F':' '$1=="uid" {print $10}' | grep '@netgo.de')"
+  uid="$(gpg --show-keys --with-colons "$(readlink -f "${gpgkeyfile}")" | awk -F':' '$1=="uid" {print $10}' | grep '@netgo.de')"
   echo "${uid}"
 }
 
@@ -113,10 +113,8 @@ fn_sops_updatekeys_and_verify(){
 
   # "update the keys of SOPS files using the config file"
   >&2 echo "# RUN: sops updatekeys ${sops_enc_file}"
-  sops updatekeys "${sops_enc_file}"
-
-  # verify: dump secrets, GPG_TTY src: https://www.varokas.com/secrets-in-code-with-mozilla-sops/
-  GPG_TTY=$(tty) sops -d "${sops_enc_file}"
+  # HAAAACK: loop through all passed-in files, ignore any errors, always say "yes" -> rely on git diff to verify!
+  sops updatekeys -y "${sops_enc_file}" || echo "SKIPPING"
 }
 
 function main(){

verify/usr_confirm_keycfg.sh

@@ -14,6 +14,9 @@ set -x
 # within current dir: update .sops.yaml, update keys in encrypted file
 ../bin/update_sops.sh -c "${PWD}" "${secrets_file}"
 
+# verify: dump secrets, GPG_TTY src: https://www.varokas.com/secrets-in-code-with-mozilla-sops/
+GPG_TTY=$(tty) sops -d "${secrets_file}"
+
 # Special Case: Add caveat header
 cat <<EOM > .sops.yaml.tmp
 # PURPOSE: BLUEPRINT for .sops.yaml config