sops_decrypt

sops_decrypt(name, srcs, age_keys_file, sops_yaml)

Decrypt secrets using sops

To load the rule use:

load("//sops:defs.bzl", "sops_decrypt")

You can decrypt as many secrets as you want with the sops_decrypt rule. Use the rule attribute srcs to provide the encrypted secrets that you want to decrypt. The rule also needs the sops config file (.sops.yaml) with the keyring id in order to decrypt files. You can provide it using the sops_yaml rule attribute. If no sops_yaml config is provided, the rule will try to locate a .sops.yaml file in the same directory where the target is placed.

Example of use:

# explicit .sops.yaml config
load("//sops:defs.bzl", "sops_decrypt")

sops_decrypt(
    name = "decrypt_secret_files",
    srcs = [":secrets.yaml"],
    sops_yaml = ":.sops.yaml",
)

# implicit .sops.yaml config
load("//sops:defs.bzl", "sops_decrypt")

sops_decrypt(
    name = "decrypt_secret_files",
    srcs = [":secrets.yaml"],
)

The outputs of the rule are the decrypted secrets, which you can later provide to other rules, for example to helm_release:

sops_decrypt(
    name = "decrypt_secret_files",
    srcs = [":secrets.yaml"]
)

helm_release(
    name = "chart_install",
    chart = ":chart",
    namespace = "myapp",
    release_name = "release-name",
    values = glob(["charts/myapp/values.yaml"]) + [":decrypt_secret_files"],
)

You can also use an age keys file to decrypt your secrets. To provide it, point the rule attribute age_keys_file at the age keys file used to encrypt your secrets.

sops_decrypt(
    name = "decrypt_secret_files",
    srcs = [":secrets.yaml"],
    age_keys_file = "sops/age_keys.txt"
)

helm_release(
    name = "chart_install",
    chart = ":chart",
    namespace = "myapp",
    release_name = "release-name",
    values = glob(["charts/myapp/values.yaml"]) + [":decrypt_secret_files"],
)

ATTRIBUTES

| Name | Description | Type | Mandatory | Default |
| --- | --- | --- | --- | --- |
| name | A unique name for this target. | Name | required | |
| srcs | List of encrypted files to be decrypted. | List of labels | required | |
| age_keys_file | Age file with age keys used to encrypt the secret. Check official docs about how to use age with sops. | Label | optional | None |
| sops_yaml | The .sops.yaml configuration file. If not provided, the macro will usually try to locate the configuration file in the same dir where the BUILD file is located. | Label | required | |
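
A pre-merge check for the files listed in srcs, as an added example that is not part of this project's own code: it flags any value in a sops YAML file that is not ENC[...] ciphertext, and any file with no sops metadata block, so a plaintext secret is caught before it is committed and handed to sops_decrypt. It assumes block-style YAML as sops writes it and whole-file encryption (no unencrypted_suffix or encrypted_regex); the function name and sample data are constructed for illustration.

```python
import re

# A value as sops writes it after encryption: ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]
ENC_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^\]]*\]$")

def audit_sops_yaml(text):
    """Return findings for one file; an empty list means every value is ciphertext."""
    findings, in_meta, has_meta = [], False, False
    for no, raw in enumerate(text.splitlines(), 1):
        body = raw.strip()
        if not body or body == "---" or body.startswith("#"):
            continue                              # blanks, document marker, comments
        if not raw[0].isspace():                  # column 0 starts a new top-level key
            in_meta = raw.startswith("sops:")
            has_meta = has_meta or in_meta
        if in_meta:
            continue                              # sops metadata (recipients, mac, ...)
        while body.startswith("- "):              # peel list markers
            body = body[2:].lstrip()
        if body.endswith(":"):                    # key that only opens a nested block
            continue
        _, sep, value = body.partition(": ")
        value = (value if sep else body).strip("'\"")
        if not ENC_VALUE.match(value):
            # Report the position only, so the secret never lands in CI logs.
            findings.append("line %d: plaintext value" % no)
    if not has_meta:
        findings.append("no top-level sops: metadata block")
    return findings

# Constructed samples; the base64 strings and the recipient are placeholders.
ENCRYPTED = """\
db:
    user: ENC[AES256_GCM,data:Y29uc3Q=,iv:aXYx,tag:dGFn,type:str]
    hosts:
        - ENC[AES256_GCM,data:aG9zdA==,iv:aXYy,tag:dGFn,type:str]
sops:
    age:
        - recipient: age1-constructed-placeholder
    mac: ENC[AES256_GCM,data:bWFj,iv:aXYz,tag:dGFn,type:str]
"""
LEAKY = ENCRYPTED.replace("user: ENC[AES256_GCM,data:Y29uc3Q=,iv:aXYx,tag:dGFn,type:str]",
                          "user: admin")

if __name__ == "__main__":
    for label, sample in (("encrypted", ENCRYPTED), ("leaky", LEAKY)):
        print(label, audit_sops_yaml(sample) or "ok")
```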