feat: Add SOPS and age for secrets management#81
feat: Add SOPS and age for secrets management#81jflowers wants to merge 9 commits intocomplytime:mainfrom
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
There was a problem hiding this comment.
@jflowers Great guide for setting up age with sops. This is very helpful.
Signed-off-by: Hannah Braswell <hbraswel@redhat.com>
feat: adds hbraswel sops maintainer yas indeed let's give it a try
marcusburghardt
left a comment
marcusburghardt
left a comment
There was a problem hiding this comment.
@jflowers it is nice solution. Thanks. I have some comments about the implementation details.
|
|
||
| - name: Decrypt Secrets | ||
| run: | | ||
| sops -d secrets.enc.yaml > secrets.yaml |
There was a problem hiding this comment.
In the documentation introduced by this PR I understood this will be a "production" file, so this command would basically save the output in clear text. Although the runner have a short lifetime, I have concerns to with this command. Or we make it clear that is just a demo and the file must not be used with real data.
| brew install age sops | ||
|
|
||
| # For Fedora: | ||
| sudo dnf install age sops |
There was a problem hiding this comment.
Unfortunately sops is not available as a package for Fedora.
I could install with these commands:
curl -LO https://github.com/getsops/sops/releases/download/v3.11.0/sops-v3.11.0.linux.amd64
mv sops-v3.11.0.linux.amd64 ~/bin/sops
chmod +x ~/bin/sopsThere was a problem hiding this comment.
It is all fine with age.
There was a problem hiding this comment.
Is there a brew(LinuxBrew) formula?
There was a problem hiding this comment.
I am not aware of a brew package for Fedora now. It can be manually installed, similarly to the sops approach above. But then we would have another manual/ad-hoc installation process. It seems brew could be skipped in this case, at least for now.
Co-authored-by: Marcus Burghardt <2074099+marcusburghardt@users.noreply.github.com>
- Add top-level permissions: {} to demo_secrets.yml for Scorecard
- Upgrade SOPS from v3.9.4 to v3.11.0
- Replace sops -d with sops --extract to avoid writing clear text to disk
- Fix Fedora install instructions (sops not available via dnf)
Signed-off-by: Jay Flowers <jflowers@redhat.com>
* feat/secrets-management: fix: address review comments from marcusburghardt
There was a problem hiding this comment.
@jflowers I believe your user has to run the sops updatekeys secrets.enc.yaml to update the encrypted secrets.enc.yaml with my key added to the .sops.yaml. Then, I can test the decryption functionality.
marcusburghardt
left a comment
marcusburghardt
left a comment
There was a problem hiding this comment.
LGTM. Thanks @jflowers
| @@ -0,0 +1,28 @@ | |||
| name: Demo Secrets | |||
There was a problem hiding this comment.
Ah, I forgot another minor point. We have simple style guide for these files names.
I just noticed this case is not clearly covered there, but ideally this workflow should be prefixed by ci_ for organizational purposes. In any case, I would not block the PR because of this specially considering the number of workflows currently implemented. So, up to you to update or keep as it is. : )
|
Moving it to draft as agreed with @jflowers |
4 participants
Summary
This PR introduces SOPS and age for secrets management to improve security workflows. It also includes the necessary documentation updates.
Related Issues
No related issues.
Review Hints
This PR includes the following changes: