We assume you are already have authentication profile set-up, ~/.oci/config exists and DEFAULT profile will be used to access OCI KMS. For details follow official OCI documentation.
521
+
522
+
.. code:: sh
523
+
524
+
$ # CRYPTO_ENDPOINT is diffrenet for different types of KMS and Regions, correct endpoint can be found in OCI console
Copy file name to clipboardExpand all lines: cmd/sops/main.go
+77-14Lines changed: 77 additions & 14 deletions
@@ -38,6 +38,7 @@ import (
38
38
"github.com/getsops/sops/v3/keyservice"
39
39
"github.com/getsops/sops/v3/kms"
40
40
"github.com/getsops/sops/v3/logging"
41
+
"github.com/getsops/sops/v3/ocikms"
41
42
"github.com/getsops/sops/v3/pgp"
42
43
"github.com/getsops/sops/v3/stores/dotenv"
43
44
"github.com/getsops/sops/v3/stores/json"
@@ -86,14 +87,14 @@ func main() {
86
87
},
87
88
}
88
89
app.Name="sops"
89
-
app.Usage="sops - encrypted file editor with AWS KMS, GCP KMS, Azure Key Vault, age, and GPG support"
90
+
app.Usage="sops - encrypted file editor with AWS KMS, GCP KMS, Azure Key Vault, OCI KMS, age, and GPG support"
90
91
app.ArgsUsage="sops [options] file"
91
92
app.Version=version.Version
92
93
app.Authors= []cli.Author{
93
94
{Name: "CNCF Maintainers"},
94
95
}
95
96
app.UsageText=`sops is an editor of encrypted files that supports AWS KMS, GCP, AZKV,
96
-
PGP, and Age
97
+
OCI KMS, PGP, and Age
97
98
98
99
To encrypt or decrypt a document with AWS KMS, specify the KMS ARN
99
100
in the -k flag or in the SOPS_KMS_ARN environment variable.
@@ -131,12 +132,12 @@ func main() {
131
132
To use multiple KMS or PGP keys, separate them by commas. For example:
132
133
$ sops -p "10F2...0A, 85D...B3F21" file.yaml
133
134
134
-
The -p, -k, --gcp-kms, --hc-vault-transit, and --azure-kv flags are only
135
+
The -p, -k, --gcp-kms, --hc-vault-transit, --oci-kms, and --azure-kv flags are only
135
136
used to encrypt new documents. Editing or decrypting existing documents
136
137
can be done with "sops file" or "sops decrypt file" respectively. The KMS and
137
138
PGP keys listed in the encrypted documents are used then. To manage master
138
-
keys in existing documents, use the "add-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}"
139
-
and "rm-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" flags with --rotate
139
+
keys in existing documents, use the "add-{kms,pgp,gcp-kms,azure-kv,oci-kms,hc-vault-transit}"
140
+
and "rm-{kms,pgp,gcp-kms,azure-kv,oci-kms,hc-vault-transit}" flags with --rotate
140
141
or the updatekeys command.
141
142
142
143
To use a different GPG binary than the one in your PATH, set SOPS_GPG_EXEC.
@@ -534,6 +535,10 @@ func main() {
534
535
Name: "azure-kv",
535
536
Usage: "the Azure Key Vault key URL the new group should contain. Can be specified more than once",
536
537
},
538
+
cli.StringSliceFlag{
539
+
Name: "oci-kms",
540
+
Usage: "the OCI KMS URL the new group should contain. Can be specified more than once",
541
+
},
537
542
cli.StringSliceFlag{
538
543
Name: "hc-vault-transit",
539
544
Usage: "the full vault path to the key used to encrypt/decrypt. Make you choose and configure a key with encryption/decryption enabled (e.g. 'https://vault.example.org:8200/v1/transit/keys/dev'). Can be specified more than once",
@@ -561,6 +566,7 @@ func main() {
561
566
gcpKmses:=c.StringSlice("gcp-kms")
562
567
vaultURIs:=c.StringSlice("hc-vault-transit")
563
568
azkvs:=c.StringSlice("azure-kv")
569
+
ociKmses:=c.StringSlice("oci-kms")
564
570
ageRecipients:=c.StringSlice("age")
565
571
ifc.NArg() !=0 {
566
572
returncommon.NewExitError(fmt.Errorf("error: no positional arguments allowed"), codes.ErrorGeneric)
returncommon.NewExitError(fmt.Sprintf("Error: cannot add or remove keys on non-existent file %q, use the `edit` subcommand instead.", fileName), codes.CannotChangeKeysFromNonExistentFile)
1150
1176
}
1151
1177
}
@@ -1236,6 +1262,11 @@ func main() {
1236
1262
Usage: "comma separated list of Azure Key Vault URLs",
1237
1263
EnvVar: "SOPS_AZURE_KEYVAULT_URLS",
1238
1264
},
1265
+
cli.StringFlag{
1266
+
Name: "oci-kms",
1267
+
Usage: "comma separated list of OCI KMS URLs",
1268
+
EnvVar: "SOPS_OCI_KMS_URLS",
1269
+
},
1239
1270
cli.StringFlag{
1240
1271
Name: "hc-vault-transit",
1241
1272
Usage: "comma separated list of vault's key URI (e.g. 'https://vault.example.org:8200/v1/transit/keys/dev')",
@@ -1610,6 +1641,11 @@ func main() {
1610
1641
Usage: "comma separated list of Azure Key Vault URLs",
1611
1642
EnvVar: "SOPS_AZURE_KEYVAULT_URLS",
1612
1643
},
1644
+
cli.StringFlag{
1645
+
Name: "oci-kms",
1646
+
Usage: "comma separated list of OCI KMS resource OCIDs",
1647
+
EnvVar: "SOPS_OCI_KMS_URLS",
1648
+
},
1613
1649
cli.StringFlag{
1614
1650
Name: "hc-vault-transit",
1615
1651
Usage: "comma separated list of vault's key URI (e.g. 'https://vault.example.org:8200/v1/transit/keys/dev')",
@@ -1661,6 +1697,14 @@ func main() {
1661
1697
Name: "rm-azure-kv",
1662
1698
Usage: "remove the provided comma-separated list of Azure Key Vault key URLs from the list of master keys on the given file",
1663
1699
},
1700
+
cli.StringFlag{
1701
+
Name: "add-oci-kms",
1702
+
Usage: "add the provided comma-separated list of OCI KMS URL to the list of master keys on the given file",
1703
+
},
1704
+
cli.StringFlag{
1705
+
Name: "rm-oci-kms",
1706
+
Usage: "remove the provided comma-separated list of OCI KMS URL from the list of master keys on the given file",
1707
+
},
1664
1708
cli.StringFlag{
1665
1709
Name: "add-kms",
1666
1710
Usage: "add the provided comma-separated list of KMS ARNs to the list of master keys on the given file",
returncommon.NewExitError(fmt.Sprintf("Error: cannot add or remove keys on non-existent file %q, use `--kms` and `--pgp` instead.", fileName), codes.CannotChangeKeysFromNonExistentFile)
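Review bot: The two `oci-kms` flags added in the @@ -1236 and @@ -1610 hunks describe different identifier formats for the same `SOPS_OCI_KMS_URLS` environment variable — one reads `comma separated list of OCI KMS URLs`, the other `comma separated list of OCI KMS resource OCIDs` — so `--help` does not tell the user whether a URL or an OCID is expected, and a master-key identifier written in the wrong form ends up persisted in the file's sops metadata and is only discovered when decryption fails. Both usages should state the single format that the ocikms package actually parses (not visible in this diff); if that is a URL, `Usage: "comma separated list of OCI KMS URLs",` at @@ -1610 brings it in line with the env var name and the flag at @@ -1236. The `add-oci-kms` and `rm-oci-kms` usages in the @@ -1661 hunk likewise say `list of OCI KMS URL` where every sibling flag says `URLs`. The enclosing `main` function starts and ends outside all of the hunks shown here.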