Operations

Scripts

Encrypt / Decrypt

Description

Wrappers around sops to encrypt/decrypt files. These scripts take only one parameter: the file to encrypt for ./scripts/encrypt.sh and the file to decrypt for ./scripts/decrypt.sh. The wrappers will create an encrypted/decrypted file named as the source file with .enc (or .dec) inserted between the filename and the extension. No assumptions are made about the input file name conventions.

Usage

To encrypt:

./scripts/encrypt.sh path/to/file.yaml

Will encrypt path/to/file.yaml to path/to/file.enc.yaml

To decrypt:

./scripts/decrypt.sh path/to/file.enc.conf

Will decrypt path/to/file.enc.conf to path/to/file.dec.conf

Update Secrets

Description

This helper command updates the secret files (all matching *.enc.*) to reflect changes in the list of recipients in a project's .sops.yaml file (i.e., the list of allowed public keys).

Usage

./scripts/update-secrets.sh

This will update all secret files in the clusters project.

WARNING

Do not use this command to update secrets after editing a secret file, as you will lose your modifications. Instead, use ./scripts/decrypt.sh to encrypt the updated decrypted file.

Adding a New Developer

To grant a new developer access, add their public key to the .sops.yaml file. This file lists path regexes indicating for each path the recipients (allowed developers) to use when encrypting a file located in the matching path.