Skip to content
This repository has been archived by the owner on Nov 23, 2024. It is now read-only.

SOPS can't fine configuration file if it's not in the current working directory #121

Open
pvanderlinden opened this issue May 29, 2019 · 11 comments

Comments

@pvanderlinden
Copy link

If I put the .sops.yaml file in any other directory then the current working directory, like suggested in the README.md, sops won't pick it up. It will give the following error: config file not found and no keys provided through command line options. Are the docs incorrect, or am I missing something, e.g.:

$ find . -name '.sops.yaml'
./helm-values/.sops.yaml
$ helm secrets enc helm-values/secrets.yaml 
Encrypting helm-values/secrets.yaml
config file not found and no keys provided through command line options
Error: plugin "secrets" exited with error
@mhyllander
Copy link
Contributor

https://github.com/mozilla/sops/#29using-sopsyaml-conf-to-select-kmspgp-for-new-files

According to the documentation, sops will search recursively upwards in the directory hierarchy until it finds a .sops.yaml file. It could be that sops is searching upwards from the current working directory, and not upwards from the folder secrets.yaml is in. The documentation isn't clear on that point.

@pvanderlinden
Copy link
Author

I'm following the example directory tree from the readme in the plugin GitHub though. Where it looks like it would pick up the yaml file if it is in the same directory or in one upwards. So far it's only picking it up if it is the working directory. Your comment might explain that, but it means the readme in this plugin is not correct or missing information.

@mhyllander
Copy link
Contributor

mhyllander commented May 31, 2019

I tested the different scenarios. It looks like sops is searching upwards from the directory of the secrets file (as it should, anything else would have given unpredictable behavior).

.sop.yaml in parent directory (current working directory):

$ find . -name .sops.yaml
./.sops.yaml
$ cp platform/values.yaml platform/secrets.issue.yaml
$ helm secrets enc platform/secrets.issue.yaml
Encrypting platform/secrets.issue.yaml
Encrypted secrets.issue.yaml

.sops.yaml in secret file directory (./platform):

$ mv .sops.yaml platform/
$ find . -name .sops.yaml
./platform/.sops.yaml
$ cp platform/values.yaml platform/secrets.issue.yaml
$ helm secrets enc platform/secrets.issue.yaml
Encrypting platform/secrets.issue.yaml
Encrypted secrets.issue.yaml

.sops.yaml in other sibling directory (./yaml):

$ mv platform/.sops.yaml yaml/
$ find . -name .sops.yaml
./yaml/.sops.yaml
$ cp platform/values.yaml platform/secrets.issue.yaml
$ helm secrets enc platform/secrets.issue.yaml
Encrypting platform/secrets.issue.yaml
config file not found and no keys provided through command line options
Error: plugin "secrets" exited with error

So for me it works as expected. Could something else be causing the problem you're having?

@pvanderlinden
Copy link
Author

The first and third works like my install, the second doesn't. Maybe a different version of sops? I'm using 3.3.0

@pvanderlinden
Copy link
Author

Or a different version of helm:

Client: &version.Version{SemVer:"v2.14.0", GitCommit:"05811b84a3f93603dd6c2fcfe57944dfa7ab7fd0", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.14.0", GitCommit:"05811b84a3f93603dd6c2fcfe57944dfa7ab7fd0", GitTreeState:"clean"}

For the rest there isn't much special, it's a clean project I started the other day.

@jacobsvante
Copy link
Contributor

jacobsvante commented Jun 4, 2019

This is a regression that was introduced in helm-secrets 2.0 (nice improvements otherwise, @mhyllander!). The current readme shows examples of putting the sops config at helm_vars/.sops.yaml, but that no longer works in 2.0.

So if you have helm-secrets 2.0 or higher you can:

  1. Install helm-secrets 1.3.1 by running helm plugin remove secrets && helm plugin install --version=1.3.1 https://github.com/futuresimple/helm-secrets
  2. Keep 2.0 and move the SOPS config to the project directory mv helm_vars/.sops.yaml . I previously had creation_rules.path_regex: secrets.yaml$ set in the SOPS config but I had to change this value to secrets.yaml.dec$ for it to work.

@pvanderlinden
Copy link
Author

I changed my project structure a bit due some other issues with Helm, which solves this issue for me as a side effect. But the bug will probably affect others as well

@mhyllander
Copy link
Contributor

I believe this is a regression caused by #117. The original encrypt_helper would cd to the directory before running sops (https://github.com/futuresimple/helm-secrets/pull/117/files#diff-60baae393acfb88c61e9d2e0d7eea239L249), now it doesn't.

@mhyllander
Copy link
Contributor

mhyllander commented Jun 24, 2019

When I did my testing above I got a bit confused regarding the default sops behavior. Sops actually does search for the config file to use starting from the current working directory and upwards:

$ mv .sops.yaml platform/
$ cp platform/values.yaml platform/secrets.foo.yaml
$ sops -e -i platform/secrets.foo.yaml
config file not found and no keys provided through command line options
$ (cd platform; sops -e -i secrets.foo.yaml)

The original version 1.3.1 code did its own search for the sops config file, starting from the current working directory and downwards, until it found the one nearest the secrets file. Then it set the config file explicitly on the sops command line. (This approach assumes that the secrets file is in a subdir of the cwd, and also that the config file is not above the cwd.)

When I rewrote the function I simplified this by doing a "cd" to the secret file's directory and letting sops find the closest config file above. This seems like the correct thing to do, to me. For some reason this has been changed now by issue #92 and PR #117. I think the usage of path_regex in that issue may be incorrect, compared to the examples in the sops documentation: https://github.com/mozilla/sops/blob/master/README.rst#29using-sopsyaml-conf-to-select-kmspgp-for-new-files

Update: I think sops 3.3.1 has changed the path_regex behavior so that it fixes the problem in #92. If so #117 was not needed and should be reverted.

@jdamata
Copy link

jdamata commented Nov 24, 2019

I still have the issue above with these versions:

$ sops --version
sops 3.5.0 (latest)

$ helm version
version.BuildInfo{Version:"v3.0.0", GitCommit:"e29ce2a54e96cd02ccfce88bee4f58bb6e2a28b6", GitTreeState:"clean", GoVersion:"go1.13.4"}

$ helm plugin list
NAME VERSION DESCRIPTION
secrets 2.0.2 This plugin provides secrets values encryption for Helm charts secure storing

@dcasadevall
Copy link

dcasadevall commented Dec 11, 2019

I have published 2.0.1 on a forked version in my personal repo.
This version has been tested to not reproduce the issue.

You should be able to do:
helm plugin remove secrets && helm plugin install --version=2.0.1 https://github.com/dcasadevall/helm-secrets

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants