Sops EDIT function DOESN'T take latest configuration, was always using original configuration #1788
Comments
|
That has been the behavior for many, many years. Editing does not automatically add or remove keys, unless you explicitly tell |
|
Thanks a lot for your reply. However I am not updating the keys, but to change from I tried with updateKeys function, it seems not work with this scenario. |
|
I don't think there's an update functionality for these kind of changes so far. CC @getsops/maintainers. (Related: #1610 (comment)) |
|
@felixfontein I played with a forked sops for a little bit to add a So maybe I should build a script myself to loop through all the encryption files, get them decrypt and encrypt again with new configurations. Or you think that can be something that Sops can support. |
Background
We are changing the sops configuration for all our env vars saved in a project, but we don't want to re-encrypt all the files and commit them massively at once. Instead, we would like to ONLY change the sops configuration and leave all files as this for later operation. What I meant by later operation is that whenever people
sops edita file, then after editing we expect the sops will re-encrypt the file by using the new configuration. This way while people changing each file, we can gradually migrate all the env vars files with new configuration, this could potentially avoid everything change at once risk.Issue
However current
editfunction doesn't take the configuration as a parameter, it will keep using the original config https://github.com/getsops/sops/blob/main/cmd/sops/main.go#L1305, a non-existing file will trigger the new config https://github.com/getsops/sops/blob/main/cmd/sops/main.go#L1328.Does this make sense to always use latest config while doing the editing? Or is there any context I don't understand?
The text was updated successfully, but these errors were encountered: