This repository has been archived by the owner on Nov 1, 2022. It is now read-only.

Filter files before SOPS decryption #3248

Merged
merged 2 commits into from
Aug 17, 2020

@stefanprodan stefanprodan commented Aug 15, 2020

Changes:

  • Decrypt YAMLs with SOPS only if the file has a 'sops' field. This should speed up the apply time for large repositories.
  • Update SOPS package and binary to v3.6.0

@@ -207,7 +208,7 @@ func loadFile(path string, sopsEnabled bool) ([]byte, error) {
if err != nil {
return nil, err
}
if sopsEnabled {
if sopsEnabled && strings.Contains(string(bytes), "sops:") {
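
Review bot: The added condition `sopsEnabled && strings.Contains(string(bytes), "sops:")` is a heuristic, and nothing at this line says so. A short comment would help the next reader: a file without the `sops:` substring now skips the SOPS branch entirely, and a match anywhere in the file (not only a top-level key) takes it. Stating which of those two outcomes is the safe one would make the intent reviewable.
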
@squaremo squaremo Aug 17, 2020

bytes.Contains(bytes, []byte("sops:"))

@squaremo squaremo Aug 17, 2020

(you'll have to rename the variable of course)

@stefanprodan stefanprodan force-pushed the filter-sops branch 2 times, most recently from 436abc6 to a9cd969, August 17, 2020 11:52
@stefanprodan

/rebase

Decrypt YAMLs with SOPS only if the file has a 'sops' field, this should speed up the apply time for large repositories.

@squaremo squaremo left a comment

This might allow some false positives (e.g., keys ending in sops:), but that won't matter, since SOPS will figure that out.

@stefanprodan stefanprodan merged commit ba54af3 into master Aug 17, 2020
@stefanprodan stefanprodan deleted the filter-sops branch August 17, 2020 12:05
if err != nil {
return nil, err
}
if sopsEnabled {
return softDecrypt(bytes)
if sopsEnabled && bytes.Contains(fileBytes, []byte("sops:")) {
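
Review bot: On the added `bytes.Contains(fileBytes, []byte("sops:"))` line, the marker is matched as raw bytes, so a key written with quotes, `"sops":`, does not contain `sops:` and the file skips this branch even when `sopsEnabled` is true. If quoted or JSON-style content is meant to be supported, also match the quoted form, and add a test case for it alongside one for plain block-style YAML.
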
unlikely to be triggered IRL, but this disables sops for JSON-like content of yaml files
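
The pre-filter discussed in this thread, run over constructed inputs, as an added example that is not part of the pull request or the Flux code base. `hasTopLevelSopsKeyJSON` and `needsDecryption` are hypothetical helpers, and the sample documents are constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Constructed sample inputs (not taken from any real repository).
const (
	blockYAML     = "kind: Secret\ndata:\n  token: ENC[AES256_GCM,data:c2FtcGxl]\nsops:\n  version: 3.6.0\n"
	plainYAML     = "kind: ConfigMap\nmetadata:\n  name: app\n"
	falsePositive = "kind: ConfigMap\ndata:\n  devsops: platform-team\n"
	jsonStyle     = `{"kind":"Secret","data":{"token":"ENC[AES256_GCM,data:c2FtcGxl]"},"sops":{"version":"3.6.0"}}`
)

// hasSopsMarker is the substring pre-filter from the merged change.
func hasSopsMarker(fileBytes []byte) bool {
	return bytes.Contains(fileBytes, []byte("sops:"))
}

// hasTopLevelSopsKeyJSON (hypothetical helper) covers the quoted-key case:
// it reports whether the input is a single JSON object with a "sops" key.
func hasTopLevelSopsKeyJSON(fileBytes []byte) bool {
	var doc map[string]json.RawMessage
	if err := json.Unmarshal(fileBytes, &doc); err != nil {
		return false // not a JSON object, leave it to the substring check
	}
	_, ok := doc["sops"]
	return ok
}

// needsDecryption (hypothetical) errs toward decrypting: a false positive
// only costs a decryption attempt, a miss leaves ciphertext undecrypted.
func needsDecryption(fileBytes []byte) bool {
	return hasSopsMarker(fileBytes) || hasTopLevelSopsKeyJSON(fileBytes)
}

func main() {
	samples := []struct{ name, body string }{
		{"block YAML", blockYAML}, {"plain YAML", plainYAML},
		{"key ending in sops:", falsePositive}, {"JSON-style", jsonStyle},
	}
	for _, s := range samples {
		b := []byte(s.body)
		fmt.Printf("%-20s substring=%-5v combined=%v\n", s.name, hasSopsMarker(b), needsDecryption(b))
	}
}
```
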
