Publishing improvements: directory walking; prevent Vault unneeded version increment

[mmorev]

Hello.
This PR contains 3 changes in 3 corresponding commits:

• implement -recurse cmd option for directory walking for publish command, so you can publish a bunch of files, preserving structure;
• implement -omit-extensions cmd option to omit file extension in destination secret path. Can be specified in .sops.yaml;
• implement pre-check for already existing Vault secret, to avoid version increment if data not changed.

[codecov-io]

Codecov Report

Merging #602 into develop will increase coverage by 0.02%.
The diff coverage is 100%.

@@             Coverage Diff             @@
##           develop     #602      +/-   ##
===========================================
+ Coverage    37.11%   37.13%   +0.02%     
===========================================
  Files           21       21              
  Lines         2891     2892       +1     
===========================================
+ Hits          1073     1074       +1     
  Misses        1724     1724              
  Partials        94       94

Impacted Files	Coverage Δ
config/config.go	71.64% <100%> (+0.21%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 53c6470...0c26330. Read the comment docs.

[autrilla]

Looks good overall, just a few comments

[autrilla]

Out of curiosity, what's your use case for this?

[mmorev]

Thanks for this question!
The goal is to use Vault as secrets source for several applications in different environments. As soon as it is a team work, we want to view diffs and approve/reject changes just like code changes in any Git platform (github, bitbucket) we do.
Vault has no option to stage changes like this (the only option in Enterprise edition is to approve the fact of write access, without seeing what data will be modified) and no diffs between versions or something. So we decided to store some info in Git/Sops and publish it to Vault in a batch triggered by repository change, and then lock down Vault to read-only mode by policies.
So in Vault we have some secrets schema, extensions are not needed there.

[autrilla]

Thanks for explaining, it's always good to see how people use sops :)

[autrilla]

Please change all mentions of this to recursive

[mmorev]

fixed in 3ab2d41

[autrilla]

I'd nest this,

if info.IsDir() {
  if !opts.Recursive {
    return fmt.Errorf("can't operate on a directory")
  } 
   err = filepath.Walk(opts.InputPat...
}

[mmorev]

Made some rework in 3ab2d41. See below.

[autrilla]

You should handle the error passed into the function

[mmorev]

fixed in 3ab2d41

[autrilla]

Could subAbsPath != path ever be false? path is the original input path, and by the mere fact that we got to this code path, we've already established it's a directory, so !info.,IsDir() would be false anyway and it would short-circuit. Am I missing something?

[mmorev]

Thanks for this comment. I just found out I had abused filepath.Walk function by using additional recursion inside it. So i moved out Walk call, IsDir check and store type detection to main.go: https://github.com/mozilla/sops/blob/3ab2d41c2f596e1fe5fa59c72a559514bcc91080/cmd/sops/main.go#L253

[autrilla]

LGTM, but I have one comment because this might break some people's use case.

[autrilla]

I think it might be good to keep going regardless (after printing a warning) if there's an error reading the secret. I'm imagining a situation where someone has given SOPS permission to only write to Vault.

[mmorev]

Good idea. Fixed this behavior in 01b5fb6: log warn when no read access, log info when data not changed

[ajvb]

LGTM! Just left one small grammar tweak comment.

[mmorev]

Added another one improvement in the last commit - make use of relative paths for recursive publish, so the destination path is: vault_kv_mount_name + vault_path + path under the directory passed to sops publish --recursive