New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Publishing improvements: directory walking; prevent Vault unneeded version increment #602
Conversation
in order to avoid version increment
Codecov Report
@@ Coverage Diff @@
## develop #602 +/- ##
===========================================
+ Coverage 37.11% 37.13% +0.02%
===========================================
Files 21 21
Lines 2891 2892 +1
===========================================
+ Hits 1073 1074 +1
Misses 1724 1724
Partials 94 94
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good overall, just a few comments
@@ -968,6 +968,7 @@ This command requires a ``.sops.yaml`` configuration file. Below is an example: | |||
vault_kv_mount_name: "secret/" # default | |||
vault_kv_version: 2 # default | |||
path_regex: vault/* | |||
omit_extensions: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Out of curiosity, what's your use case for this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this question!
The goal is to use Vault as secrets source for several applications in different environments. As soon as it is a team work, we want to view diffs and approve/reject changes just like code changes in any Git platform (github, bitbucket) we do.
Vault has no option to stage changes like this (the only option in Enterprise edition is to approve the fact of write access, without seeing what data will be modified) and no diffs between versions or something. So we decided to store some info in Git/Sops and publish it to Vault in a batch triggered by repository change, and then lock down Vault to read-only mode by policies.
So in Vault we have some secrets schema, extensions are not needed there.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for explaining, it's always good to see how people use sops :)
cmd/sops/main.go
Outdated
Usage: "Omit file extensions in destination path when publishing sops file to configured destinations", | ||
}, | ||
cli.BoolFlag{ | ||
Name: "recurse", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please change all mentions of this to recursive
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed in 3ab2d41
@@ -46,10 +49,27 @@ func Run(opts Opts) error { | |||
if err != nil { | |||
return err | |||
} | |||
if info.IsDir() { | |||
if info.IsDir() && !opts.Recurse { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd nest this,
if info.IsDir() {
if !opts.Recursive {
return fmt.Errorf("can't operate on a directory")
}
err = filepath.Walk(opts.InputPat...
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Made some rework in 3ab2d41. See below.
return fmt.Errorf("can't operate on a directory") | ||
} else if info.IsDir() && opts.Recurse { | ||
err = filepath.Walk(opts.InputPath, func(subPath string, info os.FileInfo, err error) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You should handle the error passed into the function
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed in 3ab2d41
} else if info.IsDir() && opts.Recurse { | ||
err = filepath.Walk(opts.InputPath, func(subPath string, info os.FileInfo, err error) error { | ||
subAbsPath, _ := filepath.Abs(subPath) | ||
if !info.IsDir() && subAbsPath != path { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could subAbsPath != path
ever be false? path
is the original input path, and by the mere fact that we got to this code path, we've already established it's a directory, so !info.,IsDir()
would be false anyway and it would short-circuit. Am I missing something?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this comment. I just found out I had abused filepath.Walk function by using additional recursion inside it. So i moved out Walk call, IsDir check and store type detection to main.go: https://github.com/mozilla/sops/blob/3ab2d41c2f596e1fe5fa59c72a559514bcc91080/cmd/sops/main.go#L253
fix filepath.Walk abuse; rename recursive flag; minor fixes
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, but I have one comment because this might break some people's use case.
publish/vault.go
Outdated
@@ -65,6 +66,17 @@ func (vaultd *VaultDestination) UploadUnencrypted(data map[string]interface{}, f | |||
} | |||
} | |||
|
|||
existingSecret, err := client.Logical().Read(vaultd.secretsPath(fileName)) | |||
if err != nil { | |||
return err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it might be good to keep going regardless (after printing a warning) if there's an error reading the secret. I'm imagining a situation where someone has given SOPS permission to only write to Vault.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good idea. Fixed this behavior in 01b5fb6: log warn when no read access, log info when data not changed
Dont fail Vault publish with write-only access; improve vault publish logging
Fix destination path on single file publish
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Just left one small grammar tweak comment.
Co-Authored-By: AJ Bahnken <1144310+ajvb@users.noreply.github.com>
Recursive publish - use relative paths
Added another one improvement in the last commit - make use of relative paths for recursive publish, so the destination path is: |
Hello.
This PR contains 3 changes in 3 corresponding commits: