sops_decrypt

sops_decrypt(name, srcs, sops_yaml)

Decrypt secrets using sops

To load the rule use:

load("//sops:defs.bzl", "sops_decrypt")

You can decrypt as many secrets as you want using the sops_decrypt rule. Use the rule attribute srcs to provide the encrypted secrets that you want to decrypt. The rule also needs the sops config file (.sops.yaml) with the keyring id in order to decrypt files. You can provide it using the sops_yaml rule attribute. If no sops_yaml config is provided, the rule will try to locate a .sops.yaml file by default in the same directory where the target is placed.

Example of use:

# explicit .sops.yaml config
load("//sops:defs.bzl", "sops_decrypt")

sops_decrypt(
    name = "decrypt_secret_files",
    srcs = [":secrets.yaml"],
    sops_yaml = ":.sops.yaml",
)

# implicit .sops.yaml config
load("//sops:defs.bzl", "sops_decrypt")

sops_decrypt(
    name = "decrypt_secret_files",
    srcs = [":secrets.yaml"]
)
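
A pre-build check for the files passed to srcs, as an added example that is not part of the rule's own code: it flags scalars outside the sops metadata block that are not in the ENC[...] form sops writes. The function name, the line-based YAML heuristic and the sample file are assumptions made for illustration.

```python
import re

# Shape sops gives an encrypted scalar (the constructed sample below follows it).
ENC_RE = re.compile(r"^ENC\[AES256_GCM,data:.*,iv:.+,tag:.+,type:\w+\]$")
UNENCRYPTED_SUFFIX = "_unencrypted"  # sops default suffix for keys left in clear

# Constructed sample: a secrets.yaml where two values were never encrypted.
SAMPLE = """\
db:
    user: ENC[AES256_GCM,data:Zm9v,iv:AAAA,tag:BBBB,type:str]
    password: hunter2
    hosts:
        - ENC[AES256_GCM,data:YmFy,iv:CCCC,tag:DDDD,type:str]
        - db2.internal
region_unencrypted: eu-west-1
sops:
    lastmodified: "2024-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:bWFj,iv:EEEE,tag:FFFF,type:str]
"""

def check_sops_file(text):
    """Return problems found in a sops YAML file; an empty list means it looks encrypted.
    Line-based heuristic: assumes block-style YAML with one scalar per line."""
    problems, in_meta, has_mac = [], False, False
    for no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#") or stripped == "---":
            continue
        # A new top-level key decides whether we are inside the sops metadata block.
        if not raw[0].isspace() and not stripped.startswith("-"):
            in_meta = stripped.startswith("sops:")
        if in_meta:  # metadata block: only confirm the integrity MAC is present
            has_mac = has_mac or stripped.startswith("mac: ENC[")
            continue
        item = stripped[1:].strip() if stripped.startswith("-") else stripped
        key, sep, value = item.partition(": ")
        if not sep:
            if item.endswith(":"):  # key that opens a nested block, no scalar here
                continue
            key, value = "<list item>", item
        value = value.strip().strip("'\"")
        if key.endswith(UNENCRYPTED_SUFFIX) or value in ("", "{}", "[]"):
            continue  # deliberately clear key, or an empty value with no secret
        if not ENC_RE.match(value):
            problems.append(f"line {no}: plaintext value for {key}")
    if not has_mac:
        problems.append("no sops metadata block with a mac")
    return problems
```

Run it over each file listed in srcs before committing and fail the check when the returned list is not empty.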

The outputs of the rule are the decrypted secrets, which you can later provide to other rules, for example to helm_release:

sops_decrypt(
    name = "decrypt_secret_files",
    srcs = [":secrets.yaml"]
)

helm_release(
    name = "chart_install",
    chart = ":chart",
    namespace = "myapp",
    release_name = "release-name",
    values = glob(["charts/myapp/values.yaml"]) + [":decrypt_secret_files"],
)

ATTRIBUTES

| Name | Description | Type | Mandatory | Default |
| --- | --- | --- | --- | --- |
| name | A unique name for this target. | Name | required | |
| srcs | - | List of labels | required | |
| sops_yaml | - | Label | required | |