sops_decrypt(name, srcs, sops_yaml)
Decrypt secrets using sops
To load the rule use:
    load("//sops:defs.bzl", "sops_decrypt")
You can decrypt as many secrets as you want with the sops_decrypt rule. Use the srcs attribute to provide the encrypted secrets that you want to decrypt.
The rule also needs the sops config file (.sops.yaml) with the keyring id in order to decrypt files. You can provide it using the sops_yaml rule attribute.
If no sops_yaml config is provided, the rule will try to locate a .sops.yaml file by default in the same directory where the target is placed.
Example of use:
    # explicit .sops.yaml config
    load("//sops:defs.bzl", "sops_decrypt")

    sops_decrypt(
        name = "decrypt_secret_files",
        srcs = [":secrets.yaml"],
        sops_yaml = ":.sops.yaml",
    )

    # implicit .sops.yaml config
    load("//sops:defs.bzl", "sops_decrypt")

    sops_decrypt(
        name = "decrypt_secret_files",
        srcs = [":secrets.yaml"],
    )
The outputs of the rule are the decrypted secrets, which you can later provide to other rules, for example to helm_release:

    sops_decrypt(
        name = "decrypt_secret_files",
        srcs = [":secrets.yaml"],
    )

    helm_release(
        name = "chart_install",
        chart = ":chart",
        namespace = "myapp",
        release_name = "release-name",
        values = glob(["charts/myapp/values.yaml"]) + [":decrypt_secret_files"],
    )
ATTRIBUTES
Name | Description | Type | Mandatory | Default |
---|---|---|---|---|
name | A unique name for this target. | Name | required | |
srcs | - | List of labels | required | |
sops_yaml | - | Label | required | |