How to share sops-encrypted secrets between services without duplication, while maintaining least privilege? #647
I'm a bit confused about the sops implementation. I created an age key and gave it to the doco-cd container. Now, how would I use that so that I ideally only need to manage one sops file, but can share secrets selectively between services in a docker-compose.yaml? Example:
You can encrypt as many files as you want with your AGE secret key. Doco-cd checks all files in the cloned repository if they are encrypted via SOPS and decrypts them if necessary before starting the deployment. So for example with a global .env file and one for each service:

```
# .env
DB_PASSWORD=foo
```

```
# app.env
SOME_APP_SECRET=xyz
```

```
# db.env
DB_USER=postgres
```

Then encrypt the .env files and use them in your services.

```yaml
# docker-compose.yml
services:
  app:
    env_file:
      - .env
      - app.env
  db:
    env_file:
      - .env
      - db.env
```

You can also check out the example in my test repo: https://github.com/kimdre/doco-cd_tests/blob/main/docker-compose.yml
So you can either write your secrets in .env files for each service and encrypt the entire .env files or directly in the docker compose file and encrypt the specific lines (See SOPS docs on how to do that).
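A check that follows from the answer above, added here as an example and not doco-cd's or SOPS's own code: before pushing the repository, audit each .env file and confirm that SOPS actually encrypted every value, since doco-cd will happily load a plaintext .env too. It assumes the SOPS dotenv output format (values wrapped as `ENC[AES256_GCM,...]` plus `sops_*` metadata keys such as `sops_mac`); the two sample files are constructed, with placeholder ciphertext.

```python
"""Audit .env files for doco-cd: flag any value SOPS did not encrypt (added example)."""
import re

# Shape of an encrypted value in SOPS dotenv output (assumed format, not a SOPS API).
ENC_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^,]+,iv:[^,]+,tag:[^,]+,type:\w+\]$")


def parse_dotenv(text: str) -> dict:
    """Minimal KEY=VALUE parser: skips blank lines and '#' comments, splits at the first '='."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def audit_dotenv(text: str) -> dict:
    """Report encrypted vs. plaintext keys and whether the file carries SOPS metadata."""
    env = parse_dotenv(text)
    meta = {k for k in env if k.startswith("sops_")}
    has_meta = "sops_mac" in meta  # the MAC is always written by SOPS
    secrets = {k: v for k, v in env.items() if k not in meta}
    encrypted = sorted(k for k, v in secrets.items() if ENC_VALUE.match(v))
    plaintext = sorted(k for k in secrets if k not in encrypted)
    return {
        "has_sops_metadata": has_meta,
        "encrypted": encrypted,
        "plaintext": plaintext,
        # Safe to commit only if SOPS wrapped the file and no value is left in the clear.
        "safe_to_commit": has_meta and not plaintext,
    }


# Constructed samples: placeholder ciphertext and a file that was never encrypted.
ENCRYPTED_ENV = """\
DB_PASSWORD=ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]
sops_age__list_0__map_recipient=age1PLACEHOLDERRECIPIENT
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----PLACEHOLDER
sops_lastmodified=2024-01-01T00:00:00Z
sops_mac=ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
sops_version=3.8.1
"""
PLAINTEXT_ENV = "# db.env committed without running sops\nDB_USER=postgres\nDB_PASSWORD=foo\n"

if __name__ == "__main__":
    for name, text in (("db.env (encrypted)", ENCRYPTED_ENV), ("db.env (plaintext)", PLAINTEXT_ENV)):
        print(name, audit_dotenv(text))
```

Running it over every `*.env` in the repository from a pre-commit hook turns "did I remember to encrypt db.env?" into a failing check rather than a leaked credential.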