# SOPS Tasks (sops:)

Secrets management using SOPS (Secrets Operations).
## Overview

The `sops:` namespace provides tasks for managing encrypted secrets with SOPS. They cover the three steps of the secrets lifecycle for the current Windsor context: generating a secrets file template, encrypting it, and decrypting it again.
## Task Reference

| Task | Description |
|---|---|
| `generate-secrets-file` | Generate a new secrets file template for the current context |
| `encrypt-secrets-file` | Encrypt the secrets file using SOPS |
| `decrypt-secrets-file` | Decrypt the secrets file using SOPS |
## SOPS Operations

### generate-secrets-file

Generate a new secrets file template for the current context.

Usage:

```bash
task sops:generate-secrets-file
```

Environment variables:

- `WINDSOR_PROJECT_ROOT`: Windsor project root directory (auto-detected)
- `WINDSOR_CONTEXT`: current Windsor context (auto-detected)

What it does:

- Creates the directory `contexts/<context>/` if needed
- Generates `secrets.yaml` with a sample `TEST_ENV_VAR`

Example:

```bash
task sops:generate-secrets-file
```

Output: creates `contexts/<context>/secrets.yaml` with template content.

Note: edit this file to add your actual secrets before encrypting.
### encrypt-secrets-file

Encrypt the secrets file using SOPS.

Usage:

```bash
task sops:encrypt-secrets-file
```

Environment variables:

- `WINDSOR_PROJECT_ROOT`: Windsor project root directory (auto-detected)
- `WINDSOR_CONTEXT`: current Windsor context (auto-detected)

Prerequisites:

- `secrets.yaml` file exists in `contexts/<context>/`
- SOPS configured with appropriate encryption keys (e.g., AWS KMS)
- AWS credentials configured with access to the KMS key (when using KMS)

What it does:

- Reads `contexts/<context>/secrets.yaml`
- Encrypts it using SOPS
- Writes the encrypted content to `contexts/<context>/secrets.enc.yaml`

Example:

```bash
task sops:encrypt-secrets-file
```

Output: creates `contexts/<context>/secrets.enc.yaml` with encrypted content.

Note: the encrypted file can be safely committed to version control.
### decrypt-secrets-file

Decrypt the secrets file using SOPS.

Usage:

```bash
task sops:decrypt-secrets-file
```

Environment variables:

- `WINDSOR_PROJECT_ROOT`: Windsor project root directory (auto-detected)
- `WINDSOR_CONTEXT`: current Windsor context (auto-detected)

Prerequisites:

- `secrets.enc.yaml` file exists in `contexts/<context>/`
- SOPS configured with decryption keys
- AWS credentials configured with access to the KMS key (when using KMS)

What it does:

- Reads `contexts/<context>/secrets.enc.yaml`
- Decrypts it using SOPS
- Writes the decrypted content to `contexts/<context>/secrets.yaml`

Example:

```bash
task sops:decrypt-secrets-file
```

Warning: do not commit the decrypted `secrets.yaml` to version control.
## Environment Variables

The following environment variables are used by all tasks in this namespace:

- `WINDSOR_PROJECT_ROOT`: Windsor project root directory (auto-detected)
- `WINDSOR_CONTEXT`: current Windsor context (auto-detected via `windsor context get`)
## Workflow Example

Secrets management workflow:

```bash
# 1. Generate secrets file template
task sops:generate-secrets-file

# 2. Edit secrets.yaml with your actual secrets
vim contexts/<context>/secrets.yaml

# 3. Encrypt the secrets file
task sops:encrypt-secrets-file

# 4. Commit the encrypted file to version control
git add contexts/<context>/secrets.enc.yaml
git commit -m "Add encrypted secrets"

# 5. When you need to decrypt (e.g., for local use)
task sops:decrypt-secrets-file
```
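The workflow above relies on two properties that are easy to get wrong in practice: `secrets.enc.yaml` must really be SOPS output before it is committed, and the decrypted `secrets.yaml` must never reach version control. The following guard script, added here as an example and not part of the Windsor tasks or of SOPS itself, checks both for one context directory without needing any key material or network access. It follows the page's layout (`contexts/<context>/secrets.yaml` and `secrets.enc.yaml`); the accepted `.gitignore` patterns, the function names and the sample project it builds are assumptions, and the "encrypted" fixture only imitates the SOPS file layout with placeholder data.

```shell
#!/bin/sh
# Added example, not part of the Windsor tasks or of SOPS. A pre-commit style
# guard for one context directory. It fails when secrets.enc.yaml lacks SOPS
# metadata or carries an unencrypted value, when a value from the plaintext
# secrets.yaml survived verbatim in the encrypted file, or when the project's
# .gitignore does not exclude the plaintext file. Paths follow the page;
# the accepted .gitignore patterns are an assumption.

# looks_sops_encrypted FILE
# 0 when FILE has a top-level "sops:" block with a "mac:" entry (what SOPS
# writes) and every top-level scalar is an ENC[...] envelope; 1 otherwise.
looks_sops_encrypted() {
  f="$1"
  [ -f "$f" ] || return 1
  grep -q '^sops:' "$f" || return 1
  grep -q '^[[:space:]]*mac:' "$f" || return 1
  # a "KEY: value" line outside the sops block that is not ENC[...] means a
  # value was added or edited by hand after encryption
  if grep -E '^[A-Za-z_][A-Za-z0-9_]*:[[:space:]]+' "$f" | grep -qv 'ENC\['; then
    return 1
  fi
  return 0
}

# no_plaintext_leak PLAIN ENC
# 0 when none of PLAIN's scalar values appear verbatim in ENC. Keys are
# expected to match (SOPS leaves keys readable); values must not. Very short
# values such as "true" can give false positives; refine for your data.
no_plaintext_leak() {
  plain="$1"; enc="$2"
  [ -f "$plain" ] || return 0   # nothing decrypted on disk, nothing to leak
  sed -n 's/^[A-Za-z_][A-Za-z0-9_]*:[[:space:]]*\(.*\)$/\1/p' "$plain" |
  while IFS= read -r value; do
    [ -n "$value" ] || continue
    if grep -qF -- "$value" "$enc"; then
      echo "guard: plaintext value from $plain found in $enc" >&2
      exit 1   # leaves only the pipeline subshell; becomes the function status
    fi
  done
}

# plaintext_ignored PROJECT_ROOT
# 0 when PROJECT_ROOT/.gitignore has a pattern covering the plaintext
# secrets.yaml (the patterns accepted here are an assumption), 1 otherwise.
plaintext_ignored() {
  gi="$1/.gitignore"
  [ -f "$gi" ] || return 1
  grep -Eq '^(\*\*/|contexts/\*/|contexts/[^/]+/)?secrets\.yaml$' "$gi"
}

# check_context PROJECT_ROOT CONTEXT
# Runs all three checks for contexts/<context>/; 0 means safe to commit.
check_context() {
  root="$1"; ctx="$2"
  dir="$root/contexts/$ctx"
  enc="$dir/secrets.enc.yaml"
  plain="$dir/secrets.yaml"
  rc=0
  looks_sops_encrypted "$enc" || { echo "guard: $enc is not SOPS output" >&2; rc=1; }
  no_plaintext_leak "$plain" "$enc" || rc=1
  plaintext_ignored "$root" || { echo "guard: $plain is not gitignored" >&2; rc=1; }
  return "$rc"
}

# make_sample_project
# Builds a throwaway project tree with CONSTRUCTED files and prints its root.
# The "encrypted" file only imitates the SOPS layout; its data fields are
# base64 of the word "constructed", not real ciphertext.
make_sample_project() {
  root=$(mktemp -d)
  ctx_dir="$root/contexts/dev"
  mkdir -p "$ctx_dir"
  printf 'contexts/*/secrets.yaml\n' > "$root/.gitignore"
  # plaintext file as generate-secrets-file would leave it after editing
  printf 'TEST_ENV_VAR: s3cr3t-example\nDB_PASSWORD: hunter2-constructed\n' > "$ctx_dir/secrets.yaml"
  cat > "$ctx_dir/secrets.enc.yaml" <<'EOF'
TEST_ENV_VAR: ENC[AES256_GCM,data:Y29uc3RydWN0ZWQ=,iv:Y29uc3RydWN0ZWQ=,tag:Y29uc3RydWN0ZWQ=,type:str]
DB_PASSWORD: ENC[AES256_GCM,data:Y29uc3RydWN0ZWQ=,iv:Y29uc3RydWN0ZWQ=,tag:Y29uc3RydWN0ZWQ=,type:str]
sops:
    kms:
        - arn: arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER
    mac: ENC[AES256_GCM,data:Y29uc3RydWN0ZWQ=,iv:Y29uc3RydWN0ZWQ=,tag:Y29uc3RydWN0ZWQ=,type:str]
    version: placeholder
EOF
  echo "$root"
}

# Stand-alone demo on the constructed tree.
demo_root=$(make_sample_project)
if check_context "$demo_root" dev; then
  echo "contexts/dev: secrets.enc.yaml is safe to commit"
fi
rm -rf "$demo_root"
```

Wired into a pre-commit hook as `check_context "$WINDSOR_PROJECT_ROOT" "$WINDSOR_CONTEXT" || exit 1`, the guard turns the warning on this page into something the repository enforces: a `secrets.enc.yaml` that was edited by hand after encryption, or a plaintext `secrets.yaml` that nothing excludes, blocks the commit with a message naming the file.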
## Prerequisites

- SOPS installed
- Windsor CLI configured
- Encryption keys configured (e.g., AWS KMS, with AWS credentials when using KMS)

## Help

View all available SOPS tasks:

```bash
task sops:help
```

## Taskfile Location

Task definitions are located in `tasks/sops/Taskfile.yaml`.