
Conversation


@srid srid commented May 8, 2023

Prior to this change, if secrets.json had nested secrets (example) we would see this error:

sops-install-secrets: Manifest is not valid: secret jenkins-nix-ci/cachix-auth-token/description in /nix/store/wxm763za3rbrpiijfbgss9g5ll0sd29z-secrets.json is not valid: Key 'jenkins-nix-ci' does not refer to a dictionary

The reason happens to be that introspecting the map key to be interface fails, when it is in fact a string. This PR makes it so that we always expect the key to be a string (what else could it be?). It also improves the error message, by telling the user what the actual value type is.

Prior to this change, if secrets.json had nested secrets we would see
this error (example):

```
sops-install-secrets: Manifest is not valid: secret jenkins-nix-ci/cachix-auth-token/description in /nix/store/wxm763za3rbrpiijfbgss9g5ll0sd29z-secrets.json is not valid: Key 'jenkins-nix-ci' does not refer to a dictionary
```

The reason is that introspecting the map key to be `interface` fails,
when it is in fact a string.
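As an added, stand-alone illustration of the key-type problem the description above refers to (this is not code from sops-nix or from this PR): a Go walk over a decoded manifest that accepts both the string-keyed maps that encoding/json produces and the interface{}-keyed maps that older YAML decoders produce, and that names the actual Go type in its error instead of relying on a bare `key.(string)` assertion. The function names, the sample manifest and the secret paths are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// lookupSecretPath walks a decoded manifest along a "/"-separated secret path
// such as "nested/test/file". Each level must be a map; on a mismatch the
// error names the offending parent key and the Go type actually found.
func lookupSecretPath(data interface{}, secretPath string) (interface{}, error) {
	current := data
	parts := strings.Split(secretPath, "/")
	for i, part := range parts {
		parent := strings.Join(parts[:i], "/")
		if parent == "" {
			parent = "<root>"
		}
		next, found, err := childOf(current, part)
		if err != nil {
			return nil, fmt.Errorf("key %q is not valid: %w", parent, err)
		}
		if !found {
			return nil, fmt.Errorf("key %q not found under %q", part, parent)
		}
		current = next
	}
	return current, nil
}

// childOf returns the child named key of a decoded map. It handles the two
// shapes seen in practice: map[string]interface{} from encoding/json and
// map[interface{}]interface{} from YAML decoders (where a key may turn out to
// be an int or bool rather than a string). Anything else is reported with
// its concrete type so the manifest author can see what went wrong.
func childOf(node interface{}, key string) (interface{}, bool, error) {
	switch m := node.(type) {
	case map[string]interface{}:
		v, ok := m[key]
		return v, ok, nil
	case map[interface{}]interface{}:
		for k, v := range m {
			ks, isString := k.(string)
			if !isString {
				return nil, false, fmt.Errorf("map key %v has type %T, expected string", k, k)
			}
			if ks == key {
				return v, true, nil
			}
		}
		return nil, false, nil
	default:
		return nil, false, fmt.Errorf("value has type %T, expected a map", node)
	}
}

// decodeJSON decodes a manifest with encoding/json, which yields
// map[string]interface{} at every nesting level.
func decodeJSON(doc string) (interface{}, error) {
	var data interface{}
	if err := json.Unmarshal([]byte(doc), &data); err != nil {
		return nil, err
	}
	return data, nil
}

func main() {
	// Constructed sample manifest (not a real secrets file).
	jsonDoc := `{"nested":{"test":{"file":"another value"}},"flat":"leaf"}`
	data, err := decodeJSON(jsonDoc)
	if err != nil {
		panic(err)
	}
	for _, p := range []string{"nested/test/file", "flat/oops"} {
		v, err := lookupSecretPath(data, p)
		fmt.Printf("%s -> value=%v err=%v\n", p, v, err)
	}

	// Constructed to mimic what an interface{}-keyed YAML decoder produces,
	// including a non-string key that a blind key.(string) would choke on.
	yamlLike := map[interface{}]interface{}{
		"nested": map[interface{}]interface{}{"test": "from yaml"},
		42:       "numeric key",
	}
	v, err := lookupSecretPath(yamlLike, "nested/test")
	fmt.Printf("nested/test -> value=%v err=%v\n", v, err)
}
```

The walk reports the parent key that failed to be a dictionary, mirroring the shape of the error quoted in the description, but adds the concrete type so a manifest like `{"flat":"leaf"}` addressed as `flat/oops` is diagnosed as "value has type string" rather than leaving the user to guess.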
@srid changed the title to "Allow nested secrets in secrets.json" (May 8, 2023)

```go
currentData[key.(string)] = value
// The 'if' here is to deal with key type discrepancy between YAML and
// JSON. With YAML, it is 'interface {}'; with JSON, it is 'string'.
if format == Json {
```
Owner


Looks good. Can you also extend one of our tests to have a nested key?

Author


@Mic92 What's the best way to do that? I don't really understand the test infrastructure in this repo, especially what's going on with the Go tests. nixos-tests.nix seems more practical; but how do you edit secrets.json? Running `nix run . pkgs/sops-install-secrets/test-assets/secrets.json` throws:

```
fingerprint: 26F82B82FDFFA024E08B9C8B67936C83AAC837D4
mv: cannot stat '/root/.gnupg': Permission denied
```

@shivaraj-bh

I am trying to write the test for this. Here's how the nixos-test.nix looks:

```nix
  nested-json = makeTest {
    name = "sops-nested-json-secrets";
    nodes.server = {
      imports = [ ../../modules/sops ];
      sops = {
        age.keyFile = ./test-assets/age-keys.txt;
        defaultSopsFile = ./test-assets/secrets.json;
        secrets."nested/test/file" = { };
      };
    };

    testScript = ''
      start_all()
      server.succeed("cat /run/secrets/nested/test/file | grep -q 'another value'")
    '';
  } {
    inherit pkgs;
    inherit (pkgs) system;
  };
```

Expected: testScript should fail with `Key 'nested' does not refer to a dictionary`
Actual: Test passes

On the other hand, if I try to run `nix build .#nixosConfigurations.actual.config.system.build.toplevel` on @srid's nixos-config with `sops-nix.url` pointing to `github:Mic92/sops-nix`, I am able to reproduce the same error.
@Mic92 Is there something that's happening under the hood in nixos-test.nix that I might be missing?


OsiPog commented Aug 25, 2025

How is the state on this PR? I would like to use nested JSON for my secrets. Can I help out here?
