flowctl: don't require sops unless we actually need it

The `runtime::unseal` module was a little aggressive about checking to make sure `sops` and `jq` are both on the path. This would cause errors, even in cases where the connector configuration wasn't actually sops-enctypted. This moves those checks to be performed only after it's determined that the config needs to be decrypted.
estuary · Oct 30, 2023 · 3b1c0b1 · 3b1c0b1
1 parent 0e1db44
commit 3b1c0b1
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/crates/runtime/src/unseal/mod.rs b/crates/runtime/src/unseal/mod.rs
@@ -3,9 +3,6 @@ use zeroize::Zeroizing;
 
 /// Decrypt a `sops`-protected document using `sops` and application default credentials.
 pub async fn decrypt_sops(config: &models::RawValue) -> anyhow::Result<models::RawValue> {
-    let jq = locate_bin::locate("jq").context("failed to locate sops")?;
-    let sops = locate_bin::locate("sops").context("failed to locate sops")?;
-
     // Only objects can be `sops` documents.
     let dom = config.to_value();
     if !dom.is_object() {
@@ -31,6 +28,9 @@ pub async fn decrypt_sops(config: &models::RawValue) -> anyhow::Result<models::R
         return Ok(config.to_owned())
     };
 
+    let jq = locate_bin::locate("jq").context("failed to locate jq")?;
+    let sops = locate_bin::locate("sops").context("failed to locate sops")?;
+
     // Note that input_output() pre-allocates an output buffer as large as its input buffer,
     // and our decrypted result will never be larger than its input.
     let async_process::Output {