SOPS can't fine configuration file if it's not in the current working directory

[pvanderlinden]

If I put the .sops.yaml file in any other directory then the current working directory, like suggested in the README.md, sops won't pick it up. It will give the following error: config file not found and no keys provided through command line options. Are the docs incorrect, or am I missing something, e.g.:

$ find . -name '.sops.yaml'
./helm-values/.sops.yaml
$ helm secrets enc helm-values/secrets.yaml 
Encrypting helm-values/secrets.yaml
config file not found and no keys provided through command line options
Error: plugin "secrets" exited with error

[mhyllander]

https://github.com/mozilla/sops/#29using-sopsyaml-conf-to-select-kmspgp-for-new-files

According to the documentation, sops will search recursively upwards in the directory hierarchy until it finds a .sops.yaml file. It could be that sops is searching upwards from the current working directory, and not upwards from the folder secrets.yaml is in. The documentation isn't clear on that point.

[pvanderlinden]

I'm following the example directory tree from the readme in the plugin GitHub though. Where it looks like it would pick up the yaml file if it is in the same directory or in one upwards. So far it's only picking it up if it is the working directory. Your comment might explain that, but it means the readme in this plugin is not correct or missing information.

[mhyllander]

I tested the different scenarios. It looks like sops is searching upwards from the directory of the secrets file (as it should, anything else would have given unpredictable behavior).

.sop.yaml in parent directory (current working directory):

$ find . -name .sops.yaml
./.sops.yaml
$ cp platform/values.yaml platform/secrets.issue.yaml
$ helm secrets enc platform/secrets.issue.yaml
Encrypting platform/secrets.issue.yaml
Encrypted secrets.issue.yaml

.sops.yaml in secret file directory (./platform):

$ mv .sops.yaml platform/
$ find . -name .sops.yaml
./platform/.sops.yaml
$ cp platform/values.yaml platform/secrets.issue.yaml
$ helm secrets enc platform/secrets.issue.yaml
Encrypting platform/secrets.issue.yaml
Encrypted secrets.issue.yaml

.sops.yaml in other sibling directory (./yaml):

$ mv platform/.sops.yaml yaml/
$ find . -name .sops.yaml
./yaml/.sops.yaml
$ cp platform/values.yaml platform/secrets.issue.yaml
$ helm secrets enc platform/secrets.issue.yaml
Encrypting platform/secrets.issue.yaml
config file not found and no keys provided through command line options
Error: plugin "secrets" exited with error

So for me it works as expected. Could something else be causing the problem you're having?

[pvanderlinden]

The first and third works like my install, the second doesn't. Maybe a different version of sops? I'm using 3.3.0

[pvanderlinden]

Or a different version of helm:

Client: &version.Version{SemVer:"v2.14.0", GitCommit:"05811b84a3f93603dd6c2fcfe57944dfa7ab7fd0", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.14.0", GitCommit:"05811b84a3f93603dd6c2fcfe57944dfa7ab7fd0", GitTreeState:"clean"}

For the rest there isn't much special, it's a clean project I started the other day.

[jacobsvante]

This is a regression that was introduced in helm-secrets 2.0 (nice improvements otherwise, @mhyllander!). The current readme shows examples of putting the sops config at helm_vars/.sops.yaml, but that no longer works in 2.0.

So if you have helm-secrets 2.0 or higher you can:

1. Install helm-secrets 1.3.1 by running helm plugin remove secrets && helm plugin install --version=1.3.1 https://github.com/futuresimple/helm-secrets
2. Keep 2.0 and move the SOPS config to the project directory mv helm_vars/.sops.yaml . I previously had creation_rules.path_regex: secrets.yaml$ set in the SOPS config but I had to change this value to secrets.yaml.dec$ for it to work.

[pvanderlinden]

I changed my project structure a bit due some other issues with Helm, which solves this issue for me as a side effect. But the bug will probably affect others as well

[mhyllander]

I believe this is a regression caused by #117. The original encrypt_helper would cd to the directory before running sops (https://github.com/futuresimple/helm-secrets/pull/117/files#diff-60baae393acfb88c61e9d2e0d7eea239L249), now it doesn't.

[mhyllander]

When I did my testing above I got a bit confused regarding the default sops behavior. Sops actually does search for the config file to use starting from the current working directory and upwards:

$ mv .sops.yaml platform/
$ cp platform/values.yaml platform/secrets.foo.yaml
$ sops -e -i platform/secrets.foo.yaml
config file not found and no keys provided through command line options
$ (cd platform; sops -e -i secrets.foo.yaml)

The original version 1.3.1 code did its own search for the sops config file, starting from the current working directory and downwards, until it found the one nearest the secrets file. Then it set the config file explicitly on the sops command line. (This approach assumes that the secrets file is in a subdir of the cwd, and also that the config file is not above the cwd.)

When I rewrote the function I simplified this by doing a "cd" to the secret file's directory and letting sops find the closest config file above. This seems like the correct thing to do, to me. For some reason this has been changed now by issue #92 and PR #117. I think the usage of path_regex in that issue may be incorrect, compared to the examples in the sops documentation: https://github.com/mozilla/sops/blob/master/README.rst#29using-sopsyaml-conf-to-select-kmspgp-for-new-files

Update: I think sops 3.3.1 has changed the path_regex behavior so that it fixes the problem in #92. If so #117 was not needed and should be reverted.

[jdamata]

I still have the issue above with these versions:

$ sops --version
sops 3.5.0 (latest)

$ helm version
version.BuildInfo{Version:"v3.0.0", GitCommit:"e29ce2a54e96cd02ccfce88bee4f58bb6e2a28b6", GitTreeState:"clean", GoVersion:"go1.13.4"}

$ helm plugin list
NAME VERSION DESCRIPTION
secrets 2.0.2 This plugin provides secrets values encryption for Helm charts secure storing

[dcasadevall]

I have published 2.0.1 on a forked version in my personal repo.
This version has been tested to not reproduce the issue.

You should be able to do:
helm plugin remove secrets && helm plugin install --version=2.0.1 https://github.com/dcasadevall/helm-secrets