Feature Request: Ability to use edit without the private key #231
Comments
+1 for the ability to edit and add new values without the private key. We edit hieradata on our workstations a lot, and the pubkey is in our repos to make this easier, but obviously the privkey is not.
Just talking this out to see how it would work. We'll imagine we have an existing hiera file with an encrypted value:
And the goal is to add the key

Current functionality, requires private and public key.
Proposed functionality, where no private key is available, suggests that an edit function will not decrypt the key and display 'as is'.
The significant difference is the state of the file after step 1, where the key is not decrypted, and after step 3, where a mix of encrypted and decrypted strings are present. On a subsequent edit, the file would look as it does after step 4, never replacing

I just want to make sure that I am accurately understanding the proposal before anyone works on implementing it.
I cannot speak for anyone else, but that workflow sounds correct to me.
I've submitted a pull request for a conservative version of this feature - default behavior remains the same, and I've added a flag to skip the decryption step. Let me know if I should make any changes to this, especially if it's more desirable to automatically fall back to this behavior if there is no private key.
It'd be nice to be able to use `eyaml edit` for adding new values to be encrypted (by adding new `DEC::..` items) to a file even when you don't have the private key and won't be able to see the decrypted values that already exist.

Alternatively, it'd be useful if there was a function that can be run against a file that will encrypt and replace any `DEC::` instances it finds in the file. (My thinking is to make this part of a pre-commit hook.)
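The pre-commit idea from the issue, reduced to its detection half, as an added example (not code from hiera-eyaml or from anyone in this thread): it reports `DEC::` markers left in a file without printing their values, so a commit containing plaintext can be refused. The `DEC::PKCS7[...]!` and `DEC(n)::PKCS7[...]!` marker syntax, the function names and the sample data are assumptions.

```python
import re
import sys

# Assumed marker syntax: DEC::PKCS7[value]! or DEC(2)::PKCS7[value]!; value may span lines.
DEC_BLOCK = re.compile(r"DEC(?:\(\d+\))?::(\w+)\[(.*?)\]!", re.DOTALL)
# A marker that is never closed is still plaintext, so openers are matched separately.
DEC_OPEN = re.compile(r"DEC(?:\(\d+\))?::\w*\[?")

# Constructed sample: one encrypted value, two plaintext blocks, one broken marker.
SAMPLE = (
    "db_user: app\n"
    "db_pass: ENC[PKCS7,CONSTRUCTED_CIPHERTEXT]\n"
    "api_key: DEC::PKCS7[constructed-secret]!\n"
    "tls_key: >\n"
    "  DEC(2)::PKCS7[line one\n"
    "  line two]!\n"
    "broken: DEC::PKCS7[never closed\n"
)

def find_plaintext(text):
    """Return (line, method, value_length) per DEC:: marker; never the value itself."""
    findings, pos = [], 0
    while True:
        opener = DEC_OPEN.search(text, pos)
        if opener is None:
            return findings
        line = text.count("\n", 0, opener.start()) + 1
        block = DEC_BLOCK.match(text, opener.start())
        if block:
            findings.append((line, block.group(1), len(block.group(2))))
            pos = block.end()
        else:  # unterminated marker: report it and keep scanning
            findings.append((line, "unterminated", None))
            pos = opener.end()

def check_files(paths):
    """Scan files and return the exit status a pre-commit hook should use."""
    status = 0
    for path in paths:
        with open(path, encoding="utf-8") as handle:
            for line, method, size in find_plaintext(handle.read()):
                print(f"{path}:{line}: unencrypted DEC:: block ({method}, {size} chars)")
                status = 1
    return status

if __name__ == "__main__":
    sys.exit(check_files(sys.argv[1:]))
```

Run from a pre-commit hook with the staged hieradata files as arguments; a non-zero exit blocks the commit.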