V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-24 20:40:00 +01:00
parent 559a5a3b88
commit 1453f64a72
7 changed files with 73 additions and 103 deletions
--- a/func/cdi_1250_yaml/1256_secret_parser.sh
+++ b/func/cdi_1250_yaml/1256_secret_parser.sh
@@ -123,7 +123,8 @@ readonly -f ciss_secret_varname_from_path
 #######################################
 yaml_secret() {
  ### Declare Arrays, HashMaps, and Variables.
-  declare     secrets_encrypted="" secrets_privkey="" secrets_yaml="${CISS_SECRETS_SOURCE}" \
+  declare -r  SOPS_AGE_KEY_FILE"/root/.config/sops/age/keys.txt"
+  declare     secrets_encrypted="" secrets_yaml="${CISS_SECRETS_SOURCE}" \
              __path="" __path_wo_prefix="" __pipe_fd="" __umask="" __value="" __varname="" __yq_expr=""

  secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_yaml}")" || secrets_encrypted="false"
@@ -133,15 +134,11 @@ yaml_secret() {
    if ! command -v sops >/dev/null 2>&1; then

      do_log "fatal" "file_only" "1260() SOPS not found but SECRETS.yaml appears to be SOPS-managed."
-      return "${ERR_MISSING_AGE_KEY}"
+      return "${ERR_MISSING_AGE_BIN}"

    fi

-    secrets_privkey="$(yq -r '.secrets.x_files_key // ""' -- "${secrets_yaml}")" || secrets_privkey=""
-
-    [[ -z "${secrets_privkey}" ]] && return "${ERR_MISSING_AGE_KEY}"
-
-    secrets_privkey="${DIR_CNF}/${secrets_privkey}"
+    [[ -r "${SOPS_AGE_KEY_FILE}" ]] && return "${ERR_MISSING_AGE_KEY}"

  fi

@@ -167,7 +164,7 @@ yaml_secret() {
    ### Decrypt once, stream into yq; avoid storing full doc in memory.
    # shellcheck disable=SC1083,SC2312
    exec {__pipe_fd} < <(
-      SOPS_AGE_KEY_FILE="${secrets_privkey}" sops -d --input-type=yaml --output-type=yaml -- "${secrets_yaml}" | yq -rj "${__yq_expr}" -
+      sops -d --input-type=yaml --output-type=yaml -- "${secrets_yaml}" | yq -rj "${__yq_expr}" -
    )

  else