From 3361434024cffb140bc47b4e21f697186c751d78 Mon Sep 17 00:00:00 2001 From: David Solc Date: Tue, 3 Feb 2026 13:00:06 +0100 Subject: [PATCH] feat(sops): add SOPS plugin for age key provisioning Add shell plugin for SOPS (Secrets OPerationS) that provisions SOPS_AGE_KEY environment variable from 1Password vault items. Supports: - sops CLI for encrypt/decrypt operations - helm CLI with 'secrets' subcommand (helm-secrets plugin) Credential type: - secret_key: Age secret key (AGE-SECRET-KEY-...) --- plugins/sops/age_secret_key.go | 40 ++++++++++++++++++++++++++++ plugins/sops/age_secret_key_test.go | 41 +++++++++++++++++++++++++++++ plugins/sops/helm.go | 27 +++++++++++++++++++ plugins/sops/plugin.go | 23 ++++++++++++++++ plugins/sops/sops.go | 25 ++++++++++++++++++ 5 files changed, 156 insertions(+) create mode 100644 plugins/sops/age_secret_key.go create mode 100644 plugins/sops/age_secret_key_test.go create mode 100644 plugins/sops/helm.go create mode 100644 plugins/sops/plugin.go create mode 100644 plugins/sops/sops.go diff --git a/plugins/sops/age_secret_key.go b/plugins/sops/age_secret_key.go new file mode 100644 index 00000000..7c755561 --- /dev/null +++ b/plugins/sops/age_secret_key.go @@ -0,0 +1,40 @@ +package sops + +import ( + "github.com/1Password/shell-plugins/sdk" + "github.com/1Password/shell-plugins/sdk/importer" + "github.com/1Password/shell-plugins/sdk/provision" + "github.com/1Password/shell-plugins/sdk/schema" + "github.com/1Password/shell-plugins/sdk/schema/credname" + "github.com/1Password/shell-plugins/sdk/schema/fieldname" +) + +func AgeSecretKey() schema.CredentialType { + return schema.CredentialType{ + Name: credname.SecretKey, + DocsURL: sdk.URL("https://github.com/getsops/sops#encrypting-using-age"), + ManagementURL: nil, + Fields: []schema.CredentialField{ + { + Name: fieldname.PrivateKey, + MarkdownDescription: "Age secret key used by SOPS for encryption and decryption.", + Secret: true, + Composition: &schema.ValueComposition{ + Prefix: "AGE-SECRET-KEY-", + Charset: schema.Charset{ + Uppercase: true, + Digits: true, + }, + }, + }, + }, + DefaultProvisioner: provision.EnvVars(defaultEnvVarMapping), + Importer: importer.TryAll( + importer.TryEnvVarPair(defaultEnvVarMapping), + ), + } +} + +var defaultEnvVarMapping = map[string]sdk.FieldName{ + "SOPS_AGE_KEY": fieldname.PrivateKey, +} diff --git a/plugins/sops/age_secret_key_test.go b/plugins/sops/age_secret_key_test.go new file mode 100644 index 00000000..506aa53e --- /dev/null +++ b/plugins/sops/age_secret_key_test.go @@ -0,0 +1,41 @@ +package sops + +import ( + "testing" + + "github.com/1Password/shell-plugins/sdk" + "github.com/1Password/shell-plugins/sdk/plugintest" + "github.com/1Password/shell-plugins/sdk/schema/fieldname" +) + +func TestAgeSecretKeyImporter(t *testing.T) { + plugintest.TestImporter(t, AgeSecretKey().Importer, map[string]plugintest.ImportCase{ + "environment": { + Environment: map[string]string{ + "SOPS_AGE_KEY": "AGE-SECRET-KEY-1QFWENTHXAAPACFPMXHQCREP64GJE5YTHXLX0RPFSXRSPDJGCR0SSWYNX3D", + }, + ExpectedCandidates: []sdk.ImportCandidate{ + { + Fields: map[sdk.FieldName]string{ + fieldname.PrivateKey: "AGE-SECRET-KEY-1QFWENTHXAAPACFPMXHQCREP64GJE5YTHXLX0RPFSXRSPDJGCR0SSWYNX3D", + }, + }, + }, + }, + }) +} + +func TestAgeSecretKeyProvisioner(t *testing.T) { + plugintest.TestProvisioner(t, AgeSecretKey().DefaultProvisioner, map[string]plugintest.ProvisionCase{ + "default": { + ItemFields: map[sdk.FieldName]string{ + fieldname.PrivateKey: "AGE-SECRET-KEY-1QFWENTHXAAPACFPMXHQCREP64GJE5YTHXLX0RPFSXRSPDJGCR0SSWYNX3D", + }, + ExpectedOutput: sdk.ProvisionOutput{ + Environment: map[string]string{ + "SOPS_AGE_KEY": "AGE-SECRET-KEY-1QFWENTHXAAPACFPMXHQCREP64GJE5YTHXLX0RPFSXRSPDJGCR0SSWYNX3D", + }, + }, + }, + }) +} diff --git a/plugins/sops/helm.go b/plugins/sops/helm.go new file mode 100644 index 00000000..d946cbc5 --- /dev/null +++ b/plugins/sops/helm.go @@ -0,0 +1,27 @@ +package sops + +import ( + "github.com/1Password/shell-plugins/sdk" + "github.com/1Password/shell-plugins/sdk/needsauth" + "github.com/1Password/shell-plugins/sdk/schema" + "github.com/1Password/shell-plugins/sdk/schema/credname" +) + +func HelmCLI() schema.Executable { + return schema.Executable{ + Name: "Helm with SOPS Secrets", + Runs: []string{"helm"}, + DocsURL: sdk.URL("https://github.com/jkroepke/helm-secrets"), + NeedsAuth: needsauth.IfAll( + needsauth.NotForHelpOrVersion(), + needsauth.NotWithoutArgs(), + // Only authenticate when using helm-secrets plugin + needsauth.ForCommand("secrets"), + ), + Uses: []schema.CredentialUsage{ + { + Name: credname.SecretKey, + }, + }, + } +} diff --git a/plugins/sops/plugin.go b/plugins/sops/plugin.go new file mode 100644 index 00000000..525b0373 --- /dev/null +++ b/plugins/sops/plugin.go @@ -0,0 +1,23 @@ +package sops + +import ( + "github.com/1Password/shell-plugins/sdk" + "github.com/1Password/shell-plugins/sdk/schema" +) + +func New() schema.Plugin { + return schema.Plugin{ + Name: "sops", + Platform: schema.PlatformInfo{ + Name: "SOPS", + Homepage: sdk.URL("https://github.com/getsops/sops"), + }, + Credentials: []schema.CredentialType{ + AgeSecretKey(), + }, + Executables: []schema.Executable{ + SOPSCLI(), + HelmCLI(), + }, + } +} diff --git a/plugins/sops/sops.go b/plugins/sops/sops.go new file mode 100644 index 00000000..0a59d5e4 --- /dev/null +++ b/plugins/sops/sops.go @@ -0,0 +1,25 @@ +package sops + +import ( + "github.com/1Password/shell-plugins/sdk" + "github.com/1Password/shell-plugins/sdk/needsauth" + "github.com/1Password/shell-plugins/sdk/schema" + "github.com/1Password/shell-plugins/sdk/schema/credname" +) + +func SOPSCLI() schema.Executable { + return schema.Executable{ + Name: "SOPS CLI", + Runs: []string{"sops"}, + DocsURL: sdk.URL("https://github.com/getsops/sops"), + NeedsAuth: needsauth.IfAll( + needsauth.NotForHelpOrVersion(), + needsauth.NotWithoutArgs(), + ), + Uses: []schema.CredentialUsage{ + { + Name: credname.SecretKey, + }, + }, + } +}