docker/sops-decrypt
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial commit

Browse Source
This commit is contained in:
Mark Kaulertz 2025-06-20 09:59:23 +02:00
commit 536831f8d9
2 changed files with 69 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
Dockerfile Normal file
View File

@ -0,0 +1,15 @@
# Use a minimal, secure base image
FROM alpine:latest
# Install only the tools we need: SOPS and GnuPG
RUN apk add --no-cache sops gnupg
# Set a working directory
WORKDIR /app
# Copy our decryption script into the container and make it executable
COPY entrypoint.sh .
RUN chmod +x ./entrypoint.sh
# Set the script as the entrypoint
ENTRYPOINT ["./entrypoint.sh"]

54
entrypoint.sh Normal file
View File

@ -0,0 +1,54 @@
#!/bin/sh
# Exit immediately if any command fails
set -e
# --- Configuration (from Environment Variables) ---
# Use ':-' to set a default value if the variable is unset or null.
APP_NAME="${APP_NAME:-sops-init}"
GPG_KEY_PATH="${GPG_KEY_PATH:-/run/secrets/gpg_key}"
# The directory containing encrypted files.
SOPS_INPUT_DIR="${SOPS_INPUT_DIR:-/config_in}"
# The directory where decrypted files will be written.
SOPS_OUTPUT_DIR="${SOPS_OUTPUT_DIR:-/config_out}"
# The suffix of files to search for.
SOPS_FILE_SUFFIX="${SOPS_FILE_SUFFIX:-.sops.yaml}"
# --- Script Logic ---
echo "$APP_NAME: Decryption container started."
echo "➡️ $APP_NAME: Input Dir: '$SOPS_INPUT_DIR', Output Dir: '$SOPS_OUTPUT_DIR', Suffix: '$SOPS_FILE_SUFFIX'"
# Validate that the required files/directories exist
if [ ! -f "$GPG_KEY_PATH" ]; then
echo "$APP_NAME: ERROR: GPG secret key not found at '$GPG_KEY_PATH'"
exit 1
fi
if [ ! -d "$SOPS_INPUT_DIR" ]; then
echo "$APP_NAME: ERROR: Input directory not found at '$SOPS_INPUT_DIR'"
exit 1
fi
# Ensure the output directory exists
mkdir -p "$SOPS_OUTPUT_DIR"
echo "🔐 $APP_NAME: Importing GPG private key..."
gpg --batch --import "$GPG_KEY_PATH"
echo "🔎 $APP_NAME: Searching for files ending in '$SOPS_FILE_SUFFIX'..."
# Use 'find' to locate all target files and loop through them
find "$SOPS_INPUT_DIR" -type f -name "*${SOPS_FILE_SUFFIX}" | while read -r encrypted_file; do
# Get the filename without the full path
base_filename_with_suffix=$(basename "$encrypted_file")
# Remove the suffix to get the clean output filename
output_filename=$(basename "$encrypted_file" "$SOPS_FILE_SUFFIX")
# Construct the full output path
decrypted_file="${SOPS_OUTPUT_DIR}/${output_filename}"
echo " - Decrypting '$base_filename_with_suffix' to '$decrypted_file'"
sops --decrypt "$encrypted_file" > "$decrypted_file"
done
echo "🎉 $APP_NAME: All files decrypted. Exiting."