jesus/provisioning
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
provisioning/schemas/security/sops/defaults.ncl

71 lines
1.9 KiB
Text
Raw Blame History

# SOPS Configuration Defaults - Environment-specific encryption rules
let SopsRule = import "contracts.ncl" in
{
# Development environment: Single Age key, encrypts all YAML files
dev = {
creation_rules = [
{
path_regex = "\.dev\.yaml$",
age = "", # Will be populated by vault-service
encrypted_regex = "^(password|token|key|secret|api_key)$",
key_version = 1,
},
{
# Catchall for dev
age = "",
encrypted_regex = "^(password|token|key|secret|api_key)$",
key_version = 1,
},
],
},
# Staging environment: Single Age key, more restrictive encryption
staging = {
creation_rules = [
{
path_regex = "\.staging\.yaml$",
age = "",
encrypted_regex = "^(password|token|key|secret|api_key|database_url)$",
key_version = 1,
},
{
path_regex = "\.stg\.yaml$",
age = "",
encrypted_regex = "^(password|token|key|secret|api_key|database_url)$",
key_version = 1,
},
{
# Catchall for staging
age = "",
encrypted_regex = "^(password|token|key|secret|api_key|database_url)$",
key_version = 1,
},
],
},
# Production environment: Single Age key, strictest encryption
prod = {
creation_rules = [
{
path_regex = "\.prod\.yaml$",
age = "",
encrypted_regex = "^(password|token|key|secret|api_key|database_url|tls_cert|tls_key)$",
key_version = 1,
},
{
path_regex = "\.k\.prod\.yaml$",
age = "",
encrypted_regex = "^(password|token|key|secret|api_key|database_url|tls_cert|tls_key)$",
key_version = 1,
},
{
# Catchall for prod
age = "",
encrypted_regex = "^(password|token|key|secret|api_key|database_url|tls_cert|tls_key)$",
key_version = 1,
},
],
},
}
Reference in a new issue View git blame Copy permalink