feat(sops): add SOPS plugin for age key provisioning

solcik · solcik · commit 3361434024cf · 2026-02-03T13:00:06.000+01:00
Add shell plugin for SOPS (Secrets OPerationS) that provisions
SOPS_AGE_KEY environment variable from 1Password vault items.

Supports:
- sops CLI for encrypt/decrypt operations
- helm CLI with 'secrets' subcommand (helm-secrets plugin)

Credential type:
- secret_key: Age secret key (AGE-SECRET-KEY-...)
diff --git a/plugins/sops/age_secret_key.go b/plugins/sops/age_secret_key.go
@@ -0,0 +1,40 @@
+package sops
+
+import (
+	"github.com/1Password/shell-plugins/sdk"
+	"github.com/1Password/shell-plugins/sdk/importer"
+	"github.com/1Password/shell-plugins/sdk/provision"
+	"github.com/1Password/shell-plugins/sdk/schema"
+	"github.com/1Password/shell-plugins/sdk/schema/credname"
+	"github.com/1Password/shell-plugins/sdk/schema/fieldname"
+)
+
+func AgeSecretKey() schema.CredentialType {
+	return schema.CredentialType{
+		Name:          credname.SecretKey,
+		DocsURL:       sdk.URL("https://github.com/getsops/sops#encrypting-using-age"),
+		ManagementURL: nil,
+		Fields: []schema.CredentialField{
+			{
+				Name:                fieldname.PrivateKey,
+				MarkdownDescription: "Age secret key used by SOPS for encryption and decryption.",
+				Secret:              true,
+				Composition: &schema.ValueComposition{
+					Prefix: "AGE-SECRET-KEY-",
+					Charset: schema.Charset{
+						Uppercase: true,
+						Digits:    true,
+					},
+				},
+			},
+		},
+		DefaultProvisioner: provision.EnvVars(defaultEnvVarMapping),
+		Importer: importer.TryAll(
+			importer.TryEnvVarPair(defaultEnvVarMapping),
+		),
+	}
+}
+
+var defaultEnvVarMapping = map[string]sdk.FieldName{
+	"SOPS_AGE_KEY": fieldname.PrivateKey,
+}
diff --git a/plugins/sops/age_secret_key_test.go b/plugins/sops/age_secret_key_test.go
@@ -0,0 +1,41 @@
+package sops
+
+import (
+	"testing"
+
+	"github.com/1Password/shell-plugins/sdk"
+	"github.com/1Password/shell-plugins/sdk/plugintest"
+	"github.com/1Password/shell-plugins/sdk/schema/fieldname"
+)
+
+func TestAgeSecretKeyImporter(t *testing.T) {
+	plugintest.TestImporter(t, AgeSecretKey().Importer, map[string]plugintest.ImportCase{
+		"environment": {
+			Environment: map[string]string{
+				"SOPS_AGE_KEY": "AGE-SECRET-KEY-1QFWENTHXAAPACFPMXHQCREP64GJE5YTHXLX0RPFSXRSPDJGCR0SSWYNX3D",
+			},
+			ExpectedCandidates: []sdk.ImportCandidate{
+				{
+					Fields: map[sdk.FieldName]string{
+						fieldname.PrivateKey: "AGE-SECRET-KEY-1QFWENTHXAAPACFPMXHQCREP64GJE5YTHXLX0RPFSXRSPDJGCR0SSWYNX3D",
+					},
+				},
+			},
+		},
+	})
+}
+
+func TestAgeSecretKeyProvisioner(t *testing.T) {
+	plugintest.TestProvisioner(t, AgeSecretKey().DefaultProvisioner, map[string]plugintest.ProvisionCase{
+		"default": {
+			ItemFields: map[sdk.FieldName]string{
+				fieldname.PrivateKey: "AGE-SECRET-KEY-1QFWENTHXAAPACFPMXHQCREP64GJE5YTHXLX0RPFSXRSPDJGCR0SSWYNX3D",
+			},
+			ExpectedOutput: sdk.ProvisionOutput{
+				Environment: map[string]string{
+					"SOPS_AGE_KEY": "AGE-SECRET-KEY-1QFWENTHXAAPACFPMXHQCREP64GJE5YTHXLX0RPFSXRSPDJGCR0SSWYNX3D",
+				},
+			},
+		},
+	})
+}
diff --git a/plugins/sops/helm.go b/plugins/sops/helm.go
@@ -0,0 +1,27 @@
+package sops
+
+import (
+	"github.com/1Password/shell-plugins/sdk"
+	"github.com/1Password/shell-plugins/sdk/needsauth"
+	"github.com/1Password/shell-plugins/sdk/schema"
+	"github.com/1Password/shell-plugins/sdk/schema/credname"
+)
+
+func HelmCLI() schema.Executable {
+	return schema.Executable{
+		Name:    "Helm with SOPS Secrets",
+		Runs:    []string{"helm"},
+		DocsURL: sdk.URL("https://github.com/jkroepke/helm-secrets"),
+		NeedsAuth: needsauth.IfAll(
+			needsauth.NotForHelpOrVersion(),
+			needsauth.NotWithoutArgs(),
+			// Only authenticate when using helm-secrets plugin
+			needsauth.ForCommand("secrets"),
+		),
+		Uses: []schema.CredentialUsage{
+			{
+				Name: credname.SecretKey,
+			},
+		},
+	}
+}
diff --git a/plugins/sops/plugin.go b/plugins/sops/plugin.go
@@ -0,0 +1,23 @@
+package sops
+
+import (
+	"github.com/1Password/shell-plugins/sdk"
+	"github.com/1Password/shell-plugins/sdk/schema"
+)
+
+func New() schema.Plugin {
+	return schema.Plugin{
+		Name: "sops",
+		Platform: schema.PlatformInfo{
+			Name:     "SOPS",
+			Homepage: sdk.URL("https://github.com/getsops/sops"),
+		},
+		Credentials: []schema.CredentialType{
+			AgeSecretKey(),
+		},
+		Executables: []schema.Executable{
+			SOPSCLI(),
+			HelmCLI(),
+		},
+	}
+}
diff --git a/plugins/sops/sops.go b/plugins/sops/sops.go
@@ -0,0 +1,25 @@
+package sops
+
+import (
+	"github.com/1Password/shell-plugins/sdk"
+	"github.com/1Password/shell-plugins/sdk/needsauth"
+	"github.com/1Password/shell-plugins/sdk/schema"
+	"github.com/1Password/shell-plugins/sdk/schema/credname"
+)
+
+func SOPSCLI() schema.Executable {
+	return schema.Executable{
+		Name:    "SOPS CLI",
+		Runs:    []string{"sops"},
+		DocsURL: sdk.URL("https://github.com/getsops/sops"),
+		NeedsAuth: needsauth.IfAll(
+			needsauth.NotForHelpOrVersion(),
+			needsauth.NotWithoutArgs(),
+		),
+		Uses: []schema.CredentialUsage{
+			{
+				Name: credname.SecretKey,
+			},
+		},
+	}
+}
