Extracting secrets from configs during gitops

[zepatrik]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe your problem

When getting the full config, it includes secrets and other keys that might not be exposed in a repository directly.

Similarly, the secrets have to be transmitted for updates nested in the config.

Describe your ideal solution

A CLI flag to redact certain keys on get project, and a flag to set keys on update project.

Workarounds or alternatives

Use the surrounding shell for scripting, e.g.

ory get project --format json | jq '.my.secret.a = "<redacted>" | .other.list_of.[].secrets = "<redacted>"' > output.json

jq ".my.secret.a = $SECRET_FROM_ENV" input.json | ory update project --file -

Version

v1.0.0

Additional Context

No response