Description
We manage a lot of secrets in a single repository, which need to be accessible by different groups of people. In order to avoid having to set all keys on each creation_rule, we'd like to use YAML anchors and references to manage groups of keys. Unfortunately the YAML spec has no way of merging anchors' contents into a single list; it's only possible to have objects/maps referenced by an anchor. By using key groups it's possible to just create one entry for each group. See below for an example.
Unfortunately the automatically enabled shamir key exchange when using multiple key groups blocks us from using this. It's also not possible to set the shamir_threshold to 1, as that obviously makes shamir useless.
Being able to disable shamir, e.g. by setting the threshold to 1, would enable an easy way of managing groups of keys.
If there is any other way of achieving this within sops.yaml that I haven't found yet, please let me know.
```yaml
groups:
  groupA: &groupA
    age:
      - agekey1
      - agekey2
  groupB: &groupB
    age:
      - agekey3
      - agekey4

creation_rules:
  - path_regex: /example/
    shamir_threshold: 1
    key_groups:
      - *groupA
      - *groupB
      - age:
          - agekey5
```
This gets expanded to:

```yaml
creation_rules:
  - path_regex: /example/
    shamir_threshold: 1
    key_groups:
      - age:
          - agekey1
          - agekey2
      - age:
          - agekey3
          - agekey4
      - age:
          - agekey5
```
CC @MaxRink
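Added example (not from the issue author and not part of sops): a small Python lint that parses a .sops.yaml like the one above, lets PyYAML expand the anchors into full key groups, and reports the decryption policy each creation rule implies, so a reviewer can see whether a rule means "any one group can decrypt" or "k of n groups must cooperate". The config text is constructed from the issue; the default threshold (all groups when more than one group is listed and no shamir_threshold is set) is an assumption about sops' behaviour.

```python
# Added example, not sops code: expand anchors in a .sops.yaml and describe
# the Shamir policy each creation_rule implies. Requires PyYAML.
import yaml

# Constructed from the issue's example; aliases (*groupA) expand on load.
SOPS_YAML = """
groups:
  groupA: &groupA
    age: [agekey1, agekey2]
  groupB: &groupB
    age: [agekey3, agekey4]
creation_rules:
  - path_regex: /example/
    shamir_threshold: 1
    key_groups:
      - *groupA
      - *groupB
      - age: [agekey5]
"""


def load_rules(text):
    """Parse the config; each *alias becomes a full copy of the anchored map."""
    return yaml.safe_load(text)["creation_rules"]


def keys_in_group(group):
    """Flatten every key list in a key group (age, pgp, kms, ...) into one list."""
    return [k for keys in group.values() for k in keys]


def describe_rule(rule):
    """Effective Shamir policy for one rule.
    Assumption: with more than one key group and no explicit shamir_threshold,
    sops requires every group (threshold == number of groups)."""
    groups = rule.get("key_groups", [])
    n = len(groups)
    threshold = rule.get("shamir_threshold") or (n if n > 1 else 1)
    return {
        "path_regex": rule["path_regex"],
        "groups": n,
        "threshold": threshold,
        "keys": [keys_in_group(g) for g in groups],
        # threshold 1: any single group's keys decrypt on their own, i.e. the
        # same access as one flat list containing all of the keys.
        "any_single_group_decrypts": threshold == 1,
    }


def lint(text):
    """Describe every creation rule in the given .sops.yaml text."""
    return [describe_rule(r) for r in load_rules(text)]


if __name__ == "__main__":
    for r in lint(SOPS_YAML):
        print(r)
```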