| author | Alexandru Avadanii <Alexandru.Avadanii@enea.com> | 2017-10-05 12:24:49 -0400 |
|---|---|---|
| committer | agardner <agardner@linuxfoundation.org> | 2017-11-17 21:14:13 -0500 |
| commit | d2307b5afbf13644bfe6722018ef1975e92680d1 (patch) | |
| tree | b90d695395441dbcacda655b0e9293acec29bcba /config/utils/README.eyaml.rst | |
| parent | 2c4fac2e41aaca9dd679b200ffc968eeb448b395 (diff) | |
generate_config: Use eyaml to decrypt secret values
Note: IDF data encryption is not supported. Supporting that is
trivial, but it leads to slightly more complicated code, plus it
breaks support for multiline scalar encrypted data in the PDF ('>'),
forcing us to define each encrypted value as an inline string.
While at it, fix the silly limitation of the jinja2 path residing in a subdir
of CWD.
Change-Id: I441ec754d8b6e4aad2ed73aba0b9b18ed65f05f4
Signed-off-by: agardner <agardner@linuxfoundation.org>
Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
Diffstat (limited to 'config/utils/README.eyaml.rst')
-rw-r--r-- | config/utils/README.eyaml.rst | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/config/utils/README.eyaml.rst b/config/utils/README.eyaml.rst new file mode 100644 index 00000000..083d5192 --- /dev/null +++ b/config/utils/README.eyaml.rst @@ -0,0 +1,67 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. SPDX-License-Identifier: CC-BY-4.0 +.. (c) 2017 OPNFV and others. + +Use eyaml to decrypt secret values +================================== + +Prerequisites +------------- + +#. Install eyaml and create keys (All of this should be done on the slave server) + + .. code-block:: bash + + $ sudo yum install ruby-gems || sudo apt-get install ruby + $ sudo gem install hiera-eyaml + $ eyaml createkeys + +#. Move keys to /etc/eyaml_keys + + .. code-block:: bash + + $ sudo mkdir -p /etc/eyaml_keys/ + $ sudo mv ./keys/* /etc/eyaml_keys/ + +#. Set up eyaml config.yaml + + .. code-block:: bash + + $ mkdir ~/.eyaml/ + $ cp config.yaml.example ~/.eyaml/config.yaml + +Encryption +---------- + +#. Copy a PDF (yaml) to current directory (or edit the PDF in-place) + +NOTE: There is a sample encrypted PDF located at `../pdf/pod1.encrypted.yaml`. +Data in that file is only an example and can't be decrypted without the PEM, +which is not provided. + + .. code-block:: bash + + $ cp ~/foo/securedlab/labs/lf/pod2.yaml . + +#. Create some encrypted values + + .. code-block:: bash + + $ eyaml encrypt -s 'opnfv' + +#. Replace values to be encrypted + + .. code-block:: yaml + + type: ipmi + versions: + - 2.0 + user: ENC[PKCS7 ...] + pass: ENC[PKCS7 ...] + +Decryption +---------- + + .. code-block:: bash + + $ ./generate_config.py -y pod2.yaml -j ../installers/apex/pod_config.yaml.j2 |
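Review bot: in the Prerequisites section, step 2 moves the freshly generated key pair into /etc/eyaml_keys/ with `sudo mv` but never restricts access to the private key, so whatever mode `eyaml createkeys` left it with is what a shared slave server ends up with; add an ownership and permission step right after the move, e.g. `$ sudo chown -R <decrypting-user> /etc/eyaml_keys/` followed by `$ sudo chmod 0400 /etc/eyaml_keys/<private key file>`, so only the account running generate_config.py can read it. Two smaller points in the same hunk: in the Encryption section the NOTE paragraph sits at column 0 between the "Copy a PDF" item and its code block, which ends the enumerated list in reStructuredText and makes the following `#.` items restart at 1 (indent the note under the item, or move it after the code block); and `~/.eyaml/config.yaml` is copied from a `config.yaml.example` that the README never locates or describes, so state where that file lives and that it must point at the /etc/eyaml_keys/ paths chosen in step 2.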