Diffstat (limited to 'config/utils')
-rw-r--r-- | config/utils/README.eyaml.rst | 67 | ||||
-rw-r--r-- | config/utils/config.example.yaml | 11 | ||||
-rwxr-xr-x | config/utils/generate_config.py | 27 |
3 files changed, 101 insertions, 4 deletions
diff --git a/config/utils/README.eyaml.rst b/config/utils/README.eyaml.rst
new file mode 100644
index 00000000..083d5192
--- /dev/null
+++ b/config/utils/README.eyaml.rst
@@ -0,0 +1,67 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. SPDX-License-Identifier: CC-BY-4.0
+.. (c) 2017 OPNFV and others.
+
+Use eyaml to decrypt secret values
+==================================
+
+Prerequisites
+-------------
+
+#. Install eyaml and create keys (All of this should be done on the slave server)
+
+ .. code-block:: bash
+
+ $ sudo yum install ruby-gems || sudo apt-get install ruby
+ $ sudo gem install hiera-eyaml
+ $ eyaml createkeys
+
+#. Move keys to /etc/eyaml_keys
+
+ .. code-block:: bash
+
+ $ sudo mkdir -p /etc/eyaml_keys/
+ $ sudo mv ./keys/* /etc/eyaml_keys/
+
+#. Set up eyaml config.yaml
+
+ .. code-block:: bash
+
+ $ mkdir ~/.eyaml/
+ $ cp config.yaml.example ~/.eyaml/config.yaml
+
+Encryption
+----------
+
+#. Copy a PDF (yaml) to current directory (or edit the PDF in-place)
+
+NOTE: There is a sample encrypted PDF located at `../pdf/pod1.encrypted.yaml`.
+Data in that file is only an example and can't be decrypted without the PEM,
+which is not provided.
+
+ .. code-block:: bash
+
+ $ cp ~/foo/securedlab/labs/lf/pod2.yaml .
+
+#. Create some encrypted values
+
+ .. code-block:: bash
+
+ $ eyaml encrypt -s 'opnfv'
+
+#. Replace values to be encrypted
+
+ .. code-block:: yaml
+
+ type: ipmi
+ versions:
+ - 2.0
+ user: ENC[PKCS7 ...]
+ pass: ENC[PKCS7 ...]
+
+Decryption
+----------
+
+ .. code-block:: bash
+
+ $ ./generate_config.py -y pod2.yaml -j ../installers/apex/pod_config.yaml.j2
diff --git a/config/utils/config.example.yaml b/config/utils/config.example.yaml
new file mode 100644
index 00000000..084d11d2
--- /dev/null
+++ b/config/utils/config.example.yaml
@@ -0,0 +1,11 @@
+##############################################################################
+# Copyright (c) 2017 OPNFV and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+---
+pkcs7_private_key: /etc/eyaml_keys/private_key.pkcs7.pem
+pkcs7_public_key: /etc/eyaml_keys/public_key.pkcs7.pem
diff --git a/config/utils/generate_config.py b/config/utils/generate_config.py
index 18af98db..ba4192cb 100755
--- a/config/utils/generate_config.py
+++ b/config/utils/generate_config.py
@@ -1,10 +1,20 @@
 #!/usr/bin/python
+##############################################################################
+# Copyright (c) 2017 OPNFV and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
 """This module does blah blah."""
 import argparse
 import ipaddress
+import logging
 import os
 import yaml
 from jinja2 import Environment, FileSystemLoader
+from subprocess import CalledProcessError, check_output
 PARSER = argparse.ArgumentParser()
 PARSER.add_argument("--yaml", "-y", type=str, required=True)
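Review bot: The example config points eyaml at `/etc/eyaml_keys/private_key.pkcs7.pem`, but nothing in the file says who must be able to read it; the README in this commit creates the keys as the login user and moves them with `sudo mv`, and the decrypt step in generate_config.py runs without sudo, so whether the key stays readable to that user (and only that user) depends on the mode `eyaml createkeys` gave it, which I cannot verify here. Because the same commit notes that eyaml exits 0 even when keys are unavailable, an unreadable private key would not surface as an error. I would add a comment above `pkcs7_private_key`: `# private_key.pkcs7.pem must be readable by the account that runs generate_config.py and by nobody else`.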
@@ -38,12 +48,20 @@ def dpkg_arch(arch, to_dpkg=True):
 else:
 return ARCH_DPKG_TABLE[arch]
-ENV = Environment(loader=FileSystemLoader('./'))
+ENV = Environment(loader=FileSystemLoader(os.path.dirname(ARGS.jinja2)))
 ENV.filters['ipaddr_index'] = ipaddr_index
 ENV.filters['dpkg_arch'] = dpkg_arch
-with open(ARGS.yaml) as _:
- DICT = yaml.safe_load(_)
+# Run `eyaml decrypt` on the whole file, in case any PDF data is encrypted
+# Note: eyaml return code is 0 even if keys are not available
+try:
+ DICT = yaml.safe_load(check_output(['eyaml', 'decrypt', '-f', ARGS.yaml]))
+except CalledProcessError as ex:
+ pass
+if not DICT:
+ logging.warn('PDF decryption failed, fallback to using raw data.')
+ with open(ARGS.yaml) as _:
+ DICT = yaml.safe_load(_)
 # If an installer descriptor file (IDF) exists, include it (temporary)
 IDF_PATH = '/idf-'.join(os.path.split(ARGS.yaml))
@@ -56,6 +74,7 @@ if os.path.exists(IDF_PATH):
 # print(DICT)
 # Render template and print generated conf to console
-TEMPLATE = ENV.get_template(ARGS.jinja2)
+TEMPLATE = ENV.get_template(os.path.basename(ARGS.jinja2))
+ #pylint: disable=superfluous-parens
 print(TEMPLATE.render(conf=DICT)) |
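Review bot: When `check_output` raises, `DICT` is never bound and the `if not DICT:` that follows fails with a NameError, because the new `except CalledProcessError as ex: pass` swallows the error without assigning anything and leaves `ex` unused; an absent `eyaml` binary raises OSError, which is not caught at all, so the raw-data fallback never runs in that case either. The fallback also relies on an empty decrypt result, yet the comment two lines above says eyaml exits 0 when keys are unavailable — if it then echoes the file with the `ENC[...]` values untouched (I cannot confirm that from here), `DICT` is non-empty, no warning is logged and the ciphertext strings are rendered into the generated config, which would be worth a check for leftover `ENC[` markers before accepting the decrypted output. `logging.warn` is the deprecated alias of `logging.warning`. I would initialise `DICT` before the `try`, catch both exception types and log the reason, as below.
```python
DICT = None
try:
    DICT = yaml.safe_load(check_output(['eyaml', 'decrypt', '-f', ARGS.yaml]))
except (OSError, CalledProcessError) as ex:
    logging.warning('eyaml decrypt failed: %s', ex)
if not DICT:
    logging.warning('PDF decryption failed, fallback to using raw data.')
    # … unchanged: raw yaml.safe_load fallback …
```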