summaryrefslogtreecommitdiffstats
path: root/config/utils/README.eyaml.rst
blob: 386a21bb33094e73b32e958b3a6679b15d21334a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. SPDX-License-Identifier: CC-BY-4.0
.. (c) 2017 OPNFV and others.

Use eyaml to decrypt secret values
==================================

Prerequisites
-------------

#. Install eyaml and create keys (All of this should be done on the slave server)

    .. code-block:: bash

        $ sudo yum install rubygems || sudo apt-get install ruby
        $ sudo gem install hiera-eyaml
        $ eyaml createkeys

#. Move keys to /etc/eyaml_keys

    .. code-block:: bash

        $ sudo mkdir -p /etc/eyaml_keys/
        $ sudo mv ./keys/* /etc/eyaml_keys/
        $ sudo rmdir ./keys

#. Set up eyaml config.yaml

    .. code-block:: bash

        $ mkdir ~/.eyaml/
        $ cp config.yaml.example ~/.eyaml/config.yaml

Encryption
----------

#. Copy a PDF (yaml) to current directory (or edit the PDF in-place)

NOTE: There is a sample encrypted PDF located at `../pdf/pod1.encrypted.yaml`.
Data in that file is only an example and can't be decrypted without the PEM,
which is not provided.

    .. code-block:: bash

        $ cp ~/foo/securedlab/labs/lf/pod2.yaml .

#. Create some encrypted values

    .. code-block:: bash

        $ eyaml encrypt -s 'opnfv'

#. Replace values to be encrypted

    .. code-block:: yaml

        type: ipmi
        versions:
          - 2.0
        user: ENC[PKCS7 ...]
        pass: ENC[PKCS7 ...]

Decryption
----------

    .. code-block:: bash

        $ ./generate_config.py -y pod2.yaml -j ../installers/apex/pod_config.yaml.j2