Genesis Bundle Encryption Key source

Previously the site PEGLEG_PASSPHRASE variable was used to encrypt the
genesis bundle. This is not always desired.

This patch:
1. Separates the Pegleg and Promenade encryption credentials
2. Simplifies the bundle code to avoid circular setting of environment
   variables unnecessarily.

Change-Id: I2195cf8df81d3775402299d9a2b0aad4ba483b2c
Alexander Hughes 2019-06-05 17:44:16 +00:00
parent a925c0ddd8
commit 820df6d625
2 changed files with 3 additions and 4 deletions


@ -545,7 +545,7 @@ def wrap_secret_cli(*, site_name, author, file_name, output_path, schema,
def genesis_bundle(*, build_dir, validators, site_name):
passphrase = os.environ.get("PEGLEG_PASSPHRASE")
salt = os.environ.get("PEGLEG_SALT")
encryption_key = passphrase
encryption_key = os.environ.get("PROMENADE_ENCRYPTION_KEY")
if passphrase:
passphrase = passphrase.encode()
if salt:
@ -558,7 +558,8 @@ def genesis_bundle(*, build_dir, validators, site_name):
encryption_key,
validators,
logging.DEBUG == LOG.getEffectiveLevel(),
site_name)
site_name
)
@secrets.command(
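Review bot: `os.environ.get("PROMENADE_ENCRYPTION_KEY")` in the first hunk returns None when the variable is unset, and no line visible here checks the value before it is passed on to the bundle build. The only rejection on this page is the generic `GenesisBundleEncryptionException` in build_genesis, which appears to be raised both for a missing key and for a site without a genesis EncryptionPolicy, so an operator cannot tell the two apart. I would fail at the CLI with a message that names the variable, e.g. `if not encryption_key: raise click.ClickException("PROMENADE_ENCRYPTION_KEY must be set")`, assuming this module uses click as the `@secrets.command(` decorator suggests. The body of genesis_bundle continues between the two hunks, so such a check may already exist outside the visible lines.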


@ -78,8 +78,6 @@ def build_genesis(build_path, encryption_key, validators, debug, site_name):
allow_missing_substitutions=False,
leave_kubectl=False)
if c.get_path('EncryptionPolicy:scripts.genesis') and encryption_key:
os.environ['PROMENADE_ENCRYPTION_KEY'] = encryption_key
os.environ['PEGLEG_PASSPHRASE'] = encryption_key
Builder(c, validators=validators).build_all(output_dir=build_path)
else:
raise GenesisBundleEncryptionException()
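Review bot: With the two `os.environ[...]` assignments gone, `encryption_key` is only tested for truthiness in the `if` and is never handed to `Builder(...)`. The removal is inferred from the 8-to-6 line count in the hunk header, since the +/- markers are lost on this page. The key that actually encrypts the bundle is then presumably whatever PROMENADE_ENCRYPTION_KEY holds in the process environment, so a caller that passes a key as an argument without exporting the variable could get a bundle encrypted under a different key, or a failure inside the builder. Either state the contract in the docstring, e.g. `encryption_key must match the PROMENADE_ENCRYPTION_KEY environment variable; it is only checked for presence here`, or compare the two and raise when they differ. build_genesis begins above the hunk.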