Browse Source

Re-add secret decrypting docs

These are useful for the times when a secret needs to be decrypted
for debugging but seem to have been deleted when we did the zuulv3
migration removal.

Change-Id: Ib1544d9032df9bd25c50eeca032f643e40f035b0
changes/09/714509/1
Jeremy Stanley Monty Taylor 2 weeks ago
parent
commit
8da233817b
1 changed files with 16 additions and 0 deletions
  1. +16
    -0
      doc/source/zuul.rst

+ 16
- 0
doc/source/zuul.rst View File

@@ -198,6 +198,22 @@ Zuul Web is stateless so is safe to restart, however restarting it will result
in a loss of connection for anyone watching a live-stream of a console log
when the restart happens.

Secrets
-------

In some cases it may be warranted to compare the decrypted plaintext of
a secret from job configuration against a reference value while
troubleshooting, since random padding means encrypting the same
plaintext a second time will result in wholly different ciphertext. In
order to avoid unintentional disclosure this should only be done when
absolutely necessary, but it's possible to decrypt a secret locally on
the scheduler server with a command like the following (just extract the
secret ciphertext from the job configuration first to remove surrounding
YAML, there is no need to recombine split lines)::

cat ciphertext.txt | sed 's/^ *//' | base64 -d | sudo openssl rsautl -decrypt -oaep -inkey \
/var/lib/zuul/keys/secrets/project/gerrit/openstack-infra/project-config/0.pem

.. _zuul_github_projects:

GitHub Projects


Loading…
Cancel
Save