opendev/system-config
Code Issues Proposed changes

Update zuul secrets decryption docs

Browse Source 
Zuul has changed has it stores secret keys and they are in zookeeper
now. This means our old docs on decrypting things are no longer correct.
Update them with a new set of instructions that matches the modern
setup.

Change-Id: I7484a8c02e005fadc41e22a4158b3dcb8434ec5d
This commit is contained in:
Clark Boylan 2021-10-20 11:33:03 -07:00
parent a6d4d81ee2
commit f18e575a50
1 changed files with 20 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
doc/source/zuul.rst
View File

@ -219,12 +219,28 @@ troubleshooting, since random padding means encrypting the same
plaintext a second time will result in wholly different ciphertext. In
order to avoid unintentional disclosure this should only be done when
absolutely necessary, but it's possible to decrypt a secret locally on
the scheduler server with a command like the following (just extract the
secret ciphertext from the job configuration first to remove surrounding
YAML, there is no need to recombine split lines)::
the scheduler server. The first step is extracting the key data from
our daily key backups::
root@zuul# jq --raw-output '.keys."/keystorage/gerrit/opendev/opendev%2Fsystem-config".keys[0].private_key' /var/lib/zuul/zuul-keys-backup.json
The name between the double quotes is the path to the project's keys in
ZooKeeper. To construct this you will need to know the Zuul connection name
and full project name. The connection name in the example above is 'gerrit',
replace it with the appropriate connection name for the project you are looking
at. Next is the unique project name. In the example above we start with
`opendev/system-config` and split it on `/`. Everything before the first `/`
is the next component of our name in this case, `opendev`. Then we take the
entire name `opendev/system-config` and URL encode it to get
`opendev%2Fsystem-config` which becomes our last component.
Save the output of this jq command to a file `secret.pem`. Then extract the
secret ciphertext from the job configuration to remove surrounding
YAML (there is no need to recombine split lines) and run the following
command to decrypt::
cat ciphertext.txt | sed 's/^ *//' | base64 -d | sudo openssl rsautl -decrypt -oaep -inkey \
/var/lib/zuul/keys/secrets/project/gerrit/openstack-infra/project-config/0.pem
secret.pem
.. _zuul_github_projects: