Docs addition on decrypting Zuul secrets
As this does come up from time to time, record an example command for decrypting a Zuul secret.

Change-Id: I056bb808ecf0f44cfa5b448521e3f28d04eeffcf
parent a23cd84a69
commit 7323108d4a
@ -137,3 +137,19 @@ Mergers. These are horizontally scalable components of Zuul which
perform git operations for the benefit of jobs. They can be started
and stopped at will, and new ones added as necessary to accommodate
load.
Secrets
-------
In some cases it may be warranted to compare the decrypted plaintext of
a secret from job configuration against a reference value while
troubleshooting, since random padding means encrypting the same
plaintext a second time will result in wholly different ciphertext. In
order to avoid unintentional disclosure this should only be done when
absolutely necessary, but it's possible to decrypt a secret locally on
the scheduler server with a command like the following (just extract the
secret ciphertext from the job configuration first to remove surrounding
YAML, there is no need to dedent nor recombine split lines)::
cat ciphertext.txt | base64 -d | sudo openssl rsautl -decrypt -oaep -inkey \
/var/lib/zuul/keys/secrets/project/gerrit/openstack-infra/project-config/0.pem
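
Review bot: The key path in the example command (/var/lib/zuul/keys/secrets/project/gerrit/openstack-infra/project-config/0.pem) is specific to one project and the paragraph does not say so; add a sentence telling the reader to substitute the key of the project whose job configuration holds the secret. Since the text itself stresses avoiding unintentional disclosure, it would also help to state that the plaintext is written to the terminal and should not be redirected to a file or pasted elsewhere. Minor: `cat ciphertext.txt |` can be dropped in favour of `base64 -d ciphertext.txt`, and `openssl rsautl` is deprecated as of OpenSSL 3.0 in favour of `openssl pkeyutl`, so a note on that would keep the example usable on newer hosts.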