The configuration in the config.yaml contains secrets and should not be openly accessible. To secure the data contained within it, the values can be encrypted using a tool called sops. This tool uses a key to encrypt the values of the YAML file; access to the key allows decryption of the values. As long as the key is not compromised, the encrypted file can be shared securely between collaborators.
The process of using sops is described below.
sops
On OSX, sops can be installed using brew:
brew install sops
Install gpg:
brew install gpg
You might need to add this to your .bashrc or .zshrc to enable sops to work correctly with gpg [1]:
GPG_TTY=$(tty)
export GPG_TTY
Create a key by running the following command and following the instructions on the screen:
gpg --gen-key
Run the following command to encrypt the file:
sops \
  --encrypt \
  --in-place \
  --encrypted-regex '(password|htpasswd|cert|key|apiUrl|caCert|secret|accessToken)$' \
  --pgp \
  `gpg --fingerprint "$EMAIL" | \
    grep pub -A 1 | \
    grep -v pub | \
    sed s/\ //g` \
  $FILE_TO_ENCODE
$EMAIL refers to the email used during the creation of the GPG key.
Alternatively, the gerrit-monitoring.py encrypt script can be used to encrypt the file:
pipenv run python ./gerrit-monitoring.py \
  --config config.yaml \
  encrypt \
  --enc-method "pgp" \
  --pgp-id "abcde1234"
The GPG key used to encrypt the file can be selected by giving the fingerprint, key ID or part of the unique ID to the --pgp-id argument. This identifier has to be unique among the keys in the GPG keystore.
For other developers or build servers to be able to decrypt the configuration, the key has to be exported:
gpg --export -a "$EMAIL" > public.key
gpg --export-secret-key -a "$EMAIL" > private.key
On the receiving computer the key has to be imported by running:
gpg --import public.key
gpg --allow-secret-key-import --import private.key
vault CLI tool
On OSX, vault can be installed using brew:
brew install vault
Use the CLI to log into your vault instance:
vault login -method=<auth-method> -address=https://vault.example.com
To use sops with HashiCorp Vault, a secret engine of type transit containing at least one key has to be created (the key is written under the path the engine was mounted at):
vault secrets enable -path=some-engine transit
vault write some-engine/keys/some-key type=rsa-4096
Run the following command to encrypt the file:
sops \
  --encrypt \
  --in-place \
  --encrypted-regex '(password|htpasswd|cert|key|apiUrl|caCert|secret|accessToken)$' \
  --hc-vault-transit https://vault.example.com/v1/some-engine/keys/some-key \
  $FILE_TO_ENCODE
Alternatively, the gerrit-monitoring.py encrypt script can be used to encrypt the file:
pipenv run python ./gerrit-monitoring.py \
  --config config.yaml \
  encrypt \
  --enc-method "vault" \
  --vault-url https://vault.example.com \
  --vault-engine some-engine \
  --vault-key some-key
To decrypt the file, run:
sops --in-place -d $FILE_TO_DECODE
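Both encrypt commands above rely on the --encrypted-regex to decide which values get protected, so it is worth checking the result. The following is an added example, not code from this page or from the gerrit-monitoring project: it walks an already-parsed config.yaml (represented here as a constructed Python dict with abbreviated ciphertexts) and reports values that sops should have encrypted but left in plaintext, plus plaintext values under sensitive-looking keys that the case-sensitive, end-anchored regex does not cover. The rule that sops encrypts a leaf when any map key on its path matches the regex is my reading of sops' behaviour.

```python
import re

# Key-name regex from the sops commands on this page: case-sensitive, anchored at the key's end.
ENCRYPTED_REGEX = re.compile(r"(password|htpasswd|cert|key|apiUrl|caCert|secret|accessToken)$")
# Looser, case-insensitive pattern used only to spot keys the strict regex leaves in plaintext.
SUSPICIOUS = re.compile(r"password|htpasswd|cert|key|secret|token", re.IGNORECASE)


def sops_encrypts(path):
    """sops encrypts a leaf if any map key on its path matches (my reading of sops' rule)."""
    return any(ENCRYPTED_REGEX.search(k) for k in path)


def is_ciphertext(value):
    """sops stores encrypted scalars as 'ENC[AES256_GCM,data:...,type:str]'."""
    return isinstance(value, str) and value.startswith("ENC[") and value.endswith("]")


def audit(node, path=()):
    """Return (plaintext values sops should have encrypted,
               plaintext values under sensitive-looking keys the regex misses),
    both as dotted key paths."""
    leaks, missed = [], []
    if path == ("sops",):          # sops' own metadata block, not user data
        return leaks, missed
    if isinstance(node, dict):
        for key, value in node.items():
            a, b = audit(value, path + (str(key),))
            leaks += a
            missed += b
    elif isinstance(node, list):   # list items carry no key of their own
        for value in node:
            a, b = audit(value, path)
            leaks += a
            missed += b
    elif not is_ciphertext(node):
        if sops_encrypts(path):
            leaks.append(".".join(path))
        elif any(SUSPICIOUS.search(k) for k in path):
            missed.append(".".join(path))
    return leaks, missed


# Constructed sample resembling config.yaml after `sops --encrypt`; ciphertexts are abbreviated.
SAMPLE = {
    "gerrit": {"url": "https://gerrit.example.com",
               "password": "ENC[AES256_GCM,data:abc,type:str]",
               "adminPassword": "hunter2"},     # capital P: 'password$' does not match
    "tls": {"cert": "ENC[AES256_GCM,data:def,type:str]", "key": "hunter3"},  # left in plaintext
    "prometheus": {"accessToken": "ENC[AES256_GCM,data:ghi,type:str]", "scrapeInterval": "30s"},
    "sops": {"version": "3.7.3", "encrypted_regex": "(password|...)$"},
}


def audit_sample():
    return audit(SAMPLE)   # returns (['tls.key'], ['gerrit.adminPassword'])
```

Run it against the real file after parsing it with a YAML library; the first list must be empty before the file is committed, and the second list tells you which keys to add to the regex.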