From f18e575a502112bca3b90dffa729568546a14f1f Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Wed, 20 Oct 2021 11:33:03 -0700
Subject: [PATCH] Update zuul secrets decryption docs

Zuul has changed how it stores secret keys and they are in zookeeper now.
This means our old docs on decrypting things are no longer correct. Update
them with a new set of instructions that matches the modern setup.

Change-Id: I7484a8c02e005fadc41e22a4158b3dcb8434ec5d
---
 doc/source/zuul.rst | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/doc/source/zuul.rst b/doc/source/zuul.rst
index 08d2a63c2e..04c741da07 100644
--- a/doc/source/zuul.rst
+++ b/doc/source/zuul.rst
@@ -219,12 +219,28 @@ troubleshooting, since random padding means encrypting the same plaintext a second time will result in wholly different ciphertext. In order to avoid unintentional disclosure this should only be done when absolutely necessary, but it's possible to decrypt a secret locally on -the scheduler server with a command like the following (just extract the -secret ciphertext from the job configuration first to remove surrounding -YAML, there is no need to recombine split lines):: +the scheduler server. The first step is extracting the key data from +our daily key backups:: + + root@zuul# jq --raw-output '.keys."/keystorage/gerrit/opendev/opendev%2Fsystem-config".keys[0].private_key' /var/lib/zuul/zuul-keys-backup.json + +The name between the double quotes is the path to the project's keys in +ZooKeeper. To construct this you will need to know the Zuul connection name +and full project name. The connection name in the example above is 'gerrit', +replace it with the appropriate connection name for the project you are looking +at. Next is the unique project name. In the example above we start with +`opendev/system-config` and split it on `/`. Everything before the first `/` +is the next component of our name in this case, `opendev`. Then we take the +entire name `opendev/system-config` and URL encode it to get +`opendev%2Fsystem-config` which becomes our last component. + +Save the output of this jq command to a file `secret.pem`. Then extract the +secret ciphertext from the job configuration to remove surrounding +YAML (there is no need to recombine split lines) and run the following +command to decrypt:: cat ciphertext.txt | sed 's/^ *//' | base64 -d | sudo openssl rsautl -decrypt -oaep -inkey \ - /var/lib/zuul/keys/secrets/project/gerrit/openstack-infra/project-config/0.pem + secret.pem .. _zuul_github_projects:
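Review bot: The new "Save the output of this jq command to a file `secret.pem`" step writes the project's RSA private key to a plain file with no instruction to restrict its permissions or remove it afterwards, which sits awkwardly beside the retained "avoid unintentional disclosure" warning a few lines up in the same hunk; suggest creating it under a restrictive umask, e.g. `(umask 077; jq --raw-output '...' /var/lib/zuul/zuul-keys-backup.json > secret.pem)`, and adding a closing step such as `shred -u secret.pem` once the secret has been decrypted. Related: the decrypt command still carries `sudo openssl rsautl -decrypt -oaep -inkey` over from the old in-place `/var/lib/zuul/keys/...` path; with the key now in a `secret.pem` the operator just wrote (and a `root@zuul` prompt), the `sudo` no longer does anything and can be dropped. Also, `.keys[0].private_key` silently takes the first key listed for the project in the backup; if more than one key can be present there, the text should say how to pick the one that matches the secret rather than assuming index 0. Minor RST point: the inline names use single backticks (`opendev/system-config`, `opendev%2Fsystem-config`, `secret.pem`), which is the default interpreted-text role rather than an inline literal, while the connection name is in plain quotes ('gerrit'); double backticks throughout would render consistently.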