Add hiera-gpg for storing secrets used in templates.

edit-secrets

@@ -0,0 +1,148 @@
+#!/bin/bash
+
+set -e
+umask 077
+
+LAST_OUTPUT_FILENAME="/root/.last_edit-secrets_output"
+
+if [ "x$1" = "x" ]; then
+    echo "Syntax: $0 -l OR fqdn"
+    exit 1
+fi
+
+if [ "x$1" != "x-l" ]; then
+    host=$1
+
+    if [ ! -d $host ]; then
+	echo "$0: No host-directory for '$host' found - execute in top-level cosmos dir"
+	exit 1
+    fi
+
+    # Execute this very script, on a remote host
+    TMPFILE=$(mktemp)
+    if [ ! -f $TMPFILE ]; then
+	echo "$0: Failed creating temporary file"
+	exit 1
+    fi
+    TMPFILE2=$(mktemp)
+    if [ ! -f $TMPFILE2 ]; then
+	echo "$0: Failed creating temporary file"
+	exit 1
+    fi
+
+    trap "rm -f $TMPFILE $TMPFILE2" EXIT
+
+    ssh -t $host /var/cache/cosmos/repo/edit-secrets -l
+    scp -q $host:$LAST_OUTPUT_FILENAME $TMPFILE
+
+    if grep ^"STATUS=UPDATED" $TMPFILE > /dev/null; then
+	# extract the path of the file that should be updated in the Cosmos repo
+        save_to=$(grep ^"SAVE_TO=" $TMPFILE | cut -d = -f 2-)
+	if [ ! -f $save_to ]; then
+	    echo "$0: Output file $save_to doesn't exist"
+	    echo "    (leaving output in $TMPFILE)"
+	    rm $TMPFILE2
+	    trap EXIT  # clear trap command to preserve $TMPFILE
+	    exit 1
+	fi
+	# extract the GPG output
+	perl -e '$a = 0; while (<>) { $a = 1 if ($_ =~ /-+BEGIN PGP MESSAGE-+/);
+                 print $_ if $a; $a = 0 if ($_ =~ /-+END PGP MESSAGE-+/); }' < $TMPFILE > $TMPFILE2
+
+	if ! grep "END PGP MESSAGE" $TMPFILE2 > /dev/null; then
+	    echo "$0: Failed extracting PGP output from file $TMPFILE into $TMPFILE2"
+	    exit 1
+	fi
+	# use cat to preserve permissions etc.
+	cat $TMPFILE > $save_to
+	git add $save_to
+
+	echo ""
+	echo "$save_to updated"
+	echo ""
+    else
+	echo ""
+	echo "Not updated"
+	echo ""
+    fi
+
+    rm $TMPFILE $TMPFILE2
+
+    exit 0
+fi
+
+#
+# Local execution on a host
+#
+
+SECRETFILE=/etc/hiera/data/secrets.yaml.asc
+GNUPGHOME=/etc/hiera/gpg/
+export GNUPGHOME
+
+GPG=`which gpg2 || true`
+if [ ! -x "$GPG" ]; then
+    GPG=`which gpg || true`
+    if [ ! -x "$GPG" ]; then
+	echo "$0: gpg2 or gpg not found"
+	exit 1
+    fi
+fi
+
+TMPFILE=$(mktemp --tmpdir=/dev/shm)
+TMPFILE2=$(mktemp --tmpdir=/dev/shm)
+
+if [ ! -f $TMPFILE ]; then
+    echo "$TMPFILE"
+    echo "$0: Failed creating temporary file"
+    exit 1
+fi
+if [ ! -f $TMPFILE2 ]; then
+    echo "$TMPFILE2"
+    echo "$0: Failed creating temporary file 2"
+    exit 1
+fi
+
+trap "rm -f $TMPFILE $TMPFILE2" EXIT
+
+if [ ! -f "$GNUPGHOME/secring.gpg" ]; then
+    echo "$0: Secret keyring $GNUPGHOME/secring.gpg does not exist."
+    exit 1
+fi
+
+if [ -s $SECRETFILE ]; then
+    $GPG -d $SECRETFILE > $TMPFILE
+fi
+
+cp $TMPFILE $TMPFILE2
+sensible-editor $TMPFILE
+rm -f ${TMPFILE}~ ${TMPFILE2}~
+
+echo ""
+echo ""
+
+status=0
+cmp -s $TMPFILE $TMPFILE2 || status=1
+if [ $status -eq 0 ]; then
+    (
+	echo "STATUS=NOT_CHANGED"
+    )  > $LAST_OUTPUT_FILENAME
+    echo ""
+    echo "$0: No changes detected"
+else
+    # figure out this hosts gpg key id
+    recipient=$($GPG --list-secret-key | grep ^sec | head -1 | awk '{print $2}' | cut -d / -f 2)
+
+    save_to="`hostname --fqdn`/overlay${SECRETFILE}"
+    echo ""
+    (
+	echo "STATUS=UPDATED"
+	echo "SAVE_TO=$save_to"
+	echo ""
+    ) > $LAST_OUTPUT_FILENAME
+    $GPG --output - --armor --recipient $recipient --sign --encrypt $TMPFILE >> $LAST_OUTPUT_FILENAME
+    echo ""
+    echo "GPG output saved in $LAST_OUTPUT_FILENAME - save it in Cosmos as"
+    echo ""
+    echo "  $save_to"
+    echo ""
+fi

global/overlay/etc/puppet/cosmos-modules.conf

@@ -10,3 +10,4 @@ vcsrepo puppetlabs/vcsrepo no
 xinetd puppetlabs/xinetd no
 #golang elithrar/golang yes
 #python git://github.com/stankevich/puppet-python.git yes
+hiera-gpg git://github.com/SUNET/hiera-gpg.git no

global/overlay/etc/puppet/hiera.yaml

@@ -0,0 +1,18 @@
+---
+:backends: - yaml
+           - gpg
+
+:logger: console
+
+:hierarchy: - %{env}/%{location}/%{calling_module}
+            - %{env}/%{calling_module}
+            - secrets.yaml
+            - common
+
+
+:yaml:
+   :datadir: /etc/hiera/data
+
+:gpg:
+   :datadir: /etc/hiera/data
+   :key_dir: /etc/hiera/gpg

global/pre-tasks.d/040hiera-gpg

@@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# Set up a keyring for Hiera GPG
+#   https://github.com/crayfishx/hiera-gpg
+#
+
+set -e
+
+GNUPGHOME=/etc/hiera/gpg
+export GNUPGHOME
+
+if [ ! -f /usr/lib/ruby/vendor_ruby/gpgme.rb ]; then
+    apt-get update
+    apt-get -y install ruby-gpgme
+fi
+
+
+if [ ! -s $GNUPGHOME/secring.gpg ]; then
+
+    if [ "x$1" != "x--force" ]; then
+	echo ""
+	echo "Automatic Hiera-GPG key generation DISABLED (to not block on missing entropy)"
+	echo ""
+	echo "  Run \`$0 --force' manually"
+	echo ""
+	exit 0
+    fi
+
+    if [ ! -f /usr/bin/gpg2 ]; then
+	apt-get update
+	apt-get -y install gnupg2
+    fi
+
+    mkdir -p $GNUPGHOME
+    chmod 700 $GNUPGHOME
+
+    TMPFILE=$(mktemp /tmp/hiera-gpg.XXXXXX)
+    cat > $TMPFILE <<EOF
+%echo Generating a default key
+Key-Type: default
+Subkey-Type: default
+Name-Real: Cosmos Puppet
+Name-Comment: Hiera GPG key
+Name-Email: root@`hostname --fqdn`
+Expire-Date: 0
+# Do a commit here, so that we can later print "done" :-)
+%commit
+%echo done
+EOF
+    gpg2 --batch --gen-key $TMPFILE
+    rm -f $TMPFILE
+fi