
New function: cf_secret to return everything we know about a secret as a data container


    Details

    • Type: Task
    • Status: Open
    • Priority: (None)
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Built-in functions
    • Labels: None

      Description

      Add a policy function for getting secrets from cf-secret-encrypted files and make sure variables used for storing such values are tagged with _cf-secret.

      • Function should return a data container having 2 keys, headers and data.
      • The headers key should include the information from cf-secret print-headers
      • The data key should include the decrypted data.
      • Function should take full path to encrypted file as parameter
      • Function should have an optional parameter containing the full path to a private key, defaulting to the host's private key
      bundle agent __main__
      {
        vars:
            # Shape of the returned container; it might be useful to have this info from cf-secret print-headers
            "secret" data => '{
              "headers": {
                "Version": "1.0",
                "Encrypted-for": [
                  "SHA=4327...",
                  "MD5=1234"
                ]
              },
              "data": "blob"
            }';

            "secret"
              data => cf_secret("/path/to/secret.cfsecret"),
              meta => { "cf-secret" }; # This tag should be /automatically/ added when this function is used in a promise.

            # Optional path to private key, default to $(sys.workdir)/ppkeys/localhost.pub
            "secret"
              data => cf_secret("/path/to/secret.cfsecret", "/var/cfengine/ppkeys/some-key.priv"),
              meta => { "cf-secret" }; # This tag should be /automatically/ added when this function is used in a promise.
      }
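      As an added illustration (not code from the ticket or from CFEngine), the following Python builds the proposed two-key container from a cf-secret-style file. It assumes the envelope layout is header lines, one blank line, then the encrypted payload; the digests and payload in the sample are constructed placeholders, and decryption is left out, so "data" carries the raw payload rather than the plaintext.

```python
"""Parse a cf-secret-style envelope into the {"headers", "data"} container shape.

Assumed file layout (an assumption for this example, not taken from the ticket):
header lines of the form "Name: value", one blank line, then the encrypted
payload. Decryption is not performed; "data" carries the payload bytes.
"""
import re

# Headers that may repeat and are therefore always returned as a list,
# matching the "Encrypted-for" array in the ticket's mock container.
MULTI_VALUED = {"Encrypted-for"}
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")

def parse_cf_secret(blob: bytes) -> dict:
    head, sep, payload = blob.partition(b"\n\n")
    if not sep:
        raise ValueError("no blank line separating headers from encrypted payload")
    headers: dict = {}
    for raw in head.decode("ascii").splitlines():
        m = HEADER_RE.match(raw)
        if not m:
            raise ValueError(f"malformed header line: {raw!r}")
        name, value = m.group(1), m.group(2)
        if name in MULTI_VALUED:
            headers.setdefault(name, []).append(value)
        elif name in headers:
            raise ValueError(f"duplicate header: {name}")
        else:
            headers[name] = value
    # Refuse envelopes we cannot interpret rather than returning half a container.
    if headers.get("Version") != "1.0":
        raise ValueError(f"unsupported Version header: {headers.get('Version')!r}")
    if not headers.get("Encrypted-for"):
        raise ValueError("no Encrypted-for header: cannot tell which key decrypts this")
    return {"headers": headers, "data": payload}

def can_decrypt_with(container: dict, key_digest: str) -> bool:
    """True if the envelope lists key_digest among its recipients."""
    return key_digest in container["headers"]["Encrypted-for"]

# Constructed sample envelope: digests are placeholders, payload is not real ciphertext.
SAMPLE = (b"Version: 1.0\n"
          b"Encrypted-for: SHA=4327abcd\n"
          b"Encrypted-for: MD5=1234\n"
          b"\n"
          b"\x00\x01blob")

if __name__ == "__main__":
    c = parse_cf_secret(SAMPLE)
    print(c["headers"], can_decrypt_with(c, "SHA=4327abcd"))
```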
      

              People

              • Assignee: Unassigned
              • Reporter: vpodzime Vratislav Podzimek