Option for encryption of secrets.yml with gpg

Change-Id: I69da488b5ac9872a92d59d859033026c995f6fca
Related-PROD: PROD-23609 (PROD:23609)
Related-PROD: PROD-23610 (PROD:23610)
diff --git a/generate-cookiecutter-products.groovy b/generate-cookiecutter-products.groovy
index 33a3f60..c56f1a1 100644
--- a/generate-cookiecutter-products.groovy
+++ b/generate-cookiecutter-products.groovy
@@ -132,10 +132,35 @@
             }
 
             stage('Generate model') {
-                python.setupCookiecutterVirtualenv(cutterEnv)
-                // FIXME refactor generateModel
-                python.generateModel(common2.dumpYAML(['default_context': context]), 'default_context', context['salt_master_hostname'], cutterEnv, modelEnv, templateEnv, false)
-                git.commitGitChanges(modelEnv, "Create model ${context['cluster_name']}", "${user}@localhost", "${user}")
+                // GNUPGHOME environment variable is required for all gpg commands
+                // and for python.generateModel execution
+                withEnv(["GNUPGHOME=${env.WORKSPACE}/gpghome"]) {
+                    if (context['secrets_encryption_enabled'] == 'True') {
+                        sh "mkdir gpghome; chmod 700 gpghome"
+                        def secretKeyID = RequesterEmail
+                        if (!context.get('secrets_encryption_private_key')) {
+                            def batchData = """
+                                Key-Type: 1
+                                Key-Length: 4096
+                                Expire-Date: 0
+                                Name-Real: ${context['salt_master_hostname']}.${context['cluster_domain']}
+                                Name-Email: ${secretKeyID}
+                            """.stripIndent()
+                            writeFile file:'gpg-batch.txt', text:batchData
+                            sh "gpg --gen-key --batch < gpg-batch.txt"
+                            sh "gpg --export-secret-key -a ${secretKeyID} > gpgkey.asc"
+                        } else {
+                            writeFile file:'gpgkey.asc', text:context['secrets_encryption_private_key']
+                            sh "gpg --import gpgkey.asc"
+                            secretKeyID = sh(returnStdout: true, script: 'gpg --list-secret-keys --with-colons | awk -F: -e "/^sec/{print \\$5; exit}"').trim()
+                        }
+                        context['secrets_encryption_key_id'] = secretKeyID
+                    }
+                    python.setupCookiecutterVirtualenv(cutterEnv)
+                    // FIXME refactor generateModel
+                    python.generateModel(common2.dumpYAML(['default_context': context]), 'default_context', context['salt_master_hostname'], cutterEnv, modelEnv, templateEnv, false)
+                    git.commitGitChanges(modelEnv, "Create model ${context['cluster_name']}", "${user}@localhost", "${user}")
+                }
             }
 
             stage("Test") {
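Review bot: The armored private key is left in plain text in the workspace — `gpgkey.asc` is written by shell redirection on the export line and by `writeFile` on the import branch, and `gpghome` holds the secret keyring — with nothing in the hunk removing either once `generateModel` has run; since `${env.WORKSPACE}` may persist between builds and be readable by other jobs on the same agent (inferred, not visible here), the stage body should be wrapped in `try { … } finally { sh "rm -rf gpghome gpgkey.asc gpg-batch.txt" }` and the export line run under a restrictive umask, `sh "umask 077; gpg --export-secret-key -a '${secretKeyID}' > gpgkey.asc"`. The same quoting applies to `secretKeyID`, which comes straight from the `RequesterEmail` parameter and is interpolated into a shell command unquoted. `sh "mkdir gpghome; chmod 700 gpghome"` also passes on a reused workspace because only the `chmod` exit status is reported, so an existing directory with stale keys would be silently reused; `mkdir -p gpghome && chmod 700 gpghome` makes the intent explicit. Two smaller points worth confirming: the batch file sets no `Passphrase:` and no `%no-protection`, which on a modern gpg may block on pinentry in an unattended run, and `awk -e` is a gawk extension that mawk does not accept. The enclosing pipeline block starts and ends outside the hunk.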
@@ -183,6 +208,9 @@
                 sh "git clone --mirror https://github.com/Mirantis/mk-pipelines.git ${pipelineEnv}/mk-pipelines"
                 sh "git clone --mirror https://github.com/Mirantis/pipeline-library.git ${pipelineEnv}/pipeline-library"
                 args = "--user-data user_data --hostname ${context['salt_master_hostname']} --model ${modelEnv} --mk-pipelines ${pipelineEnv}/mk-pipelines/ --pipeline-library ${pipelineEnv}/pipeline-library/ ${context['salt_master_hostname']}.${context['cluster_domain']}-config.iso"
+                if (context['secrets_encryption_enabled'] == 'True') {
+                    args = "--gpg-key gpgkey.asc " + args
+                }
 
                 // load data from model
                 def smc = [:]
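Review bot: `--gpg-key gpgkey.asc` is a path relative to the current directory, so this stage silently depends on running in the same working directory where 'Generate model' wrote the file; if any `dir()` or agent change sits between the two stages (not visible here) the ISO build would fail or pick up the wrong file. Anchoring it to the workspace, `args = "--gpg-key ${env.WORKSPACE}/gpgkey.asc " + args`, removes the coupling, and a short comment such as `// private key exported/imported in 'Generate model'; it is embedded into the config ISO` would tell a reader where the file comes from and that the ISO then carries key material. The enclosing stage starts before and ends after the hunk.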