Encryption
Zuul supports storing encrypted data directly in the git repositories of projects it operates on. If you have a job which requires private information in order to run (e.g., credentials to interact with a third-party service) those credentials can be stored along with the job definition.
Each project in Zuul has its own automatically generated RSA keypair
which can be used by anyone to encrypt a secret and only Zuul is able
to decrypt it. Zuul serves each project’s public key using its
build-in webserver. They can be fetched at the path
/api/tenant/<tenant>/key/<project>.pub
where <project>
is the
canonical name of a project and <tenant>
is the name of a tenant
with that project.
Zuul currently supports one encryption scheme, PKCS#1 with OAEP, which can not store secrets longer than the 3760 bits (derived from the key length of 4096 bits minus 336 bits of overhead). The padding used by this scheme ensures that someone examining the encrypted data can not determine the length of the plaintext version of the data, except to know that it is not longer than 3760 bits (or some multiple thereof).
In the config files themselves, Zuul uses an extensible method of
specifying the encryption scheme used for a secret so that other
schemes may be added later. To specify a secret, use the
!encrypted/pkcs1-oaep
YAML tag along with the base64 encoded
value. For example:
- secret:
name: test_secret
data:
password: !encrypted/pkcs1-oaep |
BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71YUsi
...
To support secrets longer than 3760 bits, the value after the encryption tag may be a list rather than a scalar. For example:
- secret:
name: long_secret
data:
password: !encrypted/pkcs1-oaep
- er1UXNOD3OqtsRJaP0Wvaqiqx0ZY2zzRt6V9vqIsRaz1R5C4/AEtIad/DERZHwk3Nk+KV
...
- HdWDS9lCBaBJnhMsm/O9tpzCq+GKRELpRzUwVgU5k822uBwhZemeSrUOLQ8hQ7q/vVHln
...
The zuul-client utility <https://zuul-ci.org/docs/zuul-client/>`_ provides a simple way to encrypt secrets for a Zuul project:
usage: zuul-client encrypt [-h] [--public-key /path/to/pubkey]
[--tenant TENANT] [--project PROJECT] [--no-strip]
[--secret-name SECRET_NAME]
[--field-name FIELD_NAME] [--infile INFILE]
[--outfile OUTFILE]
optional arguments:
-h, --help show this help message and exit
--public-key /path/to/pubkey
path to project public key (bypass API call)
--tenant TENANT tenant name
--project PROJECT project name
--no-strip Do not strip whitespace from beginning or end of
input.
--secret-name SECRET_NAME
How the secret should be named. If not supplied, a
placeholder will be used.
--field-name FIELD_NAME
How the name of the secret variable. If not supplied,
a placeholder will be used.
--infile INFILE A filename whose contents will be encrypted. If not
supplied, the value will be read from standard input.
If entering the secret manually, press Ctrl+d when
finished to process the secret.
--outfile OUTFILE A filename to which the encrypted value will be
written. If not supplied, the value will be written to
standard output.