From 820df6d625ed97f346c3b52c8f1bc4d1cc24f569 Mon Sep 17 00:00:00 2001
From: Alexander Hughes
Date: Wed, 5 Jun 2019 17:44:16 +0000
Subject: [PATCH] Genesis Bundle Encryption Key source

Previously the site PEGLEG_PASSPHRASE variable was used to encrypt the genesis bundle. This is not always desired.
This patch:
1. Separates the Pegleg and Promenade encryption credentials
2. Simplifies the bundle code to avoid circular setting of environment variables unnecessarily.

Change-Id: I2195cf8df81d3775402299d9a2b0aad4ba483b2c
---
 pegleg/cli.py | 5 +++--
 pegleg/engine/bundle.py | 2 --
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/pegleg/cli.py b/pegleg/cli.py
index 0aac9f6a..557654e3 100644
--- a/pegleg/cli.py
+++ b/pegleg/cli.py
@@ -545,7 +545,7 @@ def wrap_secret_cli(*, site_name, author, file_name, output_path, schema,
 def genesis_bundle(*, build_dir, validators, site_name):
 passphrase = os.environ.get("PEGLEG_PASSPHRASE")
 salt = os.environ.get("PEGLEG_SALT")
- encryption_key = passphrase
+ encryption_key = os.environ.get("PROMENADE_ENCRYPTION_KEY")
 if passphrase:
 passphrase = passphrase.encode()
 if salt:
@@ -558,7 +558,8 @@ def genesis_bundle(*, build_dir, validators, site_name):
 encryption_key,
 validators,
 logging.DEBUG == LOG.getEffectiveLevel(),
- site_name)
+ site_name
+ )
 
 
 @secrets.command(
diff --git a/pegleg/engine/bundle.py b/pegleg/engine/bundle.py
index c498298e..665c1b76 100644
--- a/pegleg/engine/bundle.py
+++ b/pegleg/engine/bundle.py
@@ -78,8 +78,6 @@ def build_genesis(build_path, encryption_key, validators, debug, site_name):
 allow_missing_substitutions=False,
 leave_kubectl=False)
 if c.get_path('EncryptionPolicy:scripts.genesis') and encryption_key:
- os.environ['PROMENADE_ENCRYPTION_KEY'] = encryption_key
- os.environ['PEGLEG_PASSPHRASE'] = encryption_key
 Builder(c, validators=validators).build_all(output_dir=build_path)
 else:
 raise GenesisBundleEncryptionException()
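Review bot: In the first pegleg/cli.py hunk, `os.environ.get("PROMENADE_ENCRYPTION_KEY")` yields None when the variable is unset, and the only check on it is the truthiness test visible in build_genesis, which raises GenesisBundleEncryptionException without naming the missing variable. Sites that previously exported only PEGLEG_PASSPHRASE will now fail at that point, so I would reject the missing key in the CLI with an explicit message, e.g. `if not encryption_key: raise click.ClickException("PROMENADE_ENCRYPTION_KEY must be set to encrypt the genesis bundle")` (assuming click is what cli.py already uses for its commands). With the assignments removed in bundle.py, the value passed to build_genesis appears to act only as a presence gate while the key itself is presumably read from the environment downstream; a comment such as `# Promenade reads PROMENADE_ENCRYPTION_KEY from the environment; encryption_key only confirms it is set` would make that dependency explicit. The command's help text should also mention the new variable and that it should differ from PEGLEG_PASSPHRASE. The body of genesis_bundle continues outside this hunk.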