https://blog.edlitmus.info/generate-secure-pillar/
generate-secure-pillar [command] [flags]
Ed Silva ed.silva@everbridge.com
brew tap esilva-everbridge/homebrew-generate-secure-pillar
brew install generate-secure-pillar

A config file can be used to set default values. If one does not already exist, an example file with commented-out values is created for you. The file location defaults to ~/.config/generate-secure-pillar/config.yaml.
Profiles can be defined in the config file and selected on the command line with the --profile option.
```yaml
profiles:
  - name: dev
    default: true
    default_key: Dev Salt Master
    gnupg_home: ~/.gnupg
  - name: prod
    default: false
    default_key: Prod Salt Master
    gnupg_home: ~/.gnupg
...
```

The PGP keys you import for use with this tool need to be trusted keys; GnuPG will not silently encrypt to a key it does not consider valid. An easy way to do this is, after importing a key, to run the following command (the `5` answers the trust prompt with "ultimate", the `y` confirms it):

```sh
expect -c "spawn gpg --edit-key '<the PGP key id here>' trust quit; send \"5\ry\r\"; expect eof"
```

(found here: https://gist.github.com/chrisroos/1205934#gistcomment-2203760)
completion Generate the autocompletion script for the specified shell
create create a new sls file
decrypt perform decryption operations
encrypt perform encryption operations
help Help about any command
keys show PGP key IDs used
rotate decrypt existing files and re-encrypt with a new key
update update the value of the given key in the given file
      --config string    config file (default is $HOME/.config/generate-secure-pillar/config.yaml)
      --profile string   profile name from profile specified in the config file
      --pubring string   PGP public keyring (default is $HOME/.gnupg/pubring.gpg)
      --secring string   PGP private keyring (default is $HOME/.gnupg/secring.gpg)
  -k, --pgp_key string   PGP key name, email, or ID to use for encryption
  -e, --element string   Name of the top level element under which encrypted key/value pairs are kept
  -h, --help             help for generate-secure-pillar
      --version          print the version

Note that the keyring defaults are the legacy GnuPG file names. GnuPG 2.1 and later keep public keys in pubring.kbx and private keys in private-keys-v1.d rather than secring.gpg, so on such systems point --pubring and --secring at keyrings exported in the legacy format.
(c) 2018 Everbridge, Inc.
CAVEAT: YAML files containing include statements are not handled properly, so the tool skips them.
```sh
# create a new sls file, using the dev profile or an explicit key
$ generate-secure-pillar --profile dev create -n secret_name1 -s secret_value1 -n secret_name2 -s secret_value2 -o new.sls
$ generate-secure-pillar -k "Salt Master" create -n secret_name1 -s secret_value1 -n secret_name2 -s secret_value2 -o new.sls

# add a key to, or change the value of a key in, an existing file
$ generate-secure-pillar -k "Salt Master" update -n new_secret_name -s new_secret_value -f new.sls
$ generate-secure-pillar -k "Salt Master" update -n secret_name -s secret_value3 -f new.sls

# encrypt all values in a file, writing to an output file or updating in place
$ generate-secure-pillar -k "Salt Master" encrypt all -f us1.sls -o us1.sls
$ generate-secure-pillar -k "Salt Master" encrypt all -f us1.sls --update

# encrypt under a different top level element
$ generate-secure-pillar -k "Salt Master" --element secret_stuff encrypt all -f us1.sls -o us1.sls

# encrypt or decrypt every file under a directory
$ generate-secure-pillar -k "Salt Master" encrypt recurse -d /path/to/pillar/secure/stuff
$ generate-secure-pillar decrypt recurse -d /path/to/pillar/secure/stuff

# decrypt a single value addressed by its YAML path
$ generate-secure-pillar decrypt path --path "some:yaml:path" -f new.sls

# decrypt everything under a directory and re-encrypt with a new key
$ generate-secure-pillar -k "New Salt Master Key" rotate -d /path/to/pillar/secure/stuff

# show which PGP key IDs the encrypted values were encrypted to
$ generate-secure-pillar keys all -f us1.sls
$ generate-secure-pillar keys recurse -d /path/to/pillar/secure/stuff
$ generate-secure-pillar keys path --path "some:yaml:path" -f new.sls
```
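After an `encrypt all` or `rotate` run, the thing worth checking before the file is committed is that nothing under the top level element is still plaintext. The following audit script is an added example written for this page, not code from the tool or its README. It writes a constructed sample pillar and lists every key under the element whose value is not a PGP-armored block. The layout it assumes (a `#!yaml|gpg` first line, two-space indented keys under the element, encrypted values as `|` block scalars beginning with the PGP armor header) and the default element name `secure_vars` are assumptions about the tool's output, not facts taken from this page.

```shell
#!/bin/sh
# Audit a pillar sls file: print keys under ELEMENT whose value is not a
# PGP-armored block.  Assumed layout (not verified against the tool):
#   #!yaml|gpg
#   secure_vars:
#     name: |
#       -----BEGIN PGP MESSAGE-----
#       ...
find_plaintext_values() {
    file=$1
    element=${2:-secure_vars}   # assumed default element name
    awk -v element="$element" '
        # a new top level key: flush any undecided block, then track whether
        # we are inside the element we care about
        /^[^ \t#]/ {
            if (pending != "") { print pending; pending = "" }
            inside = ($0 == (element ":"))
        }
        !inside { next }
        # a second-level key: "  name: value" or "  name: |"
        /^  [^ \t][^:]*:/ {
            if (pending != "") { print pending; pending = "" }
            key = $0;  sub(/^  /, "", key);  sub(/:.*/, "", key)
            rest = $0; sub(/^  [^:]*:[ \t]*/, "", rest)
            if (rest ~ /^[|>]/) { pending = key }   # block scalar: decide on next line
            else if (rest != "") { print key }      # inline value: plaintext
            next                                    # empty rest: nested map, skipped
        }
        # the first non-blank line of a pending block decides the verdict
        pending != "" && NF > 0 {
            if (index($0, "-----BEGIN PGP MESSAGE-----") == 0) print pending
            pending = ""
        }
        END { if (pending != "") print pending }
    ' "$file"
}

# Constructed sample; the armor body is fake and is not real ciphertext.
write_sample_pillar() {
    cat > "$1" <<'EOF'
#!yaml|gpg
secure_vars:
  db_password: |
    -----BEGIN PGP MESSAGE-----

    hQEMA0constructed0sample0not0real0ciphertext0=
    =abcd
    -----END PGP MESSAGE-----
  api_token: plaintext-oops
  ssh_key: |
    not an encrypted block
other_stuff:
  ignored: plaintext but outside the element
EOF
}

# Usage: audit.sh FILE [ELEMENT]; with no arguments, audit the sample.
if [ $# -gt 0 ]; then
    find_plaintext_values "$1" "${2:-secure_vars}"
else
    sample=$(mktemp)
    write_sample_pillar "$sample"
    find_plaintext_values "$sample"     # prints api_token and ssh_key
    rm -f "$sample"
fi
```

Only direct children of the element are inspected; a nested map under it is skipped rather than descended, so extend the key pattern if you nest secrets deeper. A non-empty result is the signal to re-run `encrypt all` (or `update`) before the file leaves your machine.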