From 3ab141801a10254b237e1412c3ddb0dd75e95e45 Mon Sep 17 00:00:00 2001
From: Theo Chatzimichos
Date: Oct 31 2017 15:29:37 +0000
Subject: Merge branch 'tampakrap_gpg' into 'production'
add wrapper script to encrypt a string that we can use as secret pillar
See merge request infra/salt!72
---
diff --git a/bin/encrypt_pillar.sh b/bin/encrypt_pillar.sh
new file mode 100755
index 0000000..35d0d84
--- /dev/null
+++ b/bin/encrypt_pillar.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+help() {
+ echo "Encrypt a given string and print out the output. This output can be"
+ echo "then used as encrypted pillar"
+ echo
+}
+
+[[ $1 == '--help' ]] && help && exit
+
+while getopts s:v:h arg; do
+ case ${arg} in
+ h) help && exit ;;
+ *) help && exit 1 ;;
+ esac
+done
+
+echo "Please type the string that you want to encrypt"
+read STRING
+
+[[ -z $STRING ]] && help && exit 1
+
+RECIPIENTS=$(egrep '^\s*0x' encrypted_pillar_recipients | while read i; do echo "-r $i"; done | xargs)
+echo -n "${STRING}" | gpg --armor --batch --trust-model always --encrypt ${RECIPIENTS}
diff --git a/encrypted_pillar_recipients b/encrypted_pillar_recipients
new file mode 100644
index 0000000..9cc37e6
--- /dev/null
+++ b/encrypted_pillar_recipients
@@ -0,0 +1,16 @@
+# Christian Boltz
+0xC6A682EA63C82F1C
+# Lars Vogdt
+0xCE054B2AF62B7584
+# Martin Caj
+0x2E77A13011F5D3C2
+# Sarah Julia Kriesch
+0x6F5CA277DDA33BB5
+# Theo Chatzimichos
+0x9640E4FA29485B97
+# Thorsten Bro
+0x433A21C2C930E5E6
+
+## saltmasters
+# minnie.infra.opensuse.org
+0xF1C33B7A1346F48E
diff --git a/salt/profile/salt/master.sls b/salt/profile/salt/master.sls
index 44df3f7..3db317b 100644
--- a/salt/profile/salt/master.sls
+++ b/salt/profile/salt/master.sls
@@ -11,6 +11,17 @@ remove-etc-salt-master:
 - listen_in:
 - service: salt-master
+/etc/salt/gpgkeys:
+ file.directory:
+ - user: salt
+ - group: salt
+ - dir_mode: 700
+ - file_mode: 600
+ - recurse:
+ - user
+ - group
+ - mode
+
 /srv/reactor:
 file.recurse:
 - source: salt://profile/salt/files/reactor
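Review bot: `read STRING` reads the secret with backslash processing and echoes it to the terminal and its scrollback; `read -r -s STRING` (followed by a bare `echo` to restore the newline) avoids both. The recipients file is opened relative to the current directory, so the script only works from the repository root, and an empty or missing file leaves `${RECIPIENTS}` empty and hands gpg a recipient-less `--encrypt` instead of failing early. The `s:` and `v:` in the getopts spec declare options that no case arm handles and can be dropped. The rewrite below resolves the file next to the script, builds the `-r` arguments as an array instead of relying on unquoted word-splitting, aborts when no key ids were found, and passes the secret through `printf '%s'` so a leading `-n` or `-e` is not consumed by echo.
```shell
# … unchanged: help(), --help check, getopts loop, prompt …
read -r -s STRING
echo

[[ -z $STRING ]] && help && exit 1

recipients_file="$(dirname -- "$0")/../encrypted_pillar_recipients"
recipient_args=()
while read -r keyid; do
  recipient_args+=(-r "${keyid}")
done < <(grep -E '^[[:space:]]*0x' -- "${recipients_file}")
(( ${#recipient_args[@]} > 0 )) || { echo "no recipients found in ${recipients_file}" >&2; exit 1; }
printf '%s' "${STRING}" | gpg --armor --batch --trust-model always --encrypt "${recipient_args[@]}"
```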
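Review bot: The entries are 16-hex-digit long key ids rather than full fingerprints, and because the companion script encrypts with `--trust-model always`, this list is the only thing binding the ciphertext to the intended keys; a long id is a truncation of the fingerprint and is not guaranteed to identify a single key in the keyring. Listing full fingerprints (and widening the script's `^\s*0x` filter accordingly) removes that ambiguity. A header comment such as `# One gpg key per line; keys are fetched from <KEYSERVER-PLACEHOLDER>, list maintained by <TEAM-PLACEHOLDER>` would also tell a reader where a new recipient's key is expected to come from.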
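Review bot: `dir_mode: 700` and `file_mode: 600` are bare YAML integers; Salt's documentation recommends quoting file modes as strings so the value is passed through as octal text rather than depending on integer normalisation, i.e. `- dir_mode: '0700'` and `- file_mode: '0600'`. A one-line comment above the state, such as `# keyring used by the gpg pillar renderer; must stay readable only by the salt user`, would explain why this directory is locked down more tightly than its neighbours in the file.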