Version: 2.2.x

Opscotch Packager Tool

Opscotch is secure by design: configurations are deployed to the agent encrypted.

The opscotch packager is used to encrypt the following data:

  1. Bootstrap configurations
  2. Workflow configurations
  3. Authentication data

All packaging operations accept data through stdin and emit packaged data on stdout.

Packaging configuration

All opscotch-packager operations require the packaging configuration.

The packaging configuration defines the resources for compiling and signing workflow configurations, the encryption key, and the license information.

The packaging configuration has the following items:

  • resources: Workflow configurations can refer to external resource files which are included when packaging. They are referred to as "resources". Resources can be supplied from multiple resource directories. This field is only required when packaging workflows.
  • agent public key: The files supplied to the agent are encrypted using public key encryption. Use the public key that matches the private key the agent is configured with.
  • opscotch license: All packaging activities require a valid opscotch license. See here for details on licensing.

The above information is written into a JSON file such as package.json:

{
"license" : "license.txt",
"agentPublicKey" : "configs/agent.public.key", // or the base64 contents of the key file
"resourceDirs" : ["."] // only required for workflow packaging
}

Bootstrap encryption

Bootstrap files can be encrypted, see Securing.

To encrypt a bootstrap, pipe the raw bootstrap into the opscotch packager, using the bootstrap mode and providing the packaging configuration. The encrypted file is emitted to stdout, where you can redirect it to a file.

cat bootstrap.json | opscotch-packager bootstrap package.json > bootstrap.packaged

Loading an encrypted bootstrap file in the agent requires that you provide the decryption key as the second argument when starting the agent:

opscotch-agent bootstrap.packaged <path to decryption key or base64 encoded key>

Authentication property encryption

Authentication host properties can be encrypted, see Securing.

Encrypted authentication host properties are useful when the bootstrap source is stored in plain text: the credentials can still be encrypted. Additionally, if you use environment variables to load credentials into authentication hosts, the environment variable values can be encrypted.

To encrypt a value, pipe the raw value into the opscotch packager, using the encrypt mode and providing the packaging configuration. The encrypted value is emitted to stdout, where it can be copied and pasted into the bootstrap file authentication host properties.

echo "encrypt me" | opscotch-packager encrypt package.json

Workflow packaging and encryption

Workflow configurations are compiled, signed and encrypted, see Securing.

Workflow packaging requires the resources property (resourceDirs in the example above) to be set in the packaging configuration.

To package a workflow file, pipe the raw workflow into the opscotch packager, using the workflow mode and providing the packaging configuration. The encrypted file is emitted to stdout, where you can redirect it to a file.

cat workflow.json | opscotch-packager workflow package.json > workflow.packaged
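
The bootstrap and workflow commands above redirect stdout straight into the target file, so the shell truncates that file before the packager runs, and a failed run (for example an invalid license) leaves an empty or partial file where the previous package was. The wrapper below is an added example, not part of opscotch: it writes to a temporary file and renames it only on success. It assumes opscotch-packager exits non-zero on failure and never emits an empty package; package_file and the PACKAGER variable are hypothetical names.

```sh
#!/bin/sh
# Added example (not shipped with opscotch): package to a temp file and
# rename it over the target only when packaging succeeded.
# Assumptions: opscotch-packager exits non-zero on failure and never emits
# an empty package. PACKAGER is a hypothetical override for the binary name.

# Usage: package_file MODE CONFIG INPUT OUTPUT   (MODE: bootstrap or workflow)
package_file() {
    [ $# -eq 4 ] || { echo "usage: package_file MODE CONFIG INPUT OUTPUT" >&2; return 2; }
    mode=$1; config=$2; input=$3; output=$4

    case "$mode" in
        bootstrap|workflow) ;;
        *) echo "package_file: unsupported mode '$mode'" >&2; return 2 ;;
    esac

    for f in "$config" "$input"; do
        [ -r "$f" ] || { echo "package_file: cannot read $f" >&2; return 2; }
    done

    # The temp file lives beside the target so the final mv is a rename on
    # the same filesystem; mktemp creates it readable by the owner only.
    tmp=$(mktemp "$output.XXXXXX") || return 1

    # Same invocation as on this page, with stdin taken from INPUT.
    if "${PACKAGER:-opscotch-packager}" "$mode" "$config" < "$input" > "$tmp" \
        && [ -s "$tmp" ]; then
        mv -f "$tmp" "$output"
    else
        rm -f "$tmp"
        echo "package_file: packaging failed, $output left unchanged" >&2
        return 1
    fi
}

# package_file bootstrap package.json bootstrap.json bootstrap.packaged
# package_file workflow  package.json workflow.json  workflow.packaged
```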