Add ability to encrypt/decrypt NTP keys

Signed-off-by: Yevhen Fastiuk <[email protected]>

Author: fastiuk

files/image_config/ntp/ntp.keys.j2

@@ -13,5 +13,6 @@
 {# Define authentication keys inventory -#}
 {% set trusted_str = ' ' ~ trusted_arr|join(',') -%}
 {% for keyid in NTP_KEY if NTP_KEY[keyid].type and NTP_KEY[keyid].value %}
-{{ keyid }} {{ NTP_KEY[keyid].type }} {{ NTP_KEY[keyid].value }}{{trusted_str}}
+{% set keyval = NTP_KEY[keyid].value | b64decode %}
+{{ keyid }} {{ NTP_KEY[keyid].type }} {{ keyval }}{{trusted_str}}
 {% endfor -%}

src/sonic-config-engine/sonic-cfggen

@@ -25,6 +25,7 @@ import netaddr
 import os
 import sys
 import yaml
+import base64
 
 from collections import OrderedDict
 from config_samples import generate_sample_config, get_available_config
@@ -137,6 +138,31 @@ def ip_network(value):
         return "Invalid ip address %s" % value
     return r_v.network
 
+
+def b64encode(value):
+    """Base64 encoder
+    Return:
+        encoded string or the same value in case of error
+    """
+    try:
+        ret = base64.b64encode(value.encode()).decode()
+    except:
+        return value
+    return ret
+
+
+def b64decode(value):
+    """Base64 decoder
+    Return:
+        decoded string or the same value in case of error
+    """
+    try:
+        ret = base64.b64decode(value.encode()).decode()
+    except:
+        return value
+    return ret
+
+
 def load_namespace_config(asic_name):
     if not SonicDBConfig.isInit():
         if is_multi_asic():
@@ -250,6 +276,10 @@ def _get_jinja2_env(paths):
     for attr in ['ip', 'network', 'prefixlen', 'netmask', 'broadcast']:
         env.filters[attr] = partial(prefix_attr, attr)
 
+    # Base64 encoder/decoder
+    env.filters['b64encode'] = b64encode
+    env.filters['b64decode'] = b64decode
+
     return env
 
 def main():