
Support encrypted and signed user data

Open TheRealFalcon opened this issue 1 year ago • 5 comments

Proposed Commit Message

feat: Support encrypted and signed user data

Cloud-init user data often contains user secrets including passwords
and private keys. This data has always been submitted in plain text.
To protect this data's confidentiality and guarantee its authenticity,
add the ability to have this data encrypted and signed.

A new user data format is added allowing for an ASCII armored PGP
MESSAGE. If detected, cloud-init will import into a temporary keyring
any keys provided in /etc/cloud/keys and use these keys to decrypt
and/or verify the provided data.

After decryption, the resulting message will be treated as user data
as before.

Fixes GH-4943

Additional Context

The squash: commits are just to make reviewing easier. I plan to squash them before merging.

Test Steps

Merge type

  • [ ] Squash merge using "Proposed Commit Message"
  • [x] Rebase and merge unique commits. Requires commit messages per-commit each referencing the pull request number (#<PR_NUM>)

TheRealFalcon avatar Aug 08 '24 20:08 TheRealFalcon
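As an added illustration of the mechanism the proposed commit message describes, the Python below (example code written for this page, not cloud-init's code and not the PR's implementation) detects an ASCII-armored PGP MESSAGE in user data, imports every key found in a key directory (the commit message names /etc/cloud/keys) into a throwaway keyring, and decrypts and/or verifies the payload with gpg. Reading gpg's machine-readable `--status-fd` output instead of stderr, the function names, and the acceptance policy (hard failures such as BADSIG win over a successful decryption; an unsigned payload is rejected unless the caller opts out) are assumptions of this example.

```python
"""Detect, decrypt and verify PGP-armored user data with a temporary keyring.

Added example, not cloud-init's own code.  Key directory, status-fd parsing
and the acceptance policy are this example's assumptions.
"""
import os
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Set, Tuple

PGP_MESSAGE_HEADER = "-----BEGIN PGP MESSAGE-----"
PGP_MESSAGE_FOOTER = "-----END PGP MESSAGE-----"
DEFAULT_KEY_DIR = "/etc/cloud/keys"  # directory named in the proposed commit message

# gpg status keywords that must cause rejection even if decryption succeeded.
HARD_FAILURES = {
    "BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG",   # signature problems
    "NO_PUBKEY", "NO_SECKEY",                        # key missing from the temporary keyring
    "DECRYPTION_FAILED", "NODATA",                   # nothing usable came out
}


def is_pgp_message(user_data: str) -> bool:
    """True if the whole payload is one ASCII-armored PGP MESSAGE block.

    Leading/trailing whitespace is tolerated; anything else before the header
    is not, so a cloud-config that merely quotes the header string is not
    misclassified as an encrypted payload.
    """
    stripped = user_data.strip()
    return stripped.startswith(PGP_MESSAGE_HEADER) and stripped.endswith(PGP_MESSAGE_FOOTER)


def parse_status_lines(status_text: str) -> Set[str]:
    """Return the set of status keywords from gpg --status-fd output.

    Each status line looks like "[GNUPG:] KEYWORD args..."; non-status noise
    on the same descriptor is ignored.
    """
    keywords = set()
    for line in status_text.splitlines():
        if line.startswith("[GNUPG:] "):
            fields = line.split()
            if len(fields) >= 2:
                keywords.add(fields[1])
    return keywords


def evaluate_status(keywords: Set[str], require_signature: bool) -> Tuple[bool, str]:
    """Decide whether the gpg result is acceptable for use as user data.

    A hard failure always wins: gpg can report DECRYPTION_OKAY and BADSIG for
    the same message, and tampered-but-decryptable data must not be used.
    """
    hit = HARD_FAILURES & keywords
    if hit:
        return False, "gpg reported " + ", ".join(sorted(hit))
    if require_signature and "GOODSIG" not in keywords:
        return False, "user data is not signed by a key in the keyring"
    if "GOODSIG" not in keywords and "DECRYPTION_OKAY" not in keywords:
        return False, "gpg neither decrypted nor verified anything"
    return True, "ok"


def decrypt_and_verify(user_data: str, key_dir: str = DEFAULT_KEY_DIR,
                       require_signature: bool = True) -> str:
    """Decrypt/verify armored user data using only the keys found in key_dir."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg binary not found")
    # A fresh GNUPGHOME per call: the instance's own keyring is never consulted
    # and the imported keys do not outlive this function.
    home = tempfile.mkdtemp(prefix="cloud-init-keyring-")
    os.chmod(home, 0o700)  # gpg refuses unsafe homedir permissions
    try:
        base = [gpg, "--batch", "--no-tty", "--homedir", home]
        key_files = sorted(p for p in Path(key_dir).iterdir() if p.is_file())
        if not key_files:
            raise RuntimeError(f"no keys found in {key_dir}")
        for key_file in key_files:
            subprocess.run(base + ["--import", str(key_file)], check=True,
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        # Plaintext goes to a file so stdout carries only status lines.
        out_path = os.path.join(home, "plaintext")
        result = subprocess.run(
            base + ["--status-fd", "1", "--output", out_path, "--decrypt"],
            input=user_data.encode(), stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        )
        keywords = parse_status_lines(result.stdout.decode(errors="replace"))
        ok, reason = evaluate_status(keywords, require_signature)
        if not ok:
            raise ValueError(f"rejecting user data: {reason}")
        with open(out_path, "rb") as fh:
            return fh.read().decode()  # treated as ordinary user data from here on
    finally:
        shutil.rmtree(home, ignore_errors=True)
```

The policy is kept in `evaluate_status`, separate from the gpg invocation, so the rejection rules can be unit-tested without a real key pair; `decrypt_and_verify` needs a gpg binary and a populated key directory to exercise end to end.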

Hello! Thank you for this proposed change to cloud-init. This pull request is now marked as stale as it has not seen any activity in 14 days. If no activity occurs within the next 7 days, this pull request will automatically close.

If you are waiting for code review and you are seeing this message, apologies! Please reply, tagging TheRealFalcon, and he will ensure that someone takes a look soon.

(If the pull request is closed and you would like to continue working on it, please do tag TheRealFalcon to reopen it.)

github-actions[bot] avatar Aug 30 '24 00:08 github-actions[bot]

@holmanb , I have rebased the branch (only minor format.rst conflicts). It should be ready for review again.

TheRealFalcon avatar Sep 12 '24 19:09 TheRealFalcon

Rebased away the conflict.

@holmanb , can I get priority on this review? We're getting close to the end of the cycle and I'd like to get this one done so I can focus on my other items with less context switching.

TheRealFalcon avatar Sep 26 '24 20:09 TheRealFalcon

@holmanb , thanks for the comment. I have updated the PR accordingly.

TheRealFalcon avatar Oct 15 '24 17:10 TheRealFalcon

https://github.com/canonical/cloud-init/pull/5599#discussion_r1765328968

My "fix" to this comment broke things. I think I had initially seen this, which is why I relied on stderr in the first place, but then forgot in the time between adding it and seeing your comment. I found a better alternative to stderr and pushed it.

I updated an integration test accordingly and the tutorial should be working again.

TheRealFalcon avatar Oct 21 '24 14:10 TheRealFalcon

Hello! Thank you for this proposed change to cloud-init. This pull request is now marked as stale as it has not seen any activity in 14 days. If no activity occurs within the next 7 days, this pull request will automatically close.

If you are waiting for code review and you are seeing this message, apologies! Please reply, tagging TheRealFalcon, and he will ensure that someone takes a look soon.

(If the pull request is closed and you would like to continue working on it, please do tag TheRealFalcon to reopen it.)

github-actions[bot] avatar Nov 05 '24 00:11 github-actions[bot]

Hello! Thank you for this proposed change to cloud-init. This pull request is now marked as stale as it has not seen any activity in 14 days. If no activity occurs within the next 7 days, this pull request will automatically close.

If you are waiting for code review and you are seeing this message, apologies! Please reply, tagging TheRealFalcon, and he will ensure that someone takes a look soon.

(If the pull request is closed and you would like to continue working on it, please do tag TheRealFalcon to reopen it.)

github-actions[bot] avatar Nov 21 '24 00:11 github-actions[bot]

@holmanb , no rush, but reminder that this PR is ready for review.

TheRealFalcon avatar Dec 03 '24 21:12 TheRealFalcon

Hello! Thank you for this proposed change to cloud-init. This pull request is now marked as stale as it has not seen any activity in 14 days. If no activity occurs within the next 7 days, this pull request will automatically close.

If you are waiting for code review and you are seeing this message, apologies! Please reply, tagging TheRealFalcon, and he will ensure that someone takes a look soon.

(If the pull request is closed and you would like to continue working on it, please do tag TheRealFalcon to reopen it.)

github-actions[bot] avatar Dec 18 '24 00:12 github-actions[bot]

Hello! Thank you for this proposed change to cloud-init. This pull request is now marked as stale as it has not seen any activity in 14 days. If no activity occurs within the next 7 days, this pull request will automatically close.

If you are waiting for code review and you are seeing this message, apologies! Please reply, tagging TheRealFalcon, and he will ensure that someone takes a look soon.

(If the pull request is closed and you would like to continue working on it, please do tag TheRealFalcon to reopen it.)

github-actions[bot] avatar Jan 08 '25 00:01 github-actions[bot]

I stumbled upon this PR while researching how to pass secrets to an EC2 instance via user data. Some people recommend resolving secrets at the later provisioning stage; however, cloud-init itself works with the secrets at the early provisioning stage. Examples include repositories, SSHD configuration, etc. This PR would help to solve this problem. It would be nice if it made its way into the main branch. Thanks.

akuzminsky avatar Jan 09 '25 14:01 akuzminsky

Hello! Thank you for this proposed change to cloud-init. This pull request is now marked as stale as it has not seen any activity in 14 days. If no activity occurs within the next 7 days, this pull request will automatically close.

If you are waiting for code review and you are seeing this message, apologies! Please reply, tagging TheRealFalcon, and he will ensure that someone takes a look soon.

(If the pull request is closed and you would like to continue working on it, please do tag TheRealFalcon to reopen it.)

github-actions[bot] avatar Jan 31 '25 00:01 github-actions[bot]