Add secret top-level config object

This adds secrets as a top-level config object, including a new
custom YAML tag to indicate encrypted data.

It also adds a script which encrypts data for use in tests.

Change-Id: I92a6bc048874f8aa4ebe0dd27180b253bede7370
diff --git a/tests/encrypt_secret.py b/tests/encrypt_secret.py
new file mode 100644
index 0000000..ab45018
--- /dev/null
+++ b/tests/encrypt_secret.py
@@ -0,0 +1,51 @@
+#!/usr/bin/env python
+
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import sys
+import os
+
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.asymmetric import padding
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives import hashes
+
+FIXTURE_DIR = os.path.join(os.path.dirname(__file__),
+                           'fixtures')
+
+
+def main():
+    private_key_file = os.path.join(FIXTURE_DIR, 'private.pem')
+    with open(private_key_file, "rb") as f:
+        private_key = serialization.load_pem_private_key(
+            f.read(),
+            password=None,
+            backend=default_backend()
+        )
+
+    # Extract public key from private
+    public_key = private_key.public_key()
+
+    # https://cryptography.io/en/stable/hazmat/primitives/asymmetric/rsa/#encryption
+    ciphertext = public_key.encrypt(
+        sys.argv[1],
+        padding.OAEP(
+            mgf=padding.MGF1(algorithm=hashes.SHA1()),
+            algorithm=hashes.SHA1(),
+            label=None
+        )
+    )
+    print(ciphertext.encode('base64'))
+
+if __name__ == '__main__':
+    main()