From 2e38fee74fc1123cd6eacadb30d3822c5cd0c05b Mon Sep 17 00:00:00 2001 From: LeeW Date: Thu, 6 Mar 2025 16:28:49 +0100 Subject: [PATCH] ADP-216: updates README from UAT feedback for step2 - make procedural --- README.md | 50 +++++++++++++++++--------------------------------- 1 file changed, 17 insertions(+), 33 deletions(-) diff --git a/README.md b/README.md index a40c2ca..054ce51 100644 --- a/README.md +++ b/README.md @@ -37,7 +37,7 @@ Procedure: - file format: `@netgo.de.gpg.pub` - **Example**: `max.musterman@netgo.de.gpg.pub` 1. git: commit the new file, push -1. open a MergeRequest +1. gitlab: open a MergeRequest 1. Hand-Off: Assign the MR to an Existing User in your Team to have your key added. - Hint: Look up all Existing Users in the comments at: [verify/.sops.yaml](verify/.sops.yaml) @@ -50,20 +50,12 @@ Procedure: Create a symlink from the group-directory back to the keyfile 1. `cd groups/` + - **Example**: `cd groups/devnso-adp-argocd` - Explanation: Access for each repo is tracked using the `./groups/` directory; each sub-directory represents a "group" (Note: some "groups" are also "roles", e.g. `admin`) - Explanation: Most of the groups correspond directly to git repository names, aka "project name" - - **Example**: `cd groups/devnso-adp-argocd` 2. `ln -s ../../` - **Example**: `ln -s ../../max.musterman@netgo.de.gpg.pub` -### Example -Add "Max Musterman" to the group for `devnso-adp-argocd`: - -```shell -cd groups/devnso-adp-argocd -ln -s ../../max.musterman@netgo.de.gpg.pub -``` - ## 2. Onboarding: [Existing User]: Configure sops config Context: This repo stores the keys used to encrypt secrets in other repos; these "consumer" repos each contain a sops config `.sops.yaml` which manages access to the encrypted files (e.g. `secrets.yaml`) 
@@ -72,12 +64,11 @@ For verification purposes, this repo also contains a _sample_ `.sops.yaml` to wh ### Update Verification SOPS Config -Follow the interactive prompts: -```shell -./verify/usr_confirm_keycfg.sh -``` - -Now the sample secrets file _in this repo_ has been updated, and the New User should be able to decrypt it! +1. Checkout the New User's branch titled `add_pubkey_[firstname]-[lastname]`. + - CLI: e.g. `git branch add_pubkey_Max-Musterman` +1. Run `./verify/usr_confirm_keycfg.sh` +1. git: commit the new file, push +1. **Status**: Now the sample secrets file _in this repo_ has been updated, and the New User should be able to decrypt it! ### Update Project SOPS Config 
@@ -123,26 +114,19 @@ devnso-adp-argocd ... # SUCCESS: all users with keys in this dir should have functional keys ``` +% ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh -g devnso-adp-argocd $(find . -name secrets.yaml) **Commit the changes, Create Change Request (PR/MR)** -```shell -# commit the changes to any .sops.yaml or secrets files, e.g. with -## OPINIONATED GIT - use preferred method -% git add -p -# 1. review changes to the .sops.yaml -# 2. press 'y' to accept the changes -y -% git commit -m "adds . to sops config" -% git push -``` - -Open an MR and Merge the changes back into the trunk branch (e.g. `main`) - -At this point, the New User has been configured - -Hand Off to New User - +1. git: commit the changes to `.sops.yaml` and secrets files (`secrets.yaml`) files + - CLI: **e.g.** `git add .sops.yaml $(find . -name secrets.yaml)` + - **CAVEAT**: check for other changes with `git status` ! The files do not always follow consistent conventions. + - CLI: **e.g.** `git commit -m "adds . to sops config` +1. git: push branch + - CLI: **e.g.**: `git push -u origin add_pubkey_[firstname]-[lastname]` +1. gitlab: open a MergeRequest, Review, Merge +1. **Status**: New User has access to SOPS-Encrypted Secrets within Project Repo +1. **Hand-Off**: Proceed to next steps; Instruct New User to verify access to secrets ## 3. Onboarding: [New User] Configure SOPS
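Review bot: in the `@@ -50,20 +50,12 @@` hunk, step 2 (`ln -s ../../max.musterman@netgo.de.gpg.pub`) has no verification step, and git commits a symlink whose target does not resolve without complaint; add a check such as `ls -l` or `test -e max.musterman@netgo.de.gpg.pub` after the `ln -s` so a typo in the key filename or a wrong working directory surfaces before the MR is opened. With the standalone `### Example` block removed, the relative `../../` target is now explained only by the inline **Example** bullets; state explicitly that the command must be run from inside `groups/<group>/` (two levels below the keyfile), since the same `ln -s ../../...` run from `groups/` produces a dangling link.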
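Review bot: in the `@@ -72,12 +64,11 @@` hunk, the CLI hint in step 1 does not do what the step says: `git branch add_pubkey_Max-Musterman` creates a new local branch of that name rather than checking out the New User's existing branch, so `./verify/usr_confirm_keycfg.sh` would run against the wrong tree. Use `git checkout add_pubkey_Max-Musterman` (or `git switch`), and since the branch was pushed by the New User, mention `git fetch` first. Step 3 "commit the new file" also reads oddly here, because the script updates the sample secrets file already in the repo rather than creating one; name the files that are expected to change so the reviewer knows what to commit.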
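Review bot: in the `@@ -123,26 +114,19 @@` hunk, the new `% ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh -g devnso-adp-argocd $(find . -name secrets.yaml)` line is inserted after the closing ``` fence, so it renders as a stray paragraph with a `%` prompt instead of as part of the command block above it; move it inside the fence. In the commit step, the inline code `git commit -m "adds . to sops config` is missing the closing `"`, and the bare `.` placeholder for the user is easy to miss; write it as e.g. `git commit -m "adds [firstname]-[lastname] to sops config"` to match the `add_pubkey_[firstname]-[lastname]` convention used in the push step. Also, "secrets files (`secrets.yaml`) files" duplicates "files".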