ADP-216: updates README from UAT feedback for step2 - make procedural

ADP-216-uat-sops-step2_002
LeeW 10 months ago
parent 0abcb3e868
commit 2e38fee74f

@ -37,7 +37,7 @@ Procedure:
- file format: `<email>@netgo.de.gpg.pub`
- **Example**: `max.musterman@netgo.de.gpg.pub`
1. git: commit the new file, push
1. open a MergeRequest
1. gitlab: open a MergeRequest
1. Hand-Off: Assign the MR to an Existing User in your Team to have your key added.
- Hint: Look up all Existing Users in the comments at: [verify/.sops.yaml](verify/.sops.yaml)
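Review bot: the Hand-Off step says to assign the MR to an Existing User "to have your key added" but gives that reviewer nothing to check before merging; since merging a `.gpg.pub` file is what grants decryption access downstream, the step should say that the Existing User confirms the key's fingerprint with the New User out of band (chat or in person, not via the MR itself) before approving. Also, the two "open a MergeRequest" lines are the old and new wording of the same step; the new `gitlab:` prefix matches the `git:` convention on the line above it, which is the right call.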
@ -50,20 +50,12 @@ Procedure:
Create a symlink from the group-directory back to the keyfile
1. `cd groups/<project_name>`
- **Example**: `cd groups/devnso-adp-argocd`
- Explanation: Access for each repo is tracked using the `./groups/` directory; each sub-directory represents a "group" (Note: some "groups" are also "roles", e.g. `admin`)
- Explanation: Most of the groups correspond directly to git repository names, aka "project name"
- **Example**: `cd groups/devnso-adp-argocd`
2. `ln -s ../../<path_to_key.gpg.pub>`
- **Example**: `ln -s ../../max.musterman@netgo.de.gpg.pub`
### Example
Add "Max Musterman" to the group for `devnso-adp-argocd`:
```shell
cd groups/devnso-adp-argocd
ln -s ../../max.musterman@netgo.de.gpg.pub
```
## 2. Onboarding: [Existing User]: Configure sops config
Context: This repo stores the keys used to encrypt secrets in other repos; these "consumer" repos each contain a sops config `.sops.yaml` which manages access to the encrypted files (e.g. `secrets.yaml`)
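Review bot: the symlink step relies on `../../` resolving to the repo root from `groups/<project_name>`, and a typo in the key filename will create a dangling link that `ln -s` accepts silently, so step 2 should tell the user to confirm the link resolves (e.g. `ls -L max.musterman@netgo.de.gpg.pub` or `readlink -f` on it) before committing. Minor: this hunk numbers the steps `1.` / `2.` while the other hunks use `1.` throughout for auto-numbering; pick one style.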
@ -72,12 +64,11 @@ For verification purposes, this repo also contains a _sample_ `.sops.yaml` to wh
### Update Verification SOPS Config
Follow the interactive prompts:
```shell
./verify/usr_confirm_keycfg.sh
```
Now the sample secrets file _in this repo_ has been updated, and the New User should be able to decrypt it!
1. Checkout the New User's branch titled `add_pubkey_[firstname]-[lastname]`.
- CLI: e.g. `git branch add_pubkey_Max-Musterman`
1. Run `./verify/usr_confirm_keycfg.sh`
1. git: commit the new file, push
1. **Status**: Now the sample secrets file _in this repo_ has been updated, and the New User should be able to decrypt it!
### Update Project SOPS Config
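Review bot: the CLI example for "Checkout the New User's branch" is wrong: `git branch add_pubkey_Max-Musterman` creates a new local branch rather than switching to the existing one, so the confirm script would run against the wrong tree. It should read `git checkout add_pubkey_Max-Musterman` (after `git fetch`), or `git switch`. The duplicated "Now the sample secrets file ... should be able to decrypt it!" line is the old sentence being moved into the numbered `**Status**` item, which is fine.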
@ -123,26 +114,19 @@ devnso-adp-argocd
...
# SUCCESS: all users with keys in this dir should have functional keys
```
% ${PATH_TO_COMMUNICATION_KEYS_REPO}/bin/update_sops.sh -g devnso-adp-argocd $(find . -name secrets.yaml)
**Commit the changes, Create Change Request (PR/MR)**
```shell
# commit the changes to any .sops.yaml or secrets files, e.g. with
## OPINIONATED GIT - use preferred method
% git add -p
# 1. review changes to the .sops.yaml
# 2. press 'y' to accept the changes
y
% git commit -m "adds <firstname>.<lastname> to sops config"
% git push
```
Open an MR and Merge the changes back into the trunk branch (e.g. `main`)
At this point, the New User has been configured
Hand Off to New User
1. git: commit the changes to `.sops.yaml` and secrets files (`secrets.yaml`) files
- CLI: **e.g.** `git add .sops.yaml $(find . -name secrets.yaml)`
- **CAVEAT**: check for other changes with `git status` ! The files do not always follow consistent conventions.
- CLI: **e.g.** `git commit -m "adds <firstname>.<lastname> to sops config`
1. git: push branch
- CLI: **e.g.**: `git push -u origin add_pubkey_[firstname]-[lastname]`
1. gitlab: open a MergeRequest, Review, Merge
1. **Status**: New User has access to SOPS-Encrypted Secrets within Project Repo
1. **Hand-Off**: Proceed to next steps; Instruct New User to verify access to secrets
## 3. Onboarding: [New User] Configure SOPS
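Review bot: the commit example in the new procedural list is missing its closing quote: `git commit -m "adds <firstname>.<lastname> to sops config` will leave the shell waiting for input; the earlier code block has the correct form `git commit -m "adds <firstname>.<lastname> to sops config"`. Also, `git add .sops.yaml $(find . -name secrets.yaml)` only picks up the top-level `.sops.yaml`; if the project keeps one per subdirectory (as the CAVEAT about inconsistent conventions suggests), consider `$(find . -name .sops.yaml -o -name secrets.yaml)` and keep the `git status` check in place.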
