From a3d428a5893635299eafb6ead7c74860cee57fbf Mon Sep 17 00:00:00 2001 From: LeeW Date: Wed, 26 Feb 2025 17:25:56 +0100 Subject: [PATCH] updates instructions - order rearrange --- README.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 3861a07..bace21b 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ Roles: * E.g. look up in the [groups](/groups/) dir * E.g. look up in in [verify/.sops.yaml](verify/.sops.yaml) -## 1. Onboarding: [New User]: create and add a gpg key +## 1a. Onboarding: [New User]: create and add a gpg key - create a branch titled `add_pubkey_-` - e.g. `git branch add_pubkey_test-user` - Note: no strict naming convention for the branch, it's strictly a Human-in-the-Loop process @@ -24,7 +24,7 @@ Roles: - open a MergeRequest/PullRequest - hand-off to an Existing User of the repo. -### 1b. Onboarding: [Existing User|New User]: Add new user to groups +## 1b. Onboarding: [Existing User|New User]: Add new user to groups Access for each repo is tracked using the `./groups/` directory; each sub-directory represents a "group" (Note: some "groups" are also "roles", e.g. `admin`) @@ -37,15 +37,7 @@ ln -s ../../ Note: this step can be performed by anyone (either new user or existing user), but it makes the most sense for an existing user to configure the groups since this is domain-specific knowledge (i.e. new users won't typically know the grups) -## 2. Offboarding: [Existing User]: Archive Expired Keys (EOL) - -To mark a key as expired, move it to the `archive/` dir as follows: - -```bash -mv ${keyname} "archive/${keyname}_$(date '+%Y-%m-%d').archive" -``` - -## 3. [Existing User]: Configure sops config +## 3. Onboarding: [Existing User]: Configure sops config Context: This repo stores the keys used to encrypt secrets in other repos; these "consumer" repos each contain a sops config `.sops.yaml` which manages access to the encrypted files (e.g. `secrets.yaml`) 
@@ -96,7 +88,7 @@ devnso-adp-argocd At this point, the New User has been configured and can grant themselves access to any of the secrets files in this project. -# 4. Onboarding: [New User] Configure SOPS +## 4. Onboarding: [New User] Configure SOPS SOPS is used for encrypting secrets, e.g. credentials for various systems @@ -120,6 +112,14 @@ Note: The `GPG_TTY` is necessary to have the password prompt appear. src: https: Note: `secrets.yaml` is just an example; the file can have any name +## 5. Offboarding: [Existing User]: Archive Expired Keys (EOL) + +To mark a key as expired, move it to the `archive/` dir as follows: + +```bash +mv ${keyname} "archive/${keyname}_$(date '+%Y-%m-%d').archive" +``` + # Advanced # Reference: Commands for gpg keys
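Review bot: in the hunk at `@@ -37,15 +37,7 @@` the numbering now skips from 1b straight to 3, because the old section 2 (Offboarding) is deleted here and re-added at the end of the file as section 5; either renumber `## 3. Onboarding: [Existing User]: Configure sops config` to `## 2.` and the later `## 4.` and `## 5.` headings accordingly, or say explicitly that the numbers are stable identifiers and a gap is intended. The unchanged context line in the same hunk still reads `new users won't typically know the grups`; since this section is being touched anyway, fix the typo to `groups`.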
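Review bot: the offboarding step re-added in the hunk at `@@ -120,6 +112,14 @@` only renames the key file into `archive/`; it does not revoke anything. Per the context at section 3, access is actually enforced by each consumer repo's `.sops.yaml`, so after `mv ${keyname} "archive/${keyname}_$(date '+%Y-%m-%d').archive"` the departing key still appears in those configs and can still decrypt every secret it was previously granted. The section should tell the Existing User to also remove the key from the consumer repos' `.sops.yaml`, re-encrypt the affected secrets files so the old key is no longer a recipient, and remove the user's `groups/` symlinks from step 1b. Style point on the same line: quote the variable, `mv "${keyname}" ...`, so a key filename with spaces does not split into several arguments.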