* Existing User: user who already has access to the appropriate project
* Existing User: user who already has access to the appropriate project
* E.g. look up in the [groups](/groups/) dir
* E.g. look up in the [groups](/groups/) dir
* E.g. look up in in [verify/.sops.yaml](verify/.sops.yaml)
* E.g. look up in in [verify/.sops.yaml](verify/.sops.yaml)
* Any User: either New User or Existing User
## 1. Onboarding: New User: create and add a gpg key
## 1. Onboarding: [New User]: create and add a gpg key
- create a branch titled `add_pubkey_<firstname>-<lastname>`
- create a branch titled `add_pubkey_<firstname>-<lastname>`
- e.g. `git branch add_pubkey_test-user`
- e.g. `git branch add_pubkey_test-user`
- Note: no strict naming convention for the branch, it's strictly a Human-in-the-Loop process
- Note: no strict naming convention for the branch, it's strictly a Human-in-the-Loop process
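Review bot: the heading now carries the performing role as `[New User]`, but the Roles list above never states that convention; add one line there (e.g. "Each step heading names, in brackets, the role that performs it") so `[New User]` is read as the defined role and not as a literal placeholder. Also, the branch step prescribes `add_pubkey_<firstname>-<lastname>` and then says there is "no strict naming convention"; wording it as "suggested branch name: `add_pubkey_<firstname>-<lastname>`" keeps the two lines from reading as a contradiction. Minor: "look up in in [verify/.sops.yaml]" has a doubled "in".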
@ -23,9 +22,9 @@ Roles:
- file format: `<email>@netgo.de.gpg.pub`
- file format: `<email>@netgo.de.gpg.pub`
- git: commit the new file, push
- git: commit the new file, push
- open a MergeRequest/PullRequest
- open a MergeRequest/PullRequest
- hand-off to an Existing User for approval and further configuration
- hand-off to an Existing User of the repo.
### 1b. Onboarding: Any User: Add new user to groups
### 1b. Onboarding: [Existing User|New User]: Add new user to groups
Access for each repo is tracked using the `./groups/` directory; each sub-directory represents a "group" (Note: some "groups" are also "roles", e.g. `admin`)
Access for each repo is tracked using the `./groups/` directory; each sub-directory represents a "group" (Note: some "groups" are also "roles", e.g. `admin`)
Note: this step can be performed by anyone (either new user or existing user), but it makes the most sense for an existing user to configure the groups since this is domain-specific knowledge (i.e. new users won't typically know the grups)
Note: this step can be performed by anyone (either new user or existing user), but it makes the most sense for an existing user to configure the groups since this is domain-specific knowledge (i.e. new users won't typically know the grups)
## 2. Offboarding: Any User: Archive Expired Keys (EOL)
Context: This repo stores the keys used to encrypt secrets in other repos; these "consumer" repos each contain a sops config `.sops.yaml` which manages access to the encrypted files (e.g. `secrets.yaml`)
Context: This repo stores the keys used to encrypt secrets in other repos; these "consumer" repos each contain a sops config `.sops.yaml` which manages access to the encrypted files (e.g. `secrets.yaml`)
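Review bot: replacing "hand-off to an Existing User for approval and further configuration" with "hand-off to an Existing User of the repo." drops the only statement that an Existing User reviews and approves the new key; since that approval is what gates a new `.gpg.pub` file into `./groups/` and, from there, into a consumer repo's `.sops.yaml`, keep the approval wording, e.g. "hand-off to an Existing User of the repo for review, approval and group configuration". The new heading `[Existing User|New User]` spells out a role the Roles list already defines as "Any User"; using `[Any User]` here keeps the headings consistent with that list (the Note below the heading already describes exactly this "either new user or existing user" case). Minor: "grups" in that Note is a typo for "groups".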