updates instructions

ADP-216_sops_automation
LeeW 10 months ago
parent 29ea1992e9
commit fef5b081b4

@ -5,11 +5,19 @@ Purpose: Manage gpg keys for:
# Key Management # Key Management
## 1. Onboarding: howto create and add a gpg key Roles:
* New User: new key to be added; can be a new employee being added for first time, existing employee getting access to a new repo, key rotation, etc
* Existing User: user who already has access to the appropriate project
* Any User: either New User or Existing User
## 1. Onboarding: New User: create and add a gpg key
- please follow instruction on following link: https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key - please follow instruction on following link: https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key
- add ONLY the _PUBLIC_ part of your gpg key!!! - add ONLY the _PUBLIC_ part of your gpg key!!!
- checkin via MergeRequest/PullRequest - checkin via MergeRequest/PullRequest
# TODO
## Reference: Manual Steps
### import gpg keys ### import gpg keys
```shell ```shell
gpg --import /path/to/keys/*.gpg.pub gpg --import /path/to/keys/*.gpg.pub
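Review bot: The `# TODO` heading added before `## Reference: Manual Steps` is a bare placeholder committed into the user-facing instructions; either state what is still to be written (e.g. an automated import step replacing the manual `gpg --import`) or drop the line. Two smaller points on the same hunk: the added `Roles:` line replaces the old `## 1. Onboarding` heading but is not itself a heading, so it would read better as `## Roles` to match the file's `##` convention; and step 1 tells the user to add only the public part of the key but not how to produce it or what to name the file, while the import glob below expects `*.gpg.pub`, so one line such as `gpg --armor --export <keyid> > <name>.gpg.pub` and a sentence on verifying the fingerprint out of band before merging the MergeRequest/PullRequest would close that gap.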
@ -21,16 +29,20 @@ gpg --list-keys --keyid-format=long
``` ```
### groups ### 1b. Onboarding: Any User: Add new user to groups
Access for each repo is tracked using the `./groups/` directory; each sub-directory represents a "group" (Note: some "groups" are also "roles", e.g. `admin`) Access for each repo is tracked using the `./groups/` directory; each sub-directory represents a "group" (Note: some "groups" are also "roles", e.g. `admin`)
Most of the groups correspond directly to git repository names, aka "project name"
```bash ```bash
cd groups/<project_name> cd groups/<project_name>
ln -s ../../<path_to_key.gpg.pub> ln -s ../../<path_to_key.gpg.pub>
``` ```
## 2. Offboarding: Archive Expired Keys (EOL) Note: this step can be performed by anyone (either new user or existing user), but it makes the most sense for an existing user to configure the groups since this is domain-specific knowledge (i.e. new users won't typically know the grups)
## 2. Offboarding: Any User: Archive Expired Keys (EOL)
To mark a key as expired, move it to the `archive/` dir as follows: To mark a key as expired, move it to the `archive/` dir as follows:
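Review bot: The `ln -s ../../<path_to_key.gpg.pub>` in 1b creates a relative symlink from `groups/<project_name>`, so the target path must be written relative to that directory, not to the repo root; the text should say where the key files are expected to live and suggest checking the link resolves (e.g. `test -e <link>` or `ls -L`) before committing, since a dangling symlink silently grants nobody access. Also fix the typo "grups" in the added Note, and consider making that Note a sentence under the 1b heading rather than the trailing line of the section, where it currently sits against the old `## 2. Offboarding` heading in the split view.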
@ -38,7 +50,7 @@ To mark a key as expired, move it to the `archive/` dir as follows:
mv ${keyname} "archive/${keyname}_$(date '+%Y-%m-%d').archive" mv ${keyname} "archive/${keyname}_$(date '+%Y-%m-%d').archive"
``` ```
## 3. Configure sops config ## 3. Existing User: Configure sops config
Context: This repo stores the keys used to encrypt secrets in other repos; these "consumer" repos each contain a sops config `.sops.yaml` which manages access to the encrypted files (e.g. `secrets.yaml`) Context: This repo stores the keys used to encrypt secrets in other repos; these "consumer" repos each contain a sops config `.sops.yaml` which manages access to the encrypted files (e.g. `secrets.yaml`)
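Review bot: The `mv ${keyname} "archive/${keyname}_$(date '+%Y-%m-%d').archive"` in section 2 breaks every symlink created in 1b, because the group links point at the key file that is being moved; the offboarding step should also remove the user's links from `groups/*/` (GNU `find groups -xtype l` lists the ones left dangling). While here, quote the source as `"${keyname}"`, and note that if `keyname` contains a directory component the destination `archive/<dir>/...` will not exist. Finally, archiving the key in this repo does not affect secrets already encrypted to it in the consumer repos; section 3 should spell out that the fingerprint must be removed from each consumer's `.sops.yaml` and the files re-encrypted with `sops updatekeys` for the removal to take effect.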
