communication-keys/README.md

GPG Key Repo

Purpose: Manage gpg keys for:

  • SOPS

Key Management

1. Onboarding: how to create and add a GPG key

import gpg keys

gpg --import /path/to/keys/*.gpg.pub

list imported gpg keys

gpg --list-keys --keyid-format=long

groups

Access for each repo is tracked using the ./groups/ directory: each sub-directory represents a "group" (note that some "groups" are also "roles", e.g. admin).

cd groups/<project_name>
ln -s ../../<path_to_key.gpg.pub>

2. Offboarding: Archive Expired Keys (EOL)

To mark a key as expired, move it to the archive/ dir as follows:

mv "${keyname}" "archive/${keyname}_$(date '+%Y-%m-%d').archive"
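The onboarding and offboarding steps above are done by hand with ln and mv, which makes it easy to leave a group symlink pointing at a key that has already been moved to archive/. The following helpers are an added example, not part of this repo: they perform both steps and count dangling links and live members per group. The keys/ directory name is an assumption (the README only says the symlink points at the key file); the demo at the end uses constructed fake key files in a temporary directory.

```shell
#!/usr/bin/env bash
# Added example, not part of this repo. Assumed layout:
#   keys/<name>.gpg.pub                      exported public keys (assumption)
#   groups/<group>/<name>.gpg.pub            symlink -> ../../keys/<name>.gpg.pub
#   archive/<name>.gpg.pub_<date>.archive    expired keys, as in the README
set -eu

# Onboarding: link an existing public key into a group.
add_key_to_group() {
  local repo="$1" key="$2" group="$3"
  [ -f "${repo}/keys/${key}" ] || { echo "no such key: ${key}" >&2; return 1; }
  mkdir -p "${repo}/groups/${group}"
  ln -s "../../keys/${key}" "${repo}/groups/${group}/${key}"
}

# Offboarding: archive the key with today's date (as in the README) and remove
# every group symlink pointing at it, so no group silently keeps a dead entry.
offboard_key() {
  local repo="$1" key="$2" today
  today=$(date '+%Y-%m-%d')
  mkdir -p "${repo}/archive"
  mv "${repo}/keys/${key}" "${repo}/archive/${key}_${today}.archive"
  find "${repo}/groups" -type l -name "${key}" -exec rm -f {} +
}

# Consistency check: number of symlinks under groups/ whose target no longer
# exists (the usual leftover of a manual mv into archive/).
count_dangling_group_links() {
  local repo="$1"
  [ -d "${repo}/groups" ] || { echo 0; return; }
  find "${repo}/groups" -type l ! -exec test -e {} \; -print | wc -l | tr -d ' '
}

# Keys that currently grant access to a group: resolved symlinks only.
count_group_members() {
  local repo="$1" group="$2"
  [ -d "${repo}/groups/${group}" ] || { echo 0; return; }
  find "${repo}/groups/${group}" -type l -exec test -e {} \; -print | wc -l | tr -d ' '
}

# Demo on a throwaway repo with constructed (fake) key files.
demo_key_repo() {
  local tmp
  tmp=$(mktemp -d)
  mkdir -p "${tmp}/keys" "${tmp}/groups"
  printf 'constructed fake key\n' > "${tmp}/keys/alice.gpg.pub"
  printf 'constructed fake key\n' > "${tmp}/keys/bob.gpg.pub"
  add_key_to_group "${tmp}" alice.gpg.pub admin
  add_key_to_group "${tmp}" alice.gpg.pub devnso-adp-argocd
  add_key_to_group "${tmp}" bob.gpg.pub devnso-adp-argocd
  echo "members before: $(count_group_members "${tmp}" devnso-adp-argocd)"
  offboard_key "${tmp}" bob.gpg.pub
  echo "members after offboarding bob: $(count_group_members "${tmp}" devnso-adp-argocd)"
  echo "dangling links: $(count_dangling_group_links "${tmp}")"
  rm -rf "${tmp}"
}
demo_key_repo
```

Running count_dangling_group_links as a pre-commit or CI check on this repo catches a half-finished offboarding before update_sops.sh is run against a group that still lists the archived key.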

3. Configure the SOPS config

Context: this repo stores the keys used to encrypt secrets in other repos. Each of these "consumer" repos contains a SOPS config, .sops.yaml, which determines which keys can decrypt the encrypted files (e.g. secrets.yaml).

The following commands explain how to update the .sops.yaml for a repository:

# E.g. update sops config for DevNSO
% git clone git@git.dev-at.de:cloud-solutions/nso/devnso-adp-argocd.git
% cd devnso-adp-argocd/

# List available groups
% ${PATH_TO_THIS_REPO}/bin/update_sops.sh --list_groups
# INFO: listing groups
admin
automation
devnso-adp-argocd

# For a given group, update sops config and specified secrets file
% ${PATH_TO_THIS_REPO}/bin/update_sops.sh -r devnso-adp-argocd -s ./adp-api-devs/adp-api-devs/secrets.yaml
% git diff
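What update_sops.sh writes into the consumer repo is a creation rule that lists the fingerprints of every key in the group. The script below is an added example, not the project's update_sops.sh: it renders such a rule for a given path regex and set of fingerprints, and checks an existing .sops.yaml for recipients that are no longer in the group (the situation after an offboarding). group_fingerprints assumes GnuPG 2.2+ for gpg --show-keys and is not exercised by the demo, which uses constructed fingerprints; stale_recipients only understands the single-line pgp: form that render_sops_rule emits.

```shell
#!/usr/bin/env bash
# Added example, not part of this repo and not update_sops.sh.
set -eu

# Primary-key fingerprints of every public key file in a group directory.
# Assumes GnuPG 2.2+ (gpg --show-keys); not run in the demo below.
group_fingerprints() {
  local group_dir="$1" keyfile
  for keyfile in "${group_dir}"/*.gpg.pub; do
    gpg --with-colons --show-keys "${keyfile}" | awk -F: '$1 == "fpr" { print $10; exit }'
  done
}

# Render a SOPS creation rule: files matching path_regex are encrypted to all
# listed PGP fingerprints (comma-separated, as .sops.yaml expects).
render_sops_rule() {
  local path_regex="$1" fprs
  shift
  fprs=$(printf '%s,' "$@")
  printf 'creation_rules:\n  - path_regex: %s\n    pgp: %s\n' "${path_regex}" "${fprs%,}"
}

# Fingerprints on single-line `pgp:` entries of a .sops.yaml that are not in
# the allowed set given as arguments. A non-empty result means a former key
# holder is still a recipient of newly encrypted files.
stale_recipients() {
  local config="$1" fpr allowed
  shift
  allowed=" $* "
  grep -E '^[[:space:]]*pgp:' "${config}" | sed 's/^[[:space:]]*pgp:[[:space:]]*//' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | while read -r fpr; do
      [ -n "${fpr}" ] || continue
      case "${allowed}" in
        *" ${fpr} "*) ;;
        *) echo "${fpr}" ;;
      esac
    done
}

# Demo with constructed fingerprints (not real keys).
demo_sops_config() {
  local tmp alice='0123456789ABCDEF0123456789ABCDEF01234567'
  local bob='FEDCBA9876543210FEDCBA9876543210FEDCBA98'
  tmp=$(mktemp -d)
  render_sops_rule 'adp-api-devs/.*secrets\.yaml$' "${alice}" "${bob}" > "${tmp}/.sops.yaml"
  cat "${tmp}/.sops.yaml"
  echo "stale after bob is offboarded: $(stale_recipients "${tmp}/.sops.yaml" "${alice}")"
  rm -rf "${tmp}"
}
demo_sops_config
```

Changing .sops.yaml only affects files encrypted from then on; run `sops updatekeys secrets.yaml` to re-encrypt the data key of an existing file to the new recipient list. A removed key holder has already seen the plaintext, so removing the fingerprint limits future access only; rotating the secret values themselves is what actually revokes what they know.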

Configure SOPS

SOPS is used for encrypting secrets, e.g. credentials for various systems

Install

https://github.com/getsops/sops

Usage

Decrypt and Display Secrets in Terminal:

GPG_TTY=$(tty) sops secrets.yaml

Note: The GPG_TTY is necessary to have the password prompt appear. src: https://www.varokas.com/secrets-in-code-with-mozilla-sops/

Note: secrets.yaml is just an example; the file can have any name

Example - Manual

The steps in the following example can be run locally in order to:

  • create a sample secrets file
  • encrypt the file
  • decrypt the file

If these steps work, SOPS is configured correctly - on your machine ;-)

#!/usr/bin/env bash
set -ueo pipefail
# demo: create a file with a mock secret, src: https://bash-org-archive.com/?244321
yq -n '.demo.credentials.secret = "hunter2"' > secrets.yaml
# encrypt in place; sops picks the recipients from the .sops.yaml in this directory
sops -e -i secrets.yaml

# decrypt, print to console
sops -d secrets.yaml

Example - Automation

cd example/
./cmd_sops.sh