gitea-admin
/
communication-keys
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
add_pubkey_Andreas_Rother
key_change
add_pubkey_Christos-Adalis
add_pubkey_Daryl-SauerNeumann
ADP-231_group_argocd-os-nso-adp-dev
ADP-216-wrapup
ADP-216-uat-sops-step2_003
ADP-216-uat-sops-step2_002
ADP-216-uat-sops-step1
ADP-216-uat-sops-step2
ADP-216-uat-sops-onboarding
ADP-216_sops_automation
ADP-179_doc_sops
ADP-179_sops_manage_keys
gpg-key-peichhorn
feature/gpg_key_tobias_Stroehl
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'fef5b081b4'
${ noResults }
communication-keys/README.md

136 lines
4.0 KiB
Markdown
Raw Blame History

# GPG Key Repo
Purpose: Manage gpg keys for:
* SOPS
# Key Management
Roles:
* New User: new key to be added; can be a new employee being added for first time, existing employee getting access to a new repo, key rotation, etc
* Existing User: user who already has access to the appropriate project
* Any User: either New User or Existing User
## 1. Onboarding: New User: create and add a gpg key
- please follow instruction on following link: https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key
- add ONLY the _PUBLIC_ part of your gpg key!!!
- checkin via MergeRequest/PullRequest
# TODO
## Reference: Manual Steps
### import gpg keys
```shell
gpg --import /path/to/keys/*.gpg.pub
```
### list imported gpg keys
```shell
gpg --list-keys --keyid-format=long
```
### 1b. Onboarding: Any User: Add new user to groups
Access for each repo is tracked using the `./groups/` directory; each sub-directory represents a "group" (Note: some "groups" are also "roles", e.g. `admin`)
Most of the groups correspond directly to git repository names, aka "project name"
```bash
cd groups/<project_name>
ln -s ../../<path_to_key.gpg.pub>
```
Note: this step can be performed by anyone (either new user or existing user), but it makes the most sense for an existing user to configure the groups since this is domain-specific knowledge (i.e. new users won't typically know the grups)
## 2. Offboarding: Any User: Archive Expired Keys (EOL)
To mark a key as expired, move it to the `archive/` dir as follows:
```bash
mv ${keyname} "archive/${keyname}_$(date '+%Y-%m-%d').archive"
```
## 3. Existing User: Configure sops config
Context: This repo stores the keys used to encrypt secrets in other repos; these "consumer" repos each contain a sops config `.sops.yaml` which manages access to the encrypted files (e.g. `secrets.yaml`)
The following commands explain how to update the `.sops.yaml` for a repository:
```bash
# E.g. update sops config for DevNSO
% git clone git@git.dev-at.de:cloud-solutions/nso/devnso-adp-argocd.git
% cd devnso-adp-argocd/
# List available groups
% ${PATH_TO_THIS_REPO}/bin/update_sops.sh --list_groups
# INFO: listing groups
admin
automation
devnso-adp-argocd
# For a given group, update sops config and specified secrets file
% ${PATH_TO_THIS_REPO}/bin/update_sops.sh -r devnso-adp-argocd -s ./adp-api-devs/adp-api-devs/secrets.yaml
% git diff
```
# Configure SOPS
SOPS is used for encrypting secrets, e.g. credentials for various systems
## Install
https://github.com/getsops/sops
Note:
* MacOS: If desired, one can also use brew to install sops: `brew install sops`; although this is not officially maintained, [the formula is essentially the same as the official installation instructions](https://github.com/Homebrew/homebrew-core/blob/4496ce5131bc09e7065fa0aa8fb96366a3df6477/Formula/s/sops.rb)
## Usage
Decrypt and Display Secrets in Terminal:
```bash
GPG_TTY=$(tty) sops secrets.yaml
```
Note: The `GPG_TTY` is necessary to have the password prompt appear. src: https://www.varokas.com/secrets-in-code-with-mozilla-sops/
Note: `secrets.yaml` is just an example; the file can have any name
## Example - Manual
The steps in the following example can be run locally in order to:
* create a sample secrets file
* encrypt the file
* decrypt the file
If these steps work, sops configured correctly - on your machine ;-)
```bash
#!/usr/bin/env bash
set -ueo pipefail
# demo: create a file with a mock secret, src: https://bash-org-archive.com/?244321
# PREREQUISITE: valid sops config, i.e. .sops.yaml - Note: most repos already have one
# further reading: https://github.com/getsops/sops?tab=readme-ov-file#using-sops-yaml-conf-to-select-kms-pgp-and-age-for-new-files
yq -n '.demo.credentials.secret = "hunter2"' > secrets.yaml
# encrypt
sops -e -i secrets.yaml
# decript, print to console
sops -d secrets.yaml
```
## Example - Automation
```shell
cd verify/
./usr_confirm_keycfg.sh
```
# Contributing
Tests: `./verify/test.sh`
Caveat: requires working SOPS config,pgp key, etc
Reference in New Issue View Git Blame Copy Permalink