Fork 0
Commit Graph

14 Commits (master)

Author SHA1 Message Date
q3k f97c9688d5 tools/secretstore: fix gpg encryption for expired key
We also set --trust-model=always, as we explicitly ship GPG
fingerprints, so there's no need to rely on GPG's web of trust

Change-Id: If2976130315c044f1d1727c61a6f6d489c876a52
2021-07-10 16:53:59 +00:00
q3k 6c1a712522 secretstore: fix decryption in sync
Change-Id: If5be7679e9e0b6e0acf78ffd871adb1f9af8d7f4
2020-07-30 20:55:54 +00:00
q3k 7371b7288b tools/secretstore: add sync command, re-encrypt
This kills two birds with one stone:

 - update the secretstore tool to be slightly smarter about secrets, to
   the point where we can now just point it at a secret directory and
   ask it to 'sync' all secrets in there
 - runs the new fancy sync command on all keys to update them, which
   is a follow up to gerrit/328.

Change-Id: I0eec4a3e8afcd9481b0b248154983aac25657c40
2020-06-04 19:25:07 +00:00
patryk d600ebb5c8 Re-enable cz2 gpg key in secretstore.py
Change-Id: Iccefecccafe3748c310e5922f366c86d5f2cf11d
2020-05-31 16:46:58 +00:00
q3k 02aae3628c hswaw/kube: encrypt keys, update expired keys
cz2's key has expired. Removing it for now as there's no easy way to
force gpg to encrypt content for expired keys.

Change-Id: Ib27b9a09385fcead1ba2d48ebf45426038d8b647
2020-02-18 23:28:14 +01:00
q3k d493ab66ca *: add dcr01s{22,24}
Change-Id: I072e825e2e1d199d9da50b9d38a9ffba68e61182
2019-10-31 17:07:50 +01:00
q3k 29afb4cc51 secretstore: restore implr 2019-05-19 03:10:25 +02:00
q3k a9bb1d5b5b tools/secretstore: fix decryption of updated secrets 2019-04-28 17:13:12 +02:00
informatic c10f00b7da tools/secretstore: decrypt secrets when requesting plaintext path 2019-04-09 13:29:33 +02:00
q3k 73cef11c85 *: rejigger tls certs and more
This pretty large change does the following:

 - moves nix from bootstrap.hswaw.net to nix/
 - changes clustercfg to use cfssl and moves it to cluster/clustercfg
 - changes clustercfg to source information about target location of
   certs from nix
 - changes clustercfg to push nix config
 - changes tls certs to have more than one CA
 - recalculates all TLS certs
   (it keeps the old serviceaccoutns key, otherwise we end up with
   invalid serviceaccounts - the cert doesn't match, but who cares,
   it's not used anyway)
2019-04-07 00:06:23 +02:00
q3k 41bd2b52c2 cluster/secrets: add implr 2019-01-17 23:37:36 +01:00
q3k f3010ee1cb cluster/secrets: add cz2 2019-01-17 21:35:52 +01:00
q3k de061801db *: k0.hswaw.net somewhat working 2019-01-13 21:14:02 +01:00
q3k f2a812b9fd *: bazelify 2019-01-13 17:51:34 +01:00