Closed rabernat closed 6 months ago
@rabernat I am still considering the above RE: frequency et al. We should dig out and follow industry best practice regarding this. @cisaacstern I agree, we should link to some documentation (preferably someone else's to save duplication of effort) around good password hygiene and how to make strong passwords. Preferably with a few horror stories to push the point home.
One challenge I see around secret rotation is the fact that encrypted secrets will get checked into the feedstocks once and potentially stay there for years! Should we expect recipe maintainers to periodically re-encrypt their credentials after we rotate keys? Or would it be okay to keep using the old keys for those old secrets?
and potentially stay there for years!
This should only become relevant if the feedstock is re-run (i.e., if it's tagged with a new version), correct? In which case we could add a GitHub workflow to the feedstock template repository that checks if the gpg key used is up-to-date? This would require adding a field for gpg key to the meta.yaml, I guess. (Which maybe isn't such a bad idea anyway?) I'm assuming here there is no way to recover a public key directly from an encrypted file.
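One way to build the key-freshness check floated above, as an added example that is not from this thread or from Pangeo Forge: an OpenPGP ciphertext records the recipient's 64-bit key ID in each Public-Key Encrypted Session Key packet (RFC 4880, unless the sender deliberately used a hidden recipient), so a workflow can read which key a checked-in secret was encrypted to without a new meta.yaml field. The parser below assumes a binary `.gpg` file (pass armored output through `gpg --dearmor` first) and uses a constructed sample message, not a real ciphertext.

```python
HIDDEN_KEY_ID = b"\x00" * 8  # RFC 4880 section 5.1: all-zero key ID means a hidden recipient

def iter_packets(data):
    """Yield (tag, body) for each OpenPGP packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError("invalid packet tag byte at offset %d" % (i - 1))
        if ctb & 0x40:  # new-format header (RFC 4880 section 4.2.2)
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not supported here")
        else:  # old-format header (RFC 4880 section 4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:  # indeterminate length: body runs to the end of the input
                length = len(data) - i
            else:
                n = (1, 2, 4)[ltype]
                length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def recipient_key_ids(data):
    """Hex key IDs the message was encrypted to; None marks a hidden recipient."""
    ids = []
    for tag, body in iter_packets(data):
        if tag == 1 and body[0] == 3:  # v3 Public-Key Encrypted Session Key packet
            kid = body[1:9]
            ids.append(None if kid == HIDDEN_KEY_ID else kid.hex().upper())
    return ids

def stale_recipients(data, current_key_ids):
    """Recipient key IDs missing from the allow-list of current keys (hidden ones count as stale)."""
    current = {k.upper() for k in current_key_ids}
    return [k for k in recipient_key_ids(data) if k is None or k not in current]

# Constructed sample, not a real ciphertext: an old-format v3 PKESK addressed to key ID
# 0123456789ABCDEF with RSA (algorithm 1) and a dummy 16-bit MPI, then an empty SEIPD packet.
PKESK_BODY = b"\x03" + bytes.fromhex("0123456789ABCDEF") + b"\x01" + b"\x00\x10\xAB\xCD"
SAMPLE = b"\x85" + len(PKESK_BODY).to_bytes(2, "big") + PKESK_BODY + b"\xD2\x00"
```

`gpg --list-packets` prints the same key ID interactively; the parser only makes the comparison against the current key list scriptable in a workflow without shelling out to gpg.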
Just learned about https://github.com/mozilla/sops via @yuvipanda's tweet. Seems like another useful option to consider re: secret handling.
Yeah, sops is amazing and much more user friendly than gpg. Highly recommend. You can use gpg with it too if you like.
SOPS is 100% where it's at. I have deployed this into production at a few places now.
closing as stale
This is a potential solution to handling of secrets in Pangeo Forge.