helm-taller
Introducción a Helm
Links de interés
Secrets Management
git-crypt
This repo contains sensitive secrets that are encrypted using git-crypt.
Encrypting files is done using git filters via a .gitattributes
file in the directory containing
the sensitive files.
*.secrets.tf filter=git-crypt diff=git-crypt
If a file matching the .gitattributes
glob is added to git afterwards, it will be encrypted.
repo-setup (one time)
git-crypt init
Add a new user via local keychain
If your local GPG keychain already trusts a user, we can add a user using an existing uid.
# See all keys in the local keychain
gpg --list-keys
# Add a user by uid
git-crypt add-gpg-user --trusted [email protected]
Add a new engineer
The user needs to already have or create a new GPG key.
Cloudkite recommends using Keybase for ease of use.
# Admin imports new user's GPG key
curl https://keybase.io/<KEYBASE ID>/pgp_keys.asc | gpg --import
# Or, if passed via file
gpg --import /path/to/gpg/file
# Add key to git-crypt
git-crypt add-gpg-user --trusted [email protected]
# Push git-crypt to master
git push origin
Removing a user
# See GPG file for all users
cd root/of/infrastructure/repo/
cd .git-crypt/keys/default/0
for file in *.gpg; do echo \"${file} : \" && git log -- ${file} | sed -n 9p; done;
git rm <GPG ID>.gpg
git commit -m 'Removing user <user>'
git push origin
As a user, unlocking a repo
Once your key has been added to the repo, clone it locally and unlock it using the following command:
git clone [...]
cd <new repo>
git-crypt unlock
It will prompt for your passphrase and once unlocked you can modify and commit secrets without needing to worry about manually encrypting and decrypting.