Move highly sensitive secrets to new "super" vault
The idea behind this is to be able to give vault access to new DevOps members without giving away more important credentials like Hetzner's.
To view the contents of re-encrypted vaults:
git grep -l 'AES256;super$' | parallel 'echo -e "\n\n###" {} && ansible-vault view {}'
The rest of the vaults seem fine to continue using the default password:
git grep -l 'AES256$' | grep -v vault_wireguard | parallel 'echo -e "\n\n###" {} && ansible-vault view {}'
Edited by Evangelos Foutras
Resolved by Evangelos Foutras
We must remember to change the password in vault-default-password.gpg and re-encrypt all the default vaults, so people with access to only the default vaults can't decrypt vaults encrypted before the split (e.g. an older revision of the Hetzner vault).
added 1 commit
- 99c1dd89 - hcloud_inventory: use read-only API key for hcloud
added 1 commit
- f6de5b8f - Improve vault key docs and consolidate related tasks
added 4 commits
- cbb3838a...b0f0e2ec - 2 commits from branch master
- ef4e97cf - Place more sensitive secrets into a separate vault
- 72f9dc07 - hcloud_inventory: use read-only API key for hcloud
mentioned in merge request !567 (merged)
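The `git grep` checks earlier in this thread select vaults by the first line of each file, where a vault-id label such as `super` is appended to the Ansible vault header. The sketch below is an added example, not code from this merge request: it parses that header and flags files that are expected to be in the super vault but are not. The file paths, the `must_be_super` set and the ciphertext bytes are constructed for illustration.

```python
import re

# Ansible vault header: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id label>]
# Format 1.1 carries no label; format 1.2 appends one (here: "super").
HEADER = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);(AES256)(?:;([^;\s]+))?$")


def vault_label(text):
    """Return the vault-id label, "default" for an unlabelled vault,
    or None when the content is not a whole-file vault."""
    lines = text.splitlines()
    if not lines:
        return None
    match = HEADER.match(lines[0].strip())
    if not match:
        return None
    return match.group(3) or "default"


def audit(files, must_be_super):
    """files maps path -> content. Returns (paths grouped by label, violations)."""
    by_label, violations = {}, []
    for path, text in sorted(files.items()):
        label = vault_label(text)
        if label is None:
            if path in must_be_super:
                violations.append((path, "not encrypted"))
            continue
        by_label.setdefault(label, []).append(path)
        if path in must_be_super and label != "super":
            violations.append((path, f"encrypted with '{label}' vault"))
    return by_label, violations


# Constructed sample contents; paths and hex payloads are hypothetical.
SAMPLE = {
    "vault_hetzner.yml": "$ANSIBLE_VAULT;1.2;AES256;super\n61326533\n",
    "vault_hcloud.yml": "$ANSIBLE_VAULT;1.1;AES256\n39383736\n",
    "vault_monitoring.yml": "$ANSIBLE_VAULT;1.1;AES256\n35343332\n",
    "plain.yml": "---\nfoo: bar\n",
}
MUST_BE_SUPER = {"vault_hetzner.yml", "vault_hcloud.yml"}  # assumed policy list

if __name__ == "__main__":
    groups, problems = audit(SAMPLE, MUST_BE_SUPER)
    print(groups)
    print(problems)
```

A check like this only sees the current tree; older revisions encrypted with the previous default password stay readable to anyone holding that password, which is the reason given above for rotating it.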