gerrit-monitoring/documentation/config-management.md
Thomas Draebing be862d863e Move internal project to open source
This change adds the current status of a project that aims to create
a simple monitoring setup to monitor Gerrit servers, which was developed
internally at SAP.

The project provides an opinionated and basic configuration for helm
charts that can be used to install Loki, Prometheus and Grafana on a
Kubernetes cluster. Scripts to easily apply the configuration and
install the whole setup are provided as well.

The contributions so far were done by (with number of commits)

  80  Thomas Draebing
  11  Matthias Sohn
   2  Saša Živkov

Change-Id: I8045780446edfb3c0dc8287b8f494505e338e066
2020-03-11 15:23:19 +01:00


# Config Management

The configuration in `config.yaml` contains secrets and should not be openly accessible. To secure the data contained within it, the values can be encrypted using a tool called sops. This tool uses a GPG key to encrypt the values of the YAML file. Having the GPG key also allows decrypting the values and working with the file. As long as the key is not compromised, the encrypted file can be shared securely between collaborators.

The process of using sops is described below.

## Install sops

On OSX, sops can be installed using brew:

```sh
brew install sops
```

Install gpg:

```sh
brew install gpg
```

You might need to add this to your `.bashrc` or `.zshrc` to enable sops to work correctly with gpg [1]:

```sh
GPG_TTY=$(tty)
export GPG_TTY
```

## Create GPG key (first time only)

Create a key by running the following command and following the instructions on the screen:

```sh
gpg --gen-key
```

## Encrypt the config file

Run the following command to encrypt the file:

```sh
sops \
  --encrypt \
  --in-place \
  # only the values of keys matching this regex are encrypted
  --encrypted-regex '(password|htpasswd|cert|key|apiUrl|caCert)$' \
  # fingerprint of the GPG key, extracted from the gpg listing
  --pgp \
    "$(gpg --fingerprint "$EMAIL" | \
       grep pub -A 1 | \
       grep -v pub | \
       sed 's/ //g')" \
  $FILE_TO_ENCODE
```

`$EMAIL` refers to the email used during the creation of the GPG key.
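The fingerprint lookup in the command above scrapes the human-readable `gpg --fingerprint` listing, whose layout differs between gpg versions and whose `grep pub` step also picks up any other line containing `pub`. The following added example (not part of the project's scripts) puts that pipeline next to gpg's machine-readable colon format (`gpg --with-colons --fingerprint "$EMAIL"`), in which every `fpr` record carries the fingerprint in field 10. The three sample listings are constructed for this example and stand in for real gpg output, so it runs without gpg installed.

```shell
#!/bin/sh
# Added example: two ways of resolving the fingerprint that `sops --pgp` expects.
# Both functions read gpg output from stdin so they can be exercised on the
# constructed samples below without gpg being present.

# The page's approach: scrape the human-readable listing.
fingerprint_from_listing() {
  grep -A 1 pub | grep -v pub | sed 's/ //g'
}

# Machine-readable alternative: in `gpg --with-colons` output every "fpr"
# record holds the fingerprint in field 10. `exit` after the first record
# keeps the primary key's fingerprint even when subkey records follow.
fingerprint_from_colons() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# Constructed sample of a gpg 2.x listing (fingerprint on the line after "pub").
SAMPLE_LISTING='pub   rsa3072 2020-03-11 [SC] [expires: 2022-03-11]
      0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid           [ultimate] Jane Doe <jane@example.com>
sub   rsa3072 2020-03-11 [E] [expires: 2022-03-11]'

# Constructed sample in the older gpg 1.x style, which labels the line.
SAMPLE_LEGACY_LISTING='pub   3072R/89ABCDEF 2020-03-11 [expires: 2022-03-11]
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid                  Jane Doe <jane@example.com>
sub   3072R/01234567 2020-03-11 [expires: 2022-03-11]'

# Constructed sample of `gpg --with-colons --fingerprint` for the same key
# (record layout as documented by gpg, values made up).
SAMPLE_COLONS='tru::1:1583936599:0:3:1:5
pub:u:3072:1:89ABCDEF01234567:1583936599:1646998599::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1583936599::0123456789ABCDEF0123456789ABCDEF01234567::Jane Doe <jane@example.com>::::::::::0:
sub:u:3072:1:0123456789ABCDEF:1583936599:1646998599:::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'

# The fingerprint all three samples describe, with spaces removed.
EXPECTED='0123456789ABCDEF0123456789ABCDEF01234567'

check_listing()        { printf '%s\n' "$SAMPLE_LISTING"        | fingerprint_from_listing; }
check_legacy_listing() { printf '%s\n' "$SAMPLE_LEGACY_LISTING" | fingerprint_from_listing; }
check_colons()         { printf '%s\n' "$SAMPLE_COLONS"         | fingerprint_from_colons; }

main() {
  echo "listing pipeline, gpg 2.x output : $(check_listing)"
  echo "listing pipeline, gpg 1.x output : $(check_legacy_listing)"
  echo "colon-format parser              : $(check_colons)"
}
main
```

On the gpg 2.x listing both methods yield the same 40-character fingerprint; on the older listing the scraping pipeline returns `Keyfingerprint=...`, which sops would reject. For real use, replace the sample with `gpg --with-colons --fingerprint "$EMAIL" | fingerprint_from_colons`.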

Alternatively, the `./encrypt.sh` script can be used to encrypt the file:

```sh
./encrypt.sh \
  [--email $EMAIL] \
  [--fingerprint $FINGERPRINT] \
  $FILE_TO_ENCODE
```

The GPG key used to encrypt the file can be selected either by giving the key's fingerprint directly with the `--fingerprint` option or by giving the email that identifies the key with the `--email` option. If both are given, `--fingerprint` takes precedence. At least one of them has to be set.
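Before committing an encrypted `config.yaml`, it is worth checking that every key matched by the `--encrypted-regex` above really came back as a sops `ENC[...]` value; a typo in the regex silently leaves a secret in plain text. The following added check is a hypothetical helper, not one of the project's scripts: it applies the page's regex to the key names of a sample file (constructed here, not the project's real config) and reports every matching scalar whose value is still plain text. It uses only POSIX sh and awk, so it runs without sops or gpg installed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the project): verify that the
# keys targeted by the page's --encrypted-regex were actually encrypted.

# Same regex as in the sops command; sops matches it against each key name.
SECRET_KEY_REGEX='(password|htpasswd|cert|key|apiUrl|caCert)$'

# Write a constructed sample config (not the project's real config.yaml) to $1.
# Three secrets carry sops ENC[...] values, two (htpasswd, key) are still plain,
# and one key (replicas) is not a secret at all.
write_sample_config() {
  cat > "$1" <<'EOF'
grafana:
  password: ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]
  apiUrl: ENC[AES256_GCM,data:aHR0cA==,iv:YmFy,tag:YmF6,type:str]
  replicas: 1
loki:
  htpasswd: admin:$apr1$notreallyahash
tls:
  caCert: ENC[AES256_GCM,data:Y2E=,iv:YmFy,tag:YmF6,type:str]
  key: "-----BEGIN PRIVATE KEY-----"
EOF
}

# Print "<line>: <key>" for every scalar whose key matches SECRET_KEY_REGEX
# but whose value is not a sops ENC[...] blob; exit status 1 if any is found.
# Limitation: line-based and scalar-only (block scalars are not inspected).
unencrypted_secrets() {
  awk -v re="$SECRET_KEY_REGEX" '
    /^[ \t]*[A-Za-z0-9_.-]+:[ \t]+[^ \t]/ {
      key = $0; sub(/^[ \t]*/, "", key); sub(/:.*$/, "", key)
      val = $0; sub(/^[^:]*:[ \t]*/, "", val)
      if (key ~ re && val !~ /^"?ENC\[/) { print NR ": " key; found = 1 }
    }
    END { if (found) exit 1 }' "$1"
}

# Stand-alone run against the constructed sample.
main() {
  f=$(mktemp)
  write_sample_config "$f"
  if unencrypted_secrets "$f"; then
    echo "all secret keys are encrypted"
  else
    echo "plain-text secrets found, do not commit this file" >&2
  fi
  rm -f "$f"
}
main
```

Run as `unencrypted_secrets config.yaml` after `sops --encrypt`; a non-zero exit status makes it usable as a pre-commit hook. Note that the regex is matched case-sensitively, exactly as written on the page, so a key such as `adminPassword` would not be flagged by this check and would not be encrypted by sops either.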

## Decrypt file

To decrypt the file, run:

```sh
sops --in-place -d $FILE_TO_DECODE
```

## Export GPG key

For other developers or build servers to be able to decrypt the configuration, the key has to be exported:

```sh
gpg --export -a "$EMAIL" > public.key
gpg --export-secret-key -a "$EMAIL" > private.key
```

On the receiving computer the key has to be imported by running:

```sh
gpg --import public.key
gpg --allow-secret-key-import --import private.key
```

[1] https://github.com/mozilla/sops/issues/304