# Credential Rotation

## Change password step

```mermaid
stateDiagram-v2
    noAction: no-pwd-change-needed
    wait: wait-for-new-pwd
    new: change-pwd
    finished: pwd-change-finished
    state configExist? <<choice>>
    state valid? <<choice>>
    state finished? <<choice>>

    [*] --> configExist?
    configExist? --> valid?: new-password-config-exist?
    configExist? --> noAction
    valid? --> finished?: valid-from > now?
    valid? --> wait
    finished? --> finished: current > valid-from?
    finished? --> new
    new --> [*]
    finished --> [*]
    noAction --> [*]
    wait --> [*]
```

## Example Data

Default

```json
[
  {
    "current": true,
    "id": "521e0760",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:08:16"
  }
]
```

Add another password

```json
[
  {
    "current": true,
    "id": "521e0760",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:08:16"
  },
  {
    "current": false,
    "id": "b67161fb",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:16:54"
  }
]
```

Change current password

```json
[
  {
    "current": false,
    "id": "521e0760",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:08:16"
  },
  {
    "current": true,
    "id": "b67161fb",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:16:54"
  }
]
```

Remove old password

```json
[
  {
    "current": true,
    "id": "b67161fb",
    "userName": "root",
    "hostName": "backup-restore-65bd9b6ff5-z69sn",
    "created": "2024-10-18 13:16:54"
  }
]
```

## Steps

Steps need to be validated and performed separately, and they must work independently of each other, to avoid problems when the program is shut down mid-transition.

### Stages

#### Initial State

Validation:

- Detect change requested: new password file environment is set

Steps to perform:

- Add new password
  - `restic -r <repo> --new-password-file <file> key passwd`

#### New password has been added

Validation:

- List of passwords has 2 entries
- The password with the newer timestamp is not set as "current"

Steps to perform:

- Extract id of new password
- Extract id of old password
- Remove old password in favour of new one
  - `restic -r <repo> key remove --key-hint <new-id> <old-id>`
- Unset new password file environment
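The stage detection and command planning from the Stages section, as an added Python example that is not part of this document or of the backup-restore project. It assumes the key list is the JSON printed by `restic key list --json`, that the value of the new-password-file environment variable is passed in as a plain string (or `None` when unset), and it only builds the restic command lines for the current stage without running them; the time-based valid-from check from the diagram is not modelled.

```python
import json
from datetime import datetime

# Constructed sample input: the "Add another password" key list shown on this page,
# in the format assumed for `restic key list --json`.
KEY_LIST_AFTER_ADD = """[
  {"current": true,  "id": "521e0760", "userName": "root",
   "hostName": "backup-restore-65bd9b6ff5-z69sn", "created": "2024-10-18 13:08:16"},
  {"current": false, "id": "b67161fb", "userName": "root",
   "hostName": "backup-restore-65bd9b6ff5-z69sn", "created": "2024-10-18 13:16:54"}
]"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_keys(raw):
    """Parse the key list JSON and sort entries oldest first by their created timestamp."""
    return sorted(json.loads(raw), key=lambda k: datetime.strptime(k["created"], TS_FORMAT))


def detect_stage(keys, new_password_file):
    """Classify the repository state per the Stages section; refuse anything unexpected.

    new_password_file is the value of the (assumed) new-password-file environment
    variable, or None when it is unset.
    """
    if not new_password_file:
        return "no-pwd-change-needed"          # no rotation requested
    if not keys:
        raise ValueError("empty key list")
    if len(keys) == 1:
        return "initial"                       # only the old key exists
    if len(keys) == 2 and not keys[-1]["current"]:
        return "new-password-added"            # newest key present but not yet current
    # Two keys with the newest already current, or more than two keys, is not a state
    # the procedure produces: stop rather than remove the wrong key.
    raise ValueError(f"unexpected key list: {len(keys)} keys, newest current={keys[-1]['current']}")


def plan_commands(keys, repo, new_password_file):
    """Return (stage, list of restic argv) for the single step this stage allows."""
    stage = detect_stage(keys, new_password_file)
    if stage == "initial":
        return stage, [["restic", "-r", repo, "--new-password-file", new_password_file,
                        "key", "passwd"]]
    if stage == "new-password-added":
        old_id, new_id = keys[0]["id"], keys[-1]["id"]   # ids of old and new password
        return stage, [["restic", "-r", repo, "key", "remove", "--key-hint", new_id, old_id]]
    return stage, []


if __name__ == "__main__":
    print(plan_commands(parse_keys(KEY_LIST_AFTER_ADD), "/backups/repo", "/run/secrets/new-password"))
```

After the remove step the list is back to a single entry, so the environment variable must be unset in the same run; otherwise the next invocation classifies the repository as `initial` again and repeats the `key passwd` step.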