From 7076f440149d5a6ab9a5264c290b0bed2fca3f9d Mon Sep 17 00:00:00 2001
From: bom
Date: Fri, 18 Oct 2024 15:55:32 +0200
Subject: [PATCH] Add plan for live credential rotation

---
 docs/CredentialRotation.md | 104 +++++++++++++++++++++++++++++++++++++
 1 file changed, 104 insertions(+)
 create mode 100644 docs/CredentialRotation.md

diff --git a/docs/CredentialRotation.md b/docs/CredentialRotation.md
new file mode 100644
index 0000000..fb66135
--- /dev/null
+++ b/docs/CredentialRotation.md
@@ -0,0 +1,104 @@
+# Credential Rotation
+
+## Example Data
+
+Default
+
+```json
+[{
+ "current": true,
+ "id": "521e0760",
+ "userName": "root",
+ "hostName": "backup-restore-65bd9b6ff5-z69sn",
+ "created": "2024-10-18 13:08:16"
+}]
+```
+
+Add another password
+
+```json
+[
+ {
+ "current": true,
+ "id": "521e0760",
+ "userName": "root",
+ "hostName": "backup-restore-65bd9b6ff5-z69sn",
+ "created": "2024-10-18 13:08:16"
+ },
+ {
+ "current": false,
+ "id": "b67161fb",
+ "userName": "root",
+ "hostName": "backup-restore-65bd9b6ff5-z69sn",
+ "created": "2024-10-18 13:16:54"
+ }
+]
+```
+
+Change current password
+
+```json
+[
+ {
+ "current": false,
+ "id": "521e0760",
+ "userName": "root",
+ "hostName": "backup-restore-65bd9b6ff5-z69sn",
+ "created": "2024-10-18 13:08:16"
+ },
+ {
+ "current": true,
+ "id": "b67161fb",
+ "userName": "root",
+ "hostName": "backup-restore-65bd9b6ff5-z69sn",
+ "created": "2024-10-18 13:16:54"
+ }
+]
+```
+
+Remove old password
+
+```json
+[
+ {
+ "current": true,
+ "id": "b67161fb",
+ "userName": "root",
+ "hostName": "backup-restore-65bd9b6ff5-z69sn",
+ "created": "2024-10-18 13:16:54"
+ }
+]
+```
+
+## Steps
+
+Steps need to be validated and performed seperately and work independently of each other.
+To avoid problems where the program is shut down mid-transition.
+
+### Stages
+
+#### Initial State
+
+Validation:
+
+- Detect change requested: new password file environment is set
+
+Steps to perform:
+
+- Add new password
+- `restic -r key add --new-password-file `
+
+#### New password has been added
+
+Validation:
+
+- List of passwords has 2 entries
+- The password with the newer timestamp is not set as "current"
+
+Steps to perform:
+
+- Extract id of new password
+- Extract id of old password
+- Remove old password in favour of new one
+- `restic -r key remove --key-hint `
+- Unset new password file environment