Add plan for live credential rotation

This commit is contained in:
bom 2024-10-18 15:55:32 +02:00
parent 1dac340644
commit 7076f44014

104
docs/CredentialRotation.md Normal file
View file

@ -0,0 +1,104 @@
# Credential Rotation
## Example Data
Default
```json
[{
"current": true,
"id": "521e0760",
"userName": "root",
"hostName": "backup-restore-65bd9b6ff5-z69sn",
"created": "2024-10-18 13:08:16"
}]
```
Add another password
```json
[
{
"current": true,
"id": "521e0760",
"userName": "root",
"hostName": "backup-restore-65bd9b6ff5-z69sn",
"created": "2024-10-18 13:08:16"
},
{
"current": false,
"id": "b67161fb",
"userName": "root",
"hostName": "backup-restore-65bd9b6ff5-z69sn",
"created": "2024-10-18 13:16:54"
}
]
```
Change current password
```json
[
{
"current": false,
"id": "521e0760",
"userName": "root",
"hostName": "backup-restore-65bd9b6ff5-z69sn",
"created": "2024-10-18 13:08:16"
},
{
"current": true,
"id": "b67161fb",
"userName": "root",
"hostName": "backup-restore-65bd9b6ff5-z69sn",
"created": "2024-10-18 13:16:54"
}
]
```
Remove old password
```json
[
{
"current": true,
"id": "b67161fb",
"userName": "root",
"hostName": "backup-restore-65bd9b6ff5-z69sn",
"created": "2024-10-18 13:16:54"
}
]
```
## Steps
Steps need to be validated and performed seperately and work independently of each other.
To avoid problems where the program is shut down mid-transition.
### Stages
#### Initial State
Validation:
- Detect change requested: new password file environment is set
Steps to perform:
- Add new password
- `restic -r <repo> key add --new-password-file <file>`
#### New password has been added
Validation:
- List of passwords has 2 entries
- The password with the newer timestamp is not set as "current"
Steps to perform:
- Extract id of new password
- Extract id of old password
- Remove old password in favour of new one
- `restic -r <repo> key remove --key-hint <new-id> <old-id>`
- Unset new password file environment