mirror of
https://github.com/cisagov/manage.get.gov.git
synced 2025-05-23 21:09:22 +02:00
508e5384cb
* Add templates, scripts, and process documentation for creating and destroying developer sandboxes * Create developer sandbox 'lmm' infrastructure * fix up newlines * fix action syntax pull_request * add a line about the public.crt to developer docs * add docs about branch conventions * add new developer sandbox 'ik' infrastructure * Add new developer sandbox 'nmb' infrastructure * Add new developer sandbox 'sspj' infrastructure * Add new developer sandbox 'mr' infrastructure * make github actions dynamic by environment * trying something out with dynamic github action for dev sandbox * consolidate github actions to dynamic action * try out run name * combo run name and name * respond to comments
59 lines
1.9 KiB
Markdown
59 lines
1.9 KiB
Markdown
# HOWTO Rotate the Application's Secrets
|
|
========================
|
|
|
|
Secrets are read from the running environment.
|
|
|
|
Secrets were originally created with:
|
|
|
|
```sh
|
|
cf cups getgov-credentials -p credentials-<ENVIRONMENT>.json
|
|
```
|
|
|
|
Where `credentials-<ENVIRONMENT>.json` looks like:
|
|
|
|
```json
|
|
{
|
|
"DJANGO_SECRET_KEY": "EXAMPLE",
|
|
"DJANGO_SECRET_LOGIN_KEY": "EXAMPLE",
|
|
...
|
|
}
|
|
```
|
|
|
|
(Specific credentials are mentioned below.)
|
|
|
|
You can see the current environment with `cf env <APP>`, for example `cf env getgov-stable`.
|
|
|
|
The commands `cups` and `uups` stand for [`create user provided service`](https://docs.cloudfoundry.org/devguide/services/user-provided.html) and `update user provided service`. User provided services are the way currently recommended by Cloud.gov for deploying secrets. The user provided service is bound to the application in `manifest-<ENVIRONMENT>.json`.
|
|
|
|
To rotate secrets, create a new `credentials-<ENVIRONMENT>.json` file, upload it, then restage the app.
|
|
|
|
Example:
|
|
|
|
```bash
|
|
cf update-user-provided-service getgov-credentials -p credentials-stable.json
|
|
cf restage getgov-stable --strategy rolling
|
|
```
|
|
|
|
Non-secret environment variables can be declared in `manifest-<ENVIRONMENT>.json` directly.
|
|
|
|
## DJANGO_SECRET_KEY
|
|
|
|
This is a standard Django secret key. See Django documentation for tips on generating a new one.
|
|
|
|
## DJANGO_SECRET_LOGIN_KEY
|
|
|
|
This is the base64 encoded private key used in the OpenID Connect authentication flow with Login.gov. It is used to sign a token during user login; the signature is examined by Login.gov before their API grants access to user data.
|
|
|
|
Generate a new key using this command (or whatever is most recently recommended by Login.gov):
|
|
|
|
```bash
|
|
openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout private.pem -out public.crt
|
|
```
|
|
|
|
Encode it using:
|
|
|
|
```bash
|
|
base64 private.pem
|
|
```
|
|
|
|
You also need to upload the `public.crt` key if recently created to the login.gov identity sandbox: https://dashboard.int.identitysandbox.gov/
|