Git Crypt

We use git-crypt to store the proxy secret tokens for each hub. Note that secrets requires for GitHub Actions are stored in the Settings section in repository as per the Actions docs <https://docs.github.com/en/actions/reference/encrypted-secrets>_.

Setup git-crypt

The files in secrets/ are encrypted with git-crypt. git-crypt allows us to store sensitive information in the repository “in plain sight”.

  1. To begin, install git-crypt. On OSX use:

brew install git-crypt

Alternatively, follow the instructions on https://www.agwa.name/projects/git-crypt/

  1. Obtain a copy of hub-ops.gitcrypt.key. You can ask Leah Wasser, Karen Cranston, or Max Joseph for a copy. Copy the file into your checkout of hub-ops

  2. From the checkout directory run:

cat hub-ops.gitcrypt.key | git-crypt unlock -

or

git-crypt unlock hub-ops.gitcrypt.key

You should now be able to see plain text files in secrets/.

  1. Add your name to the list of people to contact in step 2.

Working With Encrypted Files

Once you have setup git-crypt and unlocked the files locally, you will be able to see all of the secret keys and edit things as need be. When you commit and push, git-crypt will re-encrypt the files so that nothing secret is pushed in plain text to GitHub.

Setting up ingress and HTTPS Grafana and Prometheus