Enhanced OpenShift CLI: Team Sharing
The enhanced OpenShift CLI can help you manage a large number of OpenShift clusters securely and efficiently. It is an open source project I created on GitHub.
As the fourth post of the enhanced oc series, this post shows you how to share the cluster access information saved in your local secret store with your team members.
Having the secret store shared across the team is very convenient. Any time you add new cluster access information to your local store after running oc login, the same access information is synchronized automatically to all team members' local stores, so they can use the same context alias to log in to the cluster you are working on without knowing the detailed login credentials.
Share Your Secret Store
If you want to share the cluster access information saved in your local secret store with your team members, add a git remote and push the local secret store to it:
$ gopass git remote add origin git@github.example.com:william/team-clusters.git
$ gopass git push origin master
Although you can use HTTPS when connecting to a remote git server such as GitHub, SSH is recommended. With SSH keys, you can connect to the remote repository without supplying a username and personal access token on each visit. For how to connect to GitHub with SSH, refer to the GitHub documentation.
Help Onboard Your Team Members
To get your team members onboard, ask them to install all the needed programs, such as gpg, git, gopass, and oc. Then have them generate a private and public key pair using the command below:
$ gpg --full-generate-key
Choose RSA and RSA as the key type, a key size of 2048, and a key that does not expire, then input your team member's user name, email address, and passphrase.
Then ask them to export the public key and send it to you. To find the public key ID:
$ gpg --list-keys --keyid-format LONG
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/93E7B0300BB9C91B 2021-03-17
uid Nicole <nicole@example.com>
sub 2048R/3AE8C980579D103C 2021-03-17
Pick the one that matches your team member's name and email address and copy the key ID from the pub line; in this case it is 93E7B0300BB9C91B. Then export the public key to a file using the key ID:
$ gpg --armor --export 93E7B0300BB9C91B > nicole_pub.gpg
After you receive the public key from your team member, import it on your local machine:
$ gpg --import nicole_pub.gpg
Add it as a recipient of the secret store:
$ gopass recipients add 93E7B0300BB9C91B
Then sign the public key with your own private key and trust it:
$ gpg --edit-key 93E7B0300BB9C91B
lsign
trust
save
Remove and re-add it as a recipient to trigger re-encryption of the secrets in your local store:
$ gopass recipients rm 93E7B0300BB9C91B
$ gopass recipients add 93E7B0300BB9C91B
All the changes you made locally above are auto-synced to the remote store.
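The onboarding steps above, as an added example that is not part of the original post or the enhanced oc project. It wraps the same gpg and gopass commands in shell functions, picks the long key ID out of the gpg --list-keys --keyid-format LONG listing (using a constructed sample listing), validates the ID format, and refuses to import a received public key whose fingerprint does not match the one the team member confirmed over a second channel (a standard check before lsign that the post itself does not spell out). It assumes GnuPG 2.1 or newer for --import-options show-only and --quick-lsign-key, gopass on PATH, and full (level 5) ownertrust as the meaning of the post's "trust" step.

```shell
#!/bin/sh
# Added example (not from the enhanced oc project or the original post):
# helpers around the onboarding steps above. The text helpers need only
# awk, grep and tr; onboard_recipient additionally assumes GnuPG 2.1 or
# newer (for --import-options show-only and --quick-lsign-key) and gopass.

# Constructed sample listing in the shape of the `gpg --list-keys --keyid-format LONG`
# output shown in the post. The first key is a decoy whose address merely
# starts with the one we want, so the lookup has to match the whole <address>.
SAMPLE_LISTING='/root/.gnupg/pubring.gpg
------------------------
pub   2048R/0123456789ABCDEF 2021-03-18
uid                          Someone Else <nicole@example.com.invalid>
sub   2048R/FEDCBA9876543210 2021-03-18
pub   2048R/93E7B0300BB9C91B 2021-03-17
uid                          Nicole <nicole@example.com>
sub   2048R/3AE8C980579D103C 2021-03-17'

# key_id_for_email EMAIL: read a key listing on stdin and print the long key
# ID from the pub line whose following uid carries exactly <EMAIL>. Handles
# both the "2048R/ID" (GnuPG 1.x) and "rsa2048/ID" (GnuPG 2.x) forms.
# Exit status 1 when no key carries that address.
key_id_for_email() {
    awk -v want="<$1>" '
        $1 == "pub" { split($2, parts, "/"); current = parts[2] }
        $1 == "uid" && index($0, want) > 0 { print current; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# is_long_key_id ID: true only for a 16-hex-digit long key ID, which catches
# a short ID or a whole fingerprint pasted into `gopass recipients add`.
is_long_key_id() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{16}$'
}

# fingerprint_matches ACTUAL EXPECTED: compare two fingerprints ignoring the
# spacing and case differences of a value read out loud or pasted from chat.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# fingerprint_of_file FILE: print the primary-key fingerprint of an armored
# public key file without importing it (GnuPG 2.1+).
fingerprint_of_file() {
    gpg --batch --with-colons --import-options show-only --import "$1" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# onboard_recipient FILE EXPECTED_FPR: the post's import / recipients add /
# lsign / trust / remove-and-re-add sequence, run only after the fingerprint
# inside FILE matches the one the team member confirmed over a second channel.
onboard_recipient() {
    keyfile=$1
    fpr=$(fingerprint_of_file "$keyfile")
    if ! fingerprint_matches "$fpr" "$2"; then
        echo "refusing to import $keyfile: fingerprint '$fpr' does not match" >&2
        return 1
    fi
    key_id=$(printf '%s' "$fpr" | tail -c 16)   # long key ID = last 16 hex digits of the fingerprint
    gpg --batch --import "$keyfile"                             || return 1
    gopass recipients add "$key_id"                             || return 1
    gpg --batch --yes --quick-lsign-key "$fpr"                  || return 1  # same as lsign + save in --edit-key
    printf '%s:5:\n' "$fpr" | gpg --batch --import-ownertrust   || return 1  # same as trust in --edit-key; 5 = full (assumed level)
    gopass recipients rm "$key_id" && gopass recipients add "$key_id"        # re-add to re-encrypt the store
}

# Stand-alone demo of the text helpers (no gpg or gopass needed).
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | key_id_for_email nicole@example.com
fi
```

Running the script with --demo prints 93E7B0300BB9C91B from the constructed listing; onboard_recipient nicole_pub.gpg "<fingerprint read back by Nicole>" runs the real sequence. --quick-lsign-key deliberately takes the full fingerprint rather than a key ID, which is why the fingerprint is compared first and the 16-digit key ID is only derived from it for the gopass recipients commands.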
Clone Remote Secret Store
Now you can ask your team members to clone the remote store to their local machines. Make sure they have been invited as collaborators on your remote store (the GitHub repository). They can then clone the store from GitHub:
$ gopass --yes setup --remote git@github.example.com:william/team-clusters.git --alias team-clusters --name Nicole --email "nicole@example.com"
For --name and --email, input the values your team members used when they generated their private and public key pair. Then they can run oc login and use the alias you defined to log in to the clusters.
The diagram below depicts the whole flow from end to end:
Summary
In this post, you learned how to share the cluster access information saved in your local secret store with your team members.
The enhanced OpenShift CLI is an open source project I created on GitHub. If you like it, consider giving it a star. You can also learn more about the project by reading its online documentation. Any contributions, such as bug reports and code submissions, are very welcome.