# Store Gerrit Secrets in AWS Secrets Manager

[AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) is a secure way of
storing and managing secrets. These scripts make use of it to retrieve sensitive information
required to run Gerrit, such as private keys and passwords.

In order to do that, such secrets must first be uploaded to Secrets Manager, so that
they can be found and used during deployment.

To store the secrets, run the relevant [script](../gerrit/add_secrets_aws_secrets_manager.sh) to
upload them to AWS Secrets Manager:

```bash
./add_secrets_aws_secrets_manager.sh /path/to/your/keys/directory secret_prefix aws-region-id
```

for example:

```bash
./add_secrets_aws_secrets_manager.sh /tmp/secrets secret_prefix us-east-1
```

When `secret_prefix` is omitted, it is set to `gerrit_secret` by default.

The [script](../gerrit/add_secrets_aws_secrets_manager.sh) expects the secrets to be available in a
specified directory (e.g. `/tmp/secrets`).

The expected secrets are the following.

### SSH Host Keys

The SSH keys you will need to add are the ones usually created and used by Gerrit:
* ssh_host_ecdsa_384_key
* ssh_host_ecdsa_384_key.pub
* ssh_host_ecdsa_521_key
* ssh_host_ecdsa_521_key.pub
* ssh_host_ecdsa_key
* ssh_host_ecdsa_key.pub
* ssh_host_ed25519_key
* ssh_host_ed25519_key.pub
* ssh_host_rsa_key
* ssh_host_rsa_key.pub

You will have to create the keys and place them in a directory such as `/tmp/secrets`,
which you can then feed to the `add_secrets_aws_secrets_manager.sh` script.
These SSH host keys are generated by Gerrit during the init script, so you can copy them
from a previous installation (`etc/*key*` files), if you have one:

```bash
cp <previous_installation>/etc/*key* /tmp/secrets
```

If you don't have a previous installation of Gerrit, you can initialize a new Gerrit site and copy the
generated keys, as follows:

```bash
cd /tmp/
wget https://gerrit-releases.storage.googleapis.com/gerrit-3.2.2.war
java -jar gerrit-3.2.2.war init -d /tmp/foobar --dev --batch --no-auto-start
cp /tmp/foobar/etc/*key* /tmp/secrets
```

### Email Private Key

You will need to create a secret and put it in a file called `registerEmailPrivateKey`
in the same directory as the SSH keys (e.g. `/tmp/secrets`).

### LDAP Password

You will need to put the admin LDAP password in a file called `ldapPassword`
in the same directory as the SSH keys (e.g. `/tmp/secrets`).

### SMTP Password

You will need to put the SMTP password in a file called `smtpPassword`
in the same directory as the SSH keys (e.g. `/tmp/secrets`).

### Prometheus Bearer Token

Generate a bearer token to be used for monitoring with Prometheus:

```bash
openssl rand -hex 20 > /tmp/secrets/prometheus_bearer_token
```

### Private/public SSH key for replication (required only for recipes involving replicas)

You will also need to create the private and public SSH keys used by the replication plugin to replicate
from primaries to replicas, for example:

```bash
ssh-keygen -b 2048 -m PEM -t rsa -f /tmp/secrets/replication_user_id_rsa -q -N ""
```

* replication_user_id_rsa
* replication_user_id_rsa.pub
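
As an added example (not the project's own `add_secrets_aws_secrets_manager.sh` script), the following shell functions pre-flight the secrets directory described above before it is handed to the script: every expected file must exist and be non-empty, and nothing except the `.pub` halves may be readable by group or others. A second set of functions prints, without executing, the AWS CLI calls that would upload each file, so the plan can be reviewed offline. The `<prefix>_<filename>` secret naming, the function names `check_secrets_dir`, `upload_command` and `plan_upload`, and the use of `aws secretsmanager create-secret` with a `file://` argument are assumptions of this example, not something the page states about the script; the demo directory is filled with placeholder strings, not real keys.

```bash
#!/usr/bin/env sh
# Added example, not the project's script. Assumptions (not from the page):
# secrets are named "<prefix>_<filename>" and each file becomes one secret
# created with "aws secretsmanager create-secret --secret-string file://...".
set -u

# Files the page requires in the secrets directory.
REQUIRED_SECRETS="ssh_host_ecdsa_384_key ssh_host_ecdsa_384_key.pub \
ssh_host_ecdsa_521_key ssh_host_ecdsa_521_key.pub \
ssh_host_ecdsa_key ssh_host_ecdsa_key.pub \
ssh_host_ed25519_key ssh_host_ed25519_key.pub \
ssh_host_rsa_key ssh_host_rsa_key.pub \
registerEmailPrivateKey ldapPassword smtpPassword prometheus_bearer_token"

# Only needed for recipes involving replicas.
REPLICATION_SECRETS="replication_user_id_rsa replication_user_id_rsa.pub"

# check_secrets_dir DIR [with_replication]
# Returns 0 when every required file exists, is non-empty, and every private
# file (anything not ending in .pub) is accessible by its owner only.
check_secrets_dir() {
  dir=$1
  want="$REQUIRED_SECRETS"
  if [ "${2:-}" = "with_replication" ]; then want="$want $REPLICATION_SECRETS"; fi
  status=0
  for f in $want; do
    p="$dir/$f"
    if [ ! -s "$p" ]; then
      echo "missing or empty: $p" >&2
      status=1
      continue
    fi
    case "$f" in
      *.pub) ;;  # public halves may stay world-readable
      *)
        # Octal mode must end in "00": no group/other bits on private material.
        mode=$(stat -c %a "$p" 2>/dev/null || stat -f %Lp "$p")
        case "$mode" in
          *00) ;;
          *) echo "too permissive ($mode): $p" >&2; status=1 ;;
        esac ;;
    esac
  done
  return $status
}

# secret_name PREFIX FILE -> "<prefix>_<file>" (assumed naming convention)
secret_name() { printf '%s_%s' "$1" "$2"; }

# upload_command DIR PREFIX REGION FILE
# Prints the AWS CLI call that would create the secret from FILE; nothing is
# executed here, so this stays offline. Pipe the output to sh to really upload.
upload_command() {
  printf 'aws secretsmanager create-secret --region %s --name %s --secret-string file://%s/%s\n' \
    "$3" "$(secret_name "$2" "$4")" "$1" "$4"
}

# plan_upload DIR [PREFIX] REGION
# Validates DIR, then prints one create-secret call per present file. PREFIX
# defaults to gerrit_secret, matching the page's documented default.
plan_upload() {
  dir=$1; prefix=${2:-gerrit_secret}; region=$3
  check_secrets_dir "$dir" || return 1
  for f in $REQUIRED_SECRETS $REPLICATION_SECRETS; do
    if [ -f "$dir/$f" ]; then upload_command "$dir" "$prefix" "$region" "$f"; fi
  done
}

# Constructed demo directory: placeholder strings stand in for real keys.
make_demo_dir() {
  d=$(mktemp -d)
  for f in $REQUIRED_SECRETS $REPLICATION_SECRETS; do
    printf 'placeholder-%s\n' "$f" > "$d/$f"
    chmod 600 "$d/$f"
  done
  printf '%s' "$d"
}
```

Run `plan_upload /tmp/secrets gerrit_secret us-east-1` to see the calls before anything leaves the machine; the permission check matters because a world-readable `ssh_host_*_key` or `ldapPassword` on the staging host leaks the same material the upload is meant to protect.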