Secret Rotation

This document lists every secret KubeArchive uses in its processes that requires rotation.

Secrets should be rotated twice a year (every 6 months):

  • January

  • July

KubeArchive Organization

OCI_PASSWORD

password for the robot account named after the variable OCI_USERNAME. Go to KubeArchive’s Quay Organization and regenerate the token for the appropriate robot.

KUBEARCHIVE_BOT_SECRET

to be done.

KUBEARCHIVE_RENOVATE_PRIVATE_KEY

private key for the bot named kubearchive-renovate. Go to the kubearchive-renovate app page and generate a new client secret.

KubeArchive Repository

PUSH_TO_MAIN_DEPLOY_KEY

SSH private key used to push to the default branch from the release workflow. See KubeArchive’s Release Keys and KubeArchive’s Rulesets for more information. Generate a new SSH key, add it to Deploy Keys, and then replace the secret value.
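The PUSH_TO_MAIN_DEPLOY_KEY steps above can be scripted with ssh-keygen and the GitHub CLI. This is an added example, not part of KubeArchive's own tooling; the `REPO` value is a placeholder, and the key title, the `--rotate` switch and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: rotate PUSH_TO_MAIN_DEPLOY_KEY with ssh-keygen and the GitHub CLI.
# REPO is a placeholder (assumption); set it to the real owner/name.
set -eu

REPO="${REPO:-OWNER/REPO}"
SECRET_NAME="PUSH_TO_MAIN_DEPLOY_KEY"

# Create a passphrase-less Ed25519 key pair in directory $1 and print the
# private key path. The workflow cannot type a passphrase, so the file must
# stay inside a private (0700) directory until it is deleted.
gen_deploy_key() {
    dir="$1"
    chmod 700 "$dir"
    ssh-keygen -q -t ed25519 -N "" -C "deploy-key-$(date +%Y-%m)" -f "$dir/deploy_key"
    printf '%s\n' "$dir/deploy_key"
}

# Register the new public key first, then swap the secret, so the release
# workflow never holds a key the repository does not accept.
rotate() {
    workdir="$(mktemp -d)"
    trap 'rm -rf "$workdir"' EXIT   # remove the local key copy on exit
    key="$(gen_deploy_key "$workdir")"
    gh repo deploy-key add "$key.pub" --repo "$REPO" --allow-write \
        --title "push-to-main $(date +%Y-%m)"
    gh secret set "$SECRET_NAME" --repo "$REPO" < "$key"
    # The previous key stays valid until it is deleted. List the keys and
    # remove the old one by id once a release run has succeeded:
    #   gh repo deploy-key delete <key-id> --repo "$REPO"
    gh repo deploy-key list --repo "$REPO"
}

# Only touch GitHub when explicitly asked: sh rotate.sh --rotate
if [ "${1:-}" = "--rotate" ]; then
    rotate
fi
```

Rotation is only complete once the old deploy key has been deleted; until then both keys can push to the default branch.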