Task: add documentation for metadata update
MVrachev opened this issue
What is the task about?
Describe how our users can do a successful metadata update.
We want to cover in the doc:
- what can be updated from the metadata update RSTUF CLI command
- explaining how offline keys can be updated
- explaining the process of how to correctly update the online key
https://repository-service-tuf.readthedocs.io/en/stable/guide/general/usage.html#metadata-update
I think we can improve it.
I think it's really important to describe well as an algorithm how to update the online key.
I think this should happen as follows:
1. Append a new keyid to the RSTUF_*_KEYVAULT_KEYS env variable.
2. Finish a successful metadata update ceremony from the RSTUF CLI.
3. Call POST /api/v1/metadata with the new payload.
4. Restart your container.
It's important that you do steps 1 to 3 before you restart your container so that the new root.json has the new keyid; otherwise you will end up with an invalid repository that cannot sign.
If you forgot to do step 1, you will end up with a new root with a new online key id which doesn't match the key used by your signer.
If you forgot to do steps 2 or 3, you won't have a new root.json and you will continue using the old signer based on the old online key.
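An added pre-restart check for the two failure modes described above (example code, not part of this issue or of RSTUF): it parses the new root.json in the standard TUF metadata layout and reports whether the root version advanced and whether every keyid used by the online roles is among the keyids the signer has been configured with. The sample root and the keyids below are constructed placeholders; how the configured keyids are read out of the RSTUF_*_KEYVAULT_KEYS variable is left to the operator.

```python
"""Pre-restart consistency check for an RSTUF online key rotation."""
import json

# In RSTUF the timestamp, snapshot and targets roles share the online key.
ONLINE_ROLES = ("timestamp", "snapshot", "targets")

# Constructed sample: the new root.json produced by a metadata update
# ceremony (version 2) that rotates the online key to "newkeyid".
_KEY = {"keytype": "ed25519", "scheme": "ed25519", "keyval": {"public": "PLACEHOLDER"}}
NEW_ROOT_JSON = json.dumps({
    "signed": {
        "_type": "root",
        "version": 2,
        "keys": {"rootkeyid": _KEY, "newkeyid": _KEY},
        "roles": {
            "root": {"keyids": ["rootkeyid"], "threshold": 1},
            "timestamp": {"keyids": ["newkeyid"], "threshold": 1},
            "snapshot": {"keyids": ["newkeyid"], "threshold": 1},
            "targets": {"keyids": ["newkeyid"], "threshold": 1},
        },
    },
    "signatures": [],
})


def online_keyids(root_json: str) -> set:
    """Return every keyid referenced by the online roles of a root.json."""
    roles = json.loads(root_json)["signed"]["roles"]
    return {k for role in ONLINE_ROLES for k in roles[role]["keyids"]}


def check_rotation(new_root_json: str, old_root_version: int, configured_keyids) -> list:
    """Return a list of problems; an empty list means it is safe to restart.

    configured_keyids: the keyids the signer will load (e.g. taken from the
    RSTUF_*_KEYVAULT_KEYS env variable; parsing that value is an assumption
    left to the caller).
    """
    signed = json.loads(new_root_json)["signed"]
    problems = []
    # Steps 2 or 3 skipped: no new root was published, old signer stays in use.
    if signed["version"] <= old_root_version:
        problems.append(f"root version {signed['version']} did not advance past {old_root_version}")
    # Step 1 skipped: the new root names a key the signer cannot load.
    missing = online_keyids(new_root_json) - set(configured_keyids)
    if missing:
        problems.append(f"online keyids not configured for the signer: {sorted(missing)}")
    # Malformed root: a role references a keyid that is not in the keys map.
    unknown = online_keyids(new_root_json) - set(signed["keys"])
    if unknown:
        problems.append(f"online keyids missing from root 'keys': {sorted(unknown)}")
    return problems
```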
After a conversation with @kairoaraujo we came up with the following steps for AWS KeyVault online key rotation
- Create AWS key
- Update env variable
- Restart containers
- Init all possible signers
- Do a "metadata update" ceremony
- Publish new root version