From b46d2adf8009cdf503adf1a7913021d1d3e3b49d Mon Sep 17 00:00:00 2001 From: genwhittTTD Date: Mon, 17 Nov 2025 15:06:36 -0500 Subject: [PATCH 1/2] Private Operator docs, add info re rotating the keys --- docs/guides/integration-options-private-operator.md | 5 +++++ docs/guides/operator-guide-aks-enclave.md | 5 +++++ docs/guides/operator-guide-aws-marketplace.md | 4 ++++ docs/guides/operator-guide-azure-enclave.md | 5 +++++ docs/guides/operator-private-gcp-confidential-space.md | 5 +++++ docs/snippets/_private-operator-rotating-the-keys.mdx | 7 +++++++ 6 files changed, 31 insertions(+) create mode 100644 docs/snippets/_private-operator-rotating-the-keys.mdx diff --git a/docs/guides/integration-options-private-operator.md b/docs/guides/integration-options-private-operator.md index 40020fcb0..47ed5932a 100644 --- a/docs/guides/integration-options-private-operator.md +++ b/docs/guides/integration-options-private-operator.md @@ -7,6 +7,7 @@ displayed_sidebar: docs import Link from '@docusaurus/Link'; import UpgradePolicy from '../snippets/_private-operator-upgrade-policy.mdx'; +import SnptRotatingTheKeys from '../snippets/_private-operator-rotating-the-keys.mdx'; # UID2 Private Operator Integration Overview @@ -93,6 +94,10 @@ For information about supported versions and deprecation dates, see [Private Ope +## Rotating the Keys + + + ## Getting Started To get started as a Private Operator, follow these steps: diff --git a/docs/guides/operator-guide-aks-enclave.md b/docs/guides/operator-guide-aks-enclave.md index 66d1a20a0..4a260b78b 100644 --- a/docs/guides/operator-guide-aks-enclave.md +++ b/docs/guides/operator-guide-aks-enclave.md @@ -10,6 +10,7 @@ displayed_sidebar: docs import Link from '@docusaurus/Link'; import UpgradePolicy from '../snippets/_private-operator-upgrade-policy.mdx'; +import SnptRotatingTheKeys from '../snippets/_private-operator-rotating-the-keys.mdx'; # UID2 Private Operator for AKS Integration Guide @@ -471,3 +472,7 @@ To upgrade, complete the following steps: ``` kubectl get pods ``` + +## Rotating the Keys + + diff --git a/docs/guides/operator-guide-aws-marketplace.md b/docs/guides/operator-guide-aws-marketplace.md index 10a03096d..1103755da 100644 --- a/docs/guides/operator-guide-aws-marketplace.md +++ b/docs/guides/operator-guide-aws-marketplace.md @@ -11,6 +11,7 @@ displayed_sidebar: docs import Link from '@docusaurus/Link'; import UpgradePolicy from '../snippets/_private-operator-upgrade-policy.mdx'; import AttestFailure from '../snippets/_private-operator-attest-failure.mdx'; +import SnptRotatingTheKeys from '../snippets/_private-operator-rotating-the-keys.mdx'; # UID2 Private Operator for AWS Integration Guide @@ -359,6 +360,9 @@ The following table includes some additional commands that might help you manage | Runs one iteration of `logrotate` manually, without changing the scheduled interval. | `sudo logrotate -f /etc/logrotate.conf --force` | | Reloads `syslog-ng`. | `sudo /usr/sbin/syslog-ng-ctl reload` | +## Rotating the Keys + + ## UID2 Operator Error Codes diff --git a/docs/guides/operator-guide-azure-enclave.md b/docs/guides/operator-guide-azure-enclave.md index 4a521197f..9118270a7 100644 --- a/docs/guides/operator-guide-azure-enclave.md +++ b/docs/guides/operator-guide-azure-enclave.md @@ -10,6 +10,7 @@ displayed_sidebar: docs import Link from '@docusaurus/Link'; import UpgradePolicy from '../snippets/_private-operator-upgrade-policy.mdx'; +import SnptRotatingTheKeys from '../snippets/_private-operator-rotating-the-keys.mdx'; # UID2 Private Operator for Azure Integration Guide @@ -336,6 +337,10 @@ To upgrade, complete the following steps: for i in {0..COUNT}; az container delete --name uid-operator-OLD-VERSION-$i --resource-group {RESOURCE_GROUP} --yes ``` +## Rotating the Keys + + + ## UID2 Operator Error Codes The following table lists errors that might occur during a Private Operator's startup sequence. diff --git a/docs/guides/operator-private-gcp-confidential-space.md b/docs/guides/operator-private-gcp-confidential-space.md index bd5bb78fe..a0683892d 100644 --- a/docs/guides/operator-private-gcp-confidential-space.md +++ b/docs/guides/operator-private-gcp-confidential-space.md @@ -10,6 +10,7 @@ displayed_sidebar: docs import Link from '@docusaurus/Link'; import UpgradePolicy from '../snippets/_private-operator-upgrade-policy.mdx'; +import SnptRotatingTheKeys from '../snippets/_private-operator-rotating-the-keys.mdx'; # UID2 Private Operator for GCP Integration Guide @@ -532,6 +533,10 @@ If you previously set up a load balancer manually, you'll also need to update th ## Scraping Metrics The Private Operator for GCP exposes [Prometheus-formatted metrics](https://prometheus.io/docs/concepts/data_model/) on port 9080 through the /metrics endpoint. You can use a Prometheus-compatible scraper to collect and aggregate these metrics for your own needs. +## Rotating the Keys + + + ## UID2 Operator Error Codes The following table lists errors that might occur during a Private Operator's startup sequence. diff --git a/docs/snippets/_private-operator-rotating-the-keys.mdx b/docs/snippets/_private-operator-rotating-the-keys.mdx new file mode 100644 index 000000000..652bb6cc1 --- /dev/null +++ b/docs/snippets/_private-operator-rotating-the-keys.mdx @@ -0,0 +1,7 @@ + + +It's a good security practice to rotate the keys on a regular cadence. + +[**GWH__SW question. In this doc (AWS) we mention: KMSKey, SSMKeyAlias, "the operator key", SSH key, the key store, OPERATOR_KEY, EC2 key pair. I'd like to be clear about naming and I'm frankly not sure... is it the operator key? Just need to be a bit clearer than "rotate the keys"**] + +For specific recommendations, see [Security of API Key and Client Secret](../getting-started/gs-credentials.md#security-of-api-key-and-client-secret). From 848eb6282e4469beefbcaf3c57c266011a23e957 Mon Sep 17 00:00:00 2001 From: genwhittTTD Date: Tue, 18 Nov 2025 13:27:59 -0500 Subject: [PATCH 2/2] edits from SW --- docs/guides/integration-options-private-operator.md | 2 +- docs/guides/operator-guide-aks-enclave.md | 2 +- docs/guides/operator-guide-aws-marketplace.md | 2 +- docs/guides/operator-guide-azure-enclave.md | 2 +- docs/guides/operator-private-gcp-confidential-space.md | 2 +- docs/snippets/_private-operator-rotating-the-keys.mdx | 9 +++++---- 6 files changed, 10 insertions(+), 9 deletions(-) diff --git a/docs/guides/integration-options-private-operator.md b/docs/guides/integration-options-private-operator.md index 47ed5932a..19a616a53 100644 --- a/docs/guides/integration-options-private-operator.md +++ b/docs/guides/integration-options-private-operator.md @@ -94,7 +94,7 @@ For information about supported versions and deprecation dates, see [Private Ope -## Rotating the Keys +## Keeping the Operator Key Secure diff --git a/docs/guides/operator-guide-aks-enclave.md b/docs/guides/operator-guide-aks-enclave.md index 4a260b78b..f0180f206 100644 --- a/docs/guides/operator-guide-aks-enclave.md +++ b/docs/guides/operator-guide-aks-enclave.md @@ -473,6 +473,6 @@ To upgrade, complete the following steps: kubectl get pods ``` -## Rotating the Keys +## Keeping the Operator Key Secure diff --git a/docs/guides/operator-guide-aws-marketplace.md b/docs/guides/operator-guide-aws-marketplace.md index 1103755da..4ab284755 100644 --- a/docs/guides/operator-guide-aws-marketplace.md +++ b/docs/guides/operator-guide-aws-marketplace.md @@ -360,7 +360,7 @@ The following table includes some additional commands that might help you manage | Runs one iteration of `logrotate` manually, without changing the scheduled interval. | `sudo logrotate -f /etc/logrotate.conf --force` | | Reloads `syslog-ng`. | `sudo /usr/sbin/syslog-ng-ctl reload` | -## Rotating the Keys +## Keeping the Operator Key Secure diff --git a/docs/guides/operator-guide-azure-enclave.md b/docs/guides/operator-guide-azure-enclave.md index 9118270a7..141dd6b83 100644 --- a/docs/guides/operator-guide-azure-enclave.md +++ b/docs/guides/operator-guide-azure-enclave.md @@ -337,7 +337,7 @@ To upgrade, complete the following steps: for i in {0..COUNT}; az container delete --name uid-operator-OLD-VERSION-$i --resource-group {RESOURCE_GROUP} --yes ``` -## Rotating the Keys +## Keeping the Operator Key Secure diff --git a/docs/guides/operator-private-gcp-confidential-space.md b/docs/guides/operator-private-gcp-confidential-space.md index a0683892d..6d88d33d7 100644 --- a/docs/guides/operator-private-gcp-confidential-space.md +++ b/docs/guides/operator-private-gcp-confidential-space.md @@ -533,7 +533,7 @@ If you previously set up a load balancer manually, you'll also need to update th ## Scraping Metrics The Private Operator for GCP exposes [Prometheus-formatted metrics](https://prometheus.io/docs/concepts/data_model/) on port 9080 through the /metrics endpoint. You can use a Prometheus-compatible scraper to collect and aggregate these metrics for your own needs. -## Rotating the Keys +## Keeping the Operator Key Secure diff --git a/docs/snippets/_private-operator-rotating-the-keys.mdx b/docs/snippets/_private-operator-rotating-the-keys.mdx index 652bb6cc1..c6b1dc3e0 100644 --- a/docs/snippets/_private-operator-rotating-the-keys.mdx +++ b/docs/snippets/_private-operator-rotating-the-keys.mdx @@ -1,7 +1,8 @@ -It's a good security practice to rotate the keys on a regular cadence. +Here are some guidelines for keeping your operator key secure: -[**GWH__SW question. In this doc (AWS) we mention: KMSKey, SSMKeyAlias, "the operator key", SSH key, the key store, OPERATOR_KEY, EC2 key pair. I'd like to be clear about naming and I'm frankly not sure... is it the operator key? Just need to be a bit clearer than "rotate the keys"**] - -For specific recommendations, see [Security of API Key and Client Secret](../getting-started/gs-credentials.md#security-of-api-key-and-client-secret). +- When you receive your operator key, store it in a secure location. +- Keep track of all places where the key is used, so that if you need to rotate it you can do so quickly. +- Establish a process for replacing the existing value with a new one if the key is compromised. +- Rotate it on a regular cadence—for example, yearly—to help reduce the risk of the key being compromised.