docs(migrating secrets): rewrite (#30302)

9817dde9 · HonkingGoose · GitHub · 3a353759 · 9817dde9
Unverified Commit 9817dde9 authored 8 months ago by HonkingGoose Committed by GitHub 8 months ago
--- a/docs/usage/getting-started/migrating-secrets.md
+++ b/docs/usage/getting-started/migrating-secrets.md
@@ -2,10 +2,15 @@

 On 01-Oct-2024 the Mend Renovate cloud apps will stop reading any encrypted secrets from the Renovate configuration file on your repository.
 Previously, you could encrypt a secret with the [Renovate encryption tool](https://app.renovatebot.com/encrypt) and then put it in your Renovate config file.
+
 Going forward, all secrets must be stored in the App settings on the cloud.
 They can be referenced from the Renovate config files inside the repo using `{{ secrets.SECRET_NAME }}` notation.

-```json title "Deprecated: example of encrypted secrets in Renovate config"
+## Old method
+
+This method will stop working on 01-Oct-2024:
+
+```json title="Put encrypted secret in Renovate config"
 {
  "hostRules": [
    {
@@ -18,7 +23,11 @@ They can be referenced from the Renovate config files inside the repo using `{{
 }
 ```

-```json "Correct method: reference app secrets in the Renovate config"
+## New method
+
+This is the new method, that you should start using:
+
+```json title="Reference the app secret in the Renovate config"
 {
  "hostRules": [
    {
@@ -29,63 +38,68 @@ They can be referenced from the Renovate config files inside the repo using `{{
 }
 ```

-<!-- prettier-ignore -->
-!!! tip "Migrate your secrets in encrypted form"
-    Mend recommends that you copy your secrets in their _encrypted_ form when you migrate.
-    The web UI will decrypt and store the value securely.
-    Do not change the secret during the migration, as this introduces an extra point of failure.
-    After the migration you can of course change/rotate the secret.
-
-## Migrating encrypted secrets using the encrypted value
+## Tips

-1. Copy the encrypted secret from your Renovate config file.
+### Migrate your secrets in encrypted form

-2. Go to the correct settings page for your organization or repository in the web UI at [developer.mend.io](https://developer.mend.io).
+Mend recommends that you copy your secrets in their _encrypted_ form when you migrate.
+The web UI will decrypt and store the value securely.

-3. On the **Credentials** page, select `ADD SECRET` to add the encrypted secret.
+### Do not change the secret during migration

-4. Give a value for `Secret name`, paste the encrypted secret into the `Secret Value` field, and select `SAVE`.
+Mend also recommends that you do _not_ change the secret during the migration, as this introduces an extra point of failure.
+After the migration you can of course change/rotate the secret.

-   > [!NOTE]
-   >
-   > When you migrate a secret from a repository, make sure you are adding the secret to the _same_ organization or repository for which you generated the secret!
-   >
-   > - A secret generated for a specific repository can only be added to that _same_ repository.
-   >   - A secret generated for a specific repository can only be added to the repository settings for the matching repository. This secret can _not_ be added to the organization's settings.
-   >   - A secret generated without a specific repository _can_ be added into the organization _or_ into the repository settings under that organization.
+## Two ways to migrate

-   When you try to add a secret in the wrong place, the settings UI will help you:
+There are two ways to migrate your secrets:

-   ![Migrating secrets error](../assets/images/app-settings/encrypted-secrets-error.png)
+1. Migrate encrypted secrets using the encrypted value
+2. Migrate encrypted secrets using the plain text value

-5. When you see the confirmation box with the text: **“Successfully migrated secret”**, your secret is now stored in the correct organization or repository.
+Mend recommends the first way.

-![Successfully migrated secret](../assets/images/app-settings/stored-secret-encrypted.png)
+### Migrate encrypted secrets using the encrypted value

-> [!IMPORTANT]
->
-> If the confirmation box does _not_ say **“Successfully migrated secret”**, but says: **“Successfully stored secret”** then the secret was not detected as a Renovate encrypted secret, and the value was treated as plaintext.
-> If you were expecting to import a secret originally encrypted by Renovate:
->
-> - Make sure you are pasting the secret into the correct organization or repository
-> - Check that you copied the encrypted secret correctly, and try again.
+1. Copy the encrypted secret from your Renovate config file.
+2. Go to the correct settings page for your organization or repository in the web UI at [developer.mend.io](https://developer.mend.io).
+3. On the **Credentials** page, select `ADD SECRET` to add the encrypted secret.
+4. Give a value for `Secret name`, paste the encrypted secret into the `Secret Value` field, and select `SAVE`.
+5. When you migrate a secret from a repository, make sure you are adding the secret to the _same_ organization or repository for which you generated the secret!
+   - A secret generated for a specific repository can only be added to that _same_ repository.
+   - A secret generated for a specific repository can only be added to the repository settings for the matching repository. This secret can _not_ be added to the organization's settings.
+   - A secret generated without a specific repository _can_ be added into the organization _or_ into the repository settings under that organization.
+6. If you see the confirmation box with the text: **“Successfully migrated secret”**, your secret is now stored in the correct organization or repository.
+   ![Successfully migrated secret](../assets/images/app-settings/stored-secret-encrypted.png)

-## To migrate encrypted secrets using the plain text value
+### Migrate encrypted secrets using the plain text value

 1. Go to the settings for the correct organization or repository in the web UI at [developer.mend.io](https://developer.mend.io).
-
 2. On the **Credentials** page, select `ADD SECRET` to add the plaintext secret.
-
   ![Add repo secret](../assets/images/app-settings/add-repo-secret.png)
-
 3. Give a value for `Secret name`, paste the plaintext secret into the `Secret Value` field, and select `SAVE`.
-
   ![Add a Secret dialog box](../assets/images/app-settings/add-a-secret.png)
-
 4. Wait for the confirmation dialog: **“Successfully stored secret”**.
-
   ![Successfully stored secret](../assets/images/app-settings/stored-secret-plaintext.png)

+## Troubleshooting
+
+### Are you trying to add the secret to the wrong place?
+
+If you accidentally end up in the wrong place, the settings UI will help you:
+
+![Migrating secrets error](../assets/images/app-settings/encrypted-secrets-error.png)
+
+## The confirmation box says "Successfully store secret", what does this mean?
+
+If the confirmation box says: **“Successfully stored secret”** then the secret was not detected as a Renovate encrypted secret.
+This means the value was treated as plaintext.
+
+If you were expecting to import a secret originally encrypted by Renovate:
+
+1. Make sure you are pasting the secret into the correct organization or repository
+2. Check that you copied the encrypted secret correctly, and try again.
+
 ## Related links

 - [Using Secrets with Mend Cloud Apps](app-secrets.md)