Add generate-pki command as deprecated

In [0] the secrets generate-pki command was moved to secrets generate certificates. While release notes were added, this change impacts automation set up for users of Pegleg. This change adds back the generate-pki command but marks it as deprecated. [0] https://review.opendev.org/#/c/694810/ Change-Id: I6a3841e5f5313511ec2afd8340bcae5857cd81fa
2019-12-06 10:13:22 -06:00 · 2019-12-06 10:13:22 -06:00 · 1a1c31b5a7
commit 1a1c31b5a7
parent 2e0e9eab8c
2 changed files with 117 additions and 0 deletions
--- a/doc/source/cli/cli.rst
+++ b/doc/source/cli/cli.rst
@ -484,6 +484,72 @@ level operations for secrets documents of a site.
  ./pegleg.sh site -r <site_repo> -e <extra_repo> secrets <command> <options>


+  Generate PKI (deprecated)
+  ^^^^^^^^^^^^^^^^^^^^^^^^^
+
+  Generate certificates and keys according to all PKICatalog documents in the
+  site using the :ref:`pki` module. The default behavior is to generate all
+  certificates that are not yet present. For example, the first time generate PKI
+  is run or when new entries are added to the PKICatalogue, only those new
+  entries will be generated on subsequent runs.
+
+  Pegleg also supports a full regeneration of all certificates at any time, by
+  using the --regenerate-all flag.
+
+  Pegleg places generated document files in ``<site>/secrets/passphrases``,
+  ``<site>/secrets/certificates``, or ``<site>/secrets/keypairs`` as
+  appropriate:
+
+  * The generated filenames for passphrases will follow the pattern
+    :file:`<passphrase-doc-name>.yaml`.
+  * The generated filenames for certificate authorities will follow the pattern
+    :file:`<ca-name>_ca.yaml`.
+  * The generated filenames for certificates will follow the pattern
+    :file:`<ca-name>_<certificate-doc-name>_certificate.yaml`.
+  * The generated filenames for certificate keys will follow the pattern
+    :file:`<ca-name>_<certificate-doc-name>_key.yaml`.
+  * The generated filenames for keypairs will follow the pattern
+    :file:`<keypair-doc-name>.yaml`.
+
+  Dashes in the document names will be converted to underscores for consistency.
+
+  **site_name** (Required).
+
+  Name of site.
+
+  **-a / --author** (Optional).
+
+  Identifying name of the author generating new certificates. Used for tracking
+  provenance information in the PeglegManagedDocuments. An attempt is made to
+  automatically determine this value, but should be provided.
+
+  **-d / --days** (Optional, Default=365).
+
+  Duration (in days) certificates should be valid.
+  Minimum=0, no maximum.  Values less than 0 will raise an exception.
+
+  NOTE: A generated certificate where days = 0 should only be used for testing.
+  A certificate generated in such a way will be valid for 0 seconds.
+
+  **--regenerate-all** (Optional, Default=False).
+
+  Force Pegleg to regenerate all PKI items.
+
+  Examples
+  """"""""
+
+  ::
+
+    ./pegleg.sh site -r <site_repo> -e <extra_repo> \
+      secrets generate-pki \
+      <site_name> \
+      -a <author> \
+      -d <days> \
+      --regenerate-all
+
+  .. _command-line-repository-overrides:
+
+
 Check PKI Certs
 ---------------

--- a/pegleg/cli.py
+++ b/pegleg/cli.py
@ -15,6 +15,7 @@
 import functools
 import logging
 import os
+import warnings

 import click

@ -430,6 +431,56 @@ def secrets():
    pass


+@secrets.command(
+    'generate-pki',
+    short_help='[DEPRECATED - Use secrets generate certificates] \n'
+    'Generate certs and keys according to the site PKICatalog',
+    help='[DEPRECATED - Use secrets generate certificates]\n'
+    'Generate certificates and keys according to all PKICatalog '
+    'documents in the site using the PKI module. The default behavior is '
+    'to generate all certificates that are not yet present. For example, '
+    'the first time generate PKI is run or when new entries are added '
+    'to the PKICatalogue, only those new entries will be generated on '
+    'subsequent runs.')
+@click.option(
+    '-a',
+    '--author',
+    'author',
+    help='Identifying name of the author generating new certificates. Used'
+    'for tracking provenance information in the PeglegManagedDocuments. '
+    'An attempt is made to automatically determine this value, '
+    'but should be provided.')
+@click.option(
+    '-d',
+    '--days',
+    'days',
+    default=365,
+    show_default=True,
+    help='Duration in days generated certificates should be valid.')
+@click.option(
+    '--regenerate-all',
+    'regenerate_all',
+    is_flag=True,
+    default=False,
+    show_default=True,
+    help='Force Pegleg to regenerate all PKI items.')
+@click.argument('site_name')
+def generate_pki_deprecated(site_name, author, days, regenerate_all):
+    """Generate certificates, certificate authorities and keypairs for a given
+    site.
+
+    """
+    warnings.warn(
+        "DEPRECATED - Use secrets generate certificates", DeprecationWarning)
+    engine.repository.process_repositories(site_name, overwrite_existing=True)
+    config.set_global_enc_keys(site_name)
+    pkigenerator = catalog.pki_generator.PKIGenerator(
+        site_name, author=author, duration=days, regenerate_all=regenerate_all)
+    output_paths = pkigenerator.generate()
+
+    click.echo("Generated PKI files written to:\n%s" % '\n'.join(output_paths))
+
+
@secrets.command(
    'wrap',
    help='Wrap bare files (e.g. pem or crt) in a PeglegManagedDocument '