airship/pegleg
Code Issues Proposed changes

Move generate-pki under generate sub-command

Browse Source 
Change-Id: I83b078d27eb2c07c3be7eb6543de85ce32fb2a6e
This commit is contained in:
Ian H. Pittwood 2019-11-18 10:57:19 -06:00 committed by Ian Pittwood
parent 980de8fd30
commit 7306c3af9b
5 changed files with 128 additions and 124 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

136
doc/source/cli/cli.rst
View File

@ -465,8 +465,8 @@ level operations for secrets documents of a site.
.. note:: .. note::
For the CLI commands ``encrypt``, ``decrypt``, ``generate-pki``, and ``wrap`` For the CLI commands ``encrypt``, ``decrypt``, ``generate certificates``
in the ``secrets`` command and ``wrap`` in the ``secrets`` command
group, which encrypt or decrypt site secrets, two environment variables, group, which encrypt or decrypt site secrets, two environment variables,
``PEGLEG_PASSPHRASE``, and ``PEGLEG_SALT``, are used to capture the ``PEGLEG_PASSPHRASE``, and ``PEGLEG_SALT``, are used to capture the
master passphrase, and the salt needed for encryption and decryption of the master passphrase, and the salt needed for encryption and decryption of the
@ -484,72 +484,6 @@ level operations for secrets documents of a site.
./pegleg.sh site -r <site_repo> -e <extra_repo> secrets <command> <options> ./pegleg.sh site -r <site_repo> -e <extra_repo> secrets <command> <options>
Generate PKI
^^^^^^^^^^^^
Generate certificates and keys according to all PKICatalog documents in the
site using the :ref:`pki` module. The default behavior is to generate all
certificates that are not yet present. For example, the first time generate PKI
is run or when new entries are added to the PKICatalogue, only those new
entries will be generated on subsequent runs.
Pegleg also supports a full regeneration of all certificates at any time, by
using the --regenerate-all flag.
Pegleg places generated document files in ``<site>/secrets/passphrases``,
``<site>/secrets/certificates``, or ``<site>/secrets/keypairs`` as
appropriate:
* The generated filenames for passphrases will follow the pattern
:file:`<passphrase-doc-name>.yaml`.
* The generated filenames for certificate authorities will follow the pattern
:file:`<ca-name>_ca.yaml`.
* The generated filenames for certificates will follow the pattern
:file:`<ca-name>_<certificate-doc-name>_certificate.yaml`.
* The generated filenames for certificate keys will follow the pattern
:file:`<ca-name>_<certificate-doc-name>_key.yaml`.
* The generated filenames for keypairs will follow the pattern
:file:`<keypair-doc-name>.yaml`.
Dashes in the document names will be converted to underscores for consistency.
**site_name** (Required).
Name of site.
**-a / --author** (Optional).
Identifying name of the author generating new certificates. Used for tracking
provenance information in the PeglegManagedDocuments. An attempt is made to
automatically determine this value, but should be provided.
**-d / --days** (Optional, Default=365).
Duration (in days) certificates should be valid.
Minimum=0, no maximum. Values less than 0 will raise an exception.
NOTE: A generated certificate where days = 0 should only be used for testing.
A certificate generated in such a way will be valid for 0 seconds.
**--regenerate-all** (Optional, Default=False).
Force Pegleg to regenerate all PKI items.
Examples
""""""""
::
./pegleg.sh site -r <site_repo> -e <extra_repo> \
secrets generate-pki \
<site_name> \
-a <author> \
-d <days> \
--regenerate-all
.. _command-line-repository-overrides:
Check PKI Certs Check PKI Certs
--------------- ---------------
@ -856,6 +790,72 @@ secrets documents of a site.
./pegleg.sh site -r <site_repo> -e <extra_repo> secrets generate <command> <options> ./pegleg.sh site -r <site_repo> -e <extra_repo> secrets generate <command> <options>
certificates
^^^^^^^^^^^^
Generate certificates and keys according to all PKICatalog documents in the
site using the :ref:`pki` module. The default behavior is to generate all
certificates that are not yet present. For example, the first time generate PKI
is run or when new entries are added to the PKICatalogue, only those new
entries will be generated on subsequent runs.
Pegleg also supports a full regeneration of all certificates at any time, by
using the --regenerate-all flag.
Pegleg places generated document files in ``<site>/secrets/passphrases``,
``<site>/secrets/certificates``, or ``<site>/secrets/keypairs`` as
appropriate:
* The generated filenames for passphrases will follow the pattern
:file:`<passphrase-doc-name>.yaml`.
* The generated filenames for certificate authorities will follow the pattern
:file:`<ca-name>_ca.yaml`.
* The generated filenames for certificates will follow the pattern
:file:`<ca-name>_<certificate-doc-name>_certificate.yaml`.
* The generated filenames for certificate keys will follow the pattern
:file:`<ca-name>_<certificate-doc-name>_key.yaml`.
* The generated filenames for keypairs will follow the pattern
:file:`<keypair-doc-name>.yaml`.
Dashes in the document names will be converted to underscores for consistency.
**site_name** (Required).
Name of site.
**-a / --author** (Optional).
Identifying name of the author generating new certificates. Used for tracking
provenance information in the PeglegManagedDocuments. An attempt is made to
automatically determine this value, but should be provided.
**-d / --days** (Optional, Default=365).
Duration (in days) certificates should be valid.
Minimum=0, no maximum. Values less than 0 will raise an exception.
NOTE: A generated certificate where days = 0 should only be used for testing.
A certificate generated in such a way will be valid for 0 seconds.
**--regenerate-all** (Optional, Default=False).
Force Pegleg to regenerate all PKI items.
Examples
""""""""
::
./pegleg.sh site -r <site_repo> -e <extra_repo> \
secrets generate certificates \
<site_name> \
-a <author> \
-d <days> \
--regenerate-all
.. _command-line-repository-overrides:
passphrases passphrases
""""""""""" """""""""""
Generates, wraps and encrypts passphrase documents specified in the Generates, wraps and encrypts passphrase documents specified in the

6
doc/source/pki/pki.rst
View File

@ -20,9 +20,9 @@ Public Key Infrastructure (PKI) Catalog
======================================= =======================================
Configuration for certificate and keypair generation in the cluster. The Configuration for certificate and keypair generation in the cluster. The
``pegleg generate-certs`` command will read all ``PKICatalog`` documents and ``pegleg secrets generate certificates`` command will read all ``PKICatalog``
either find pre-existing certificates/keys, or generate new ones based on the documents and either find pre-existing certificates/keys, or generate new ones
given definition. based on the given definition.
Dependencies Dependencies
------------ ------------

94
pegleg/cli.py
View File

@ -430,53 +430,6 @@ def secrets():
pass pass
@secrets.command(
'generate-pki',
short_help='Generate certs and keys according to the site PKICatalog',
help='Generate certificates and keys according to all PKICatalog '
'documents in the site using the PKI module. The default behavior is '
'to generate all certificates that are not yet present. For example, '
'the first time generate PKI is run or when new entries are added '
'to the PKICatalogue, only those new entries will be generated on '
'subsequent runs.')
@click.option(
'-a',
'--author',
'author',
help='Identifying name of the author generating new certificates. Used'
'for tracking provenance information in the PeglegManagedDocuments. '
'An attempt is made to automatically determine this value, '
'but should be provided.')
@click.option(
'-d',
'--days',
'days',
default=365,
show_default=True,
help='Duration in days generated certificates should be valid.')
@click.option(
'--regenerate-all',
'regenerate_all',
is_flag=True,
default=False,
show_default=True,
help='Force Pegleg to regenerate all PKI items.')
@click.argument('site_name')
def generate_pki(site_name, author, days, regenerate_all):
"""Generate certificates, certificate authorities and keypairs for a given
site.
"""
engine.repository.process_repositories(site_name, overwrite_existing=True)
config.set_global_enc_keys(site_name)
pkigenerator = catalog.pki_generator.PKIGenerator(
site_name, author=author, duration=days, regenerate_all=regenerate_all)
output_paths = pkigenerator.generate()
click.echo("Generated PKI files written to:\n%s" % '\n'.join(output_paths))
@secrets.command( @secrets.command(
'wrap', 'wrap',
help='Wrap bare files (e.g. pem or crt) in a PeglegManagedDocument ' help='Wrap bare files (e.g. pem or crt) in a PeglegManagedDocument '
@ -623,6 +576,53 @@ def generate():
pass pass
@generate.command(
'certificates',
short_help='Generate certs and keys according to the site PKICatalog',
help='Generate certificates and keys according to all PKICatalog '
'documents in the site using the PKI module. The default behavior is '
'to generate all certificates that are not yet present. For example, '
'the first time generate PKI is run or when new entries are added '
'to the PKICatalogue, only those new entries will be generated on '
'subsequent runs.')
@click.option(
'-a',
'--author',
'author',
help='Identifying name of the author generating new certificates. Used'
'for tracking provenance information in the PeglegManagedDocuments. '
'An attempt is made to automatically determine this value, '
'but should be provided.')
@click.option(
'-d',
'--days',
'days',
default=365,
show_default=True,
help='Duration in days generated certificates should be valid.')
@click.option(
'--regenerate-all',
'regenerate_all',
is_flag=True,
default=False,
show_default=True,
help='Force Pegleg to regenerate all PKI items.')
@click.argument('site_name')
def generate_pki(site_name, author, days, regenerate_all):
"""Generate certificates, certificate authorities and keypairs for a given
site.
"""
engine.repository.process_repositories(site_name, overwrite_existing=True)
config.set_global_enc_keys(site_name)
pkigenerator = catalog.pki_generator.PKIGenerator(
site_name, author=author, duration=days, regenerate_all=regenerate_all)
output_paths = pkigenerator.generate()
click.echo("Generated PKI files written to:\n%s" % '\n'.join(output_paths))
@generate.command('passphrases', help='Command to generate site passphrases') @generate.command('passphrases', help='Command to generate site passphrases')
@click.argument('site_name') @click.argument('site_name')
@click.option( @click.option(

4
releasenotes/notes/move-generate-pki-under-generate-subcommand-92c36d6e2fde6e5a.yaml Normal file
View File

@ -0,0 +1,4 @@
---
deprecations:
- |
Moved pegleg secrets generate-pki to pegleg secrets generate certificates.

12
tests/unit/test_cli.py
View File

@ -516,7 +516,7 @@ class TestSiteSecretsActions(BaseCLIActionTest):
not pki_utility.PKIUtility.cfssl_exists(), not pki_utility.PKIUtility.cfssl_exists(),
reason='cfssl must be installed to execute these tests') reason='cfssl must be installed to execute these tests')
def test_site_secrets_generate_pki_using_remote_repo_url(self): def test_site_secrets_generate_pki_using_remote_repo_url(self):
"""Validates ``generate-pki`` action using remote repo URL.""" """Validates ``generate certificates`` action using remote repo URL."""
# Scenario: # Scenario:
# #
# 1) Generate PKI using remote repo URL # 1) Generate PKI using remote repo URL
@ -524,7 +524,7 @@ class TestSiteSecretsActions(BaseCLIActionTest):
repo_url = 'https://opendev.org/airship/%s@%s' % ( repo_url = 'https://opendev.org/airship/%s@%s' % (
self.repo_name, self.repo_rev) self.repo_name, self.repo_rev)
secrets_opts = ['secrets', 'generate-pki', self.site_name] secrets_opts = ['secrets', 'generate', 'certificates', self.site_name]
result = self.runner.invoke(cli.site, ['-r', repo_url] + secrets_opts) result = self.runner.invoke(cli.site, ['-r', repo_url] + secrets_opts)
self._validate_generate_pki_action(result) self._validate_generate_pki_action(result)
@ -533,13 +533,13 @@ class TestSiteSecretsActions(BaseCLIActionTest):
not pki_utility.PKIUtility.cfssl_exists(), not pki_utility.PKIUtility.cfssl_exists(),
reason='cfssl must be installed to execute these tests') reason='cfssl must be installed to execute these tests')
def test_site_secrets_generate_pki_using_local_repo_path(self): def test_site_secrets_generate_pki_using_local_repo_path(self):
"""Validates ``generate-pki`` action using local repo path.""" """Validates ``generate certificates`` action using local repo path."""
# Scenario: # Scenario:
# #
# 1) Generate PKI using local repo path # 1) Generate PKI using local repo path
repo_path = self.treasuremap_path repo_path = self.treasuremap_path
secrets_opts = ['secrets', 'generate-pki', self.site_name] secrets_opts = ['secrets', 'generate', 'certificates', self.site_name]
result = self.runner.invoke(cli.site, ['-r', repo_path] + secrets_opts) result = self.runner.invoke(cli.site, ['-r', repo_path] + secrets_opts)
self._validate_generate_pki_action(result) self._validate_generate_pki_action(result)
@ -553,7 +553,7 @@ class TestSiteSecretsActions(BaseCLIActionTest):
"PEGLEG_SALT": "MySecretSalt1234567890][" "PEGLEG_SALT": "MySecretSalt1234567890]["
}) })
def test_site_secrets_encrypt_and_decrypt_local_repo_path(self): def test_site_secrets_encrypt_and_decrypt_local_repo_path(self):
"""Validates ``generate-pki`` action using local repo path.""" """Validates ``generate certificates`` action using local repo path."""
# Scenario: # Scenario:
# #
# 1) Encrypt a file in a local repo # 1) Encrypt a file in a local repo
@ -604,7 +604,7 @@ class TestSiteSecretsActions(BaseCLIActionTest):
"PEGLEG_SALT": "123456" "PEGLEG_SALT": "123456"
}) })
def test_site_secrets_wrap(self): def test_site_secrets_wrap(self):
"""Validates ``generate-pki`` action using local repo path.""" """Validates ``generate certificates`` action using local repo path."""
# Scenario: # Scenario:
# #
# 1) Encrypt a file in a local repo # 1) Encrypt a file in a local repo