Felipe Monteiro
|
2a8d2638b3
|
pki: Port Promenade's PKI catalog into Pegleg
This patch set implements the PKICatalog [0] requirements
as well as PeglegManagedDocument [1] generation requirements
outlined in the spec [2].
Included in this patch set:
* New CLI entry point called "pegleg site secrets generate-pki"
* PeglegManagedDocument generation logic in
engine.cache.managed_document
* Refactored PKICatalog logic in engine.cache.pki_catalog derived
from the Promenade PKI implementation [3], responsible for
generating certificates, CAs, and keypairs
* Refactored PKIGenerator logic in engine.cache.pki_generator
derived from Promenade Generator implementation [4],
responsible for reading in pegleg/PKICatalog/v1 documents (as
well as promenade/PKICatalog/v1 documents for backwards
compatibility) and generating required secrets and storing
them into the paths specified under [0]
* Unit tests for all of the above [5]
* Example pki-catalog.yaml document under pegleg/site_yamls
* Validation schema for pki-catalog.yaml (TODO: implement
validation logic here: [6])
* Updates to CLI documentation and inclusion of PKICatalog
and PeglegManagedDocument documentation
* Documentation updates with PKI information [7]
TODO (in follow-up patch sets):
* Expand on overview documentation to include new Pegleg
responsibilities
* Allow the original repository (not the copied one) to
be the destination where the secrets are written to
* Finish up cert expiry/revocation logic
[0] https://airship-specs.readthedocs.io/en/latest/specs/approved/pegleg-secrets.html#document-generation
[1] https://airship-specs.readthedocs.io/en/latest/specs/approved/pegleg-secrets.html#peglegmanageddocument
[2] https://airship-specs.readthedocs.io/en/latest/specs/approved/pegleg-secrets.html
[3] https://github.com/openstack/airship-promenade/blob/master/promenade/pki.py
[4] https://github.com/openstack/airship-promenade/blob/master/promenade/generator.py
[5] https://review.openstack.org/#/c/611739/
[6] https://review.openstack.org/#/c/608159/
[7] https://review.openstack.org/#/c/611738/
Change-Id: I3010d04cac6d22c656d144f0dafeaa5e19a13068
|
2019-01-15 13:29:21 -06:00 |
|