pegleg/doc/source/developer-overview.rst
Felipe Monteiro 2a8d2638b3 pki: Port Promenade's PKI catalog into Pegleg
This patch set implements the PKICatalog [0] requirements
as well as PeglegManagedDocument [1] generation requirements
outlined in the spec [2].

Included in this patch set:

* New CLI entry point called "pegleg site secrets generate-pki"
* PeglegManagedDocument generation logic in
  engine.cache.managed_document
* Refactored PKICatalog logic in engine.cache.pki_catalog derived
  from the Promenade PKI implementation [3], responsible for
  generating certificates, CAs, and keypairs
* Refactored PKIGenerator logic in engine.cache.pki_generator
  derived from Promenade Generator implementation [4],
  responsible for reading in pegleg/PKICatalog/v1 documents (as
  well as promenade/PKICatalog/v1 documents for backwards
  compatibility) and generating required secrets and storing
  them into the paths specified under [0]
* Unit tests for all of the above [5]
* Example pki-catalog.yaml document under pegleg/site_yamls
* Validation schema for pki-catalog.yaml (TODO: implement
  validation logic here: [6])
* Updates to CLI documentation and inclusion of PKICatalog
  and PeglegManagedDocument documentation
* Documentation updates with PKI information [7]

TODO (in follow-up patch sets):

* Expand on overview documentation to include new Pegleg
  responsibilities
* Allow the original repository (not the copied one) to
  be the destination where the secrets are written to
* Finish up cert expiry/revocation logic

[0] https://airship-specs.readthedocs.io/en/latest/specs/approved/pegleg-secrets.html#document-generation
[1] https://airship-specs.readthedocs.io/en/latest/specs/approved/pegleg-secrets.html#peglegmanageddocument
[2] https://airship-specs.readthedocs.io/en/latest/specs/approved/pegleg-secrets.html
[3] https://github.com/openstack/airship-promenade/blob/master/promenade/pki.py
[4] https://github.com/openstack/airship-promenade/blob/master/promenade/generator.py
[5] https://review.openstack.org/#/c/611739/
[6] https://review.openstack.org/#/c/608159/
[7] https://review.openstack.org/#/c/611738/

Change-Id: I3010d04cac6d22c656d144f0dafeaa5e19a13068
2019-01-15 13:29:21 -06:00

143 lines
4.3 KiB
ReStructuredText

..
Copyright 2018 AT&T Intellectual Property.
All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
============================
Developer Overview of Pegleg
============================
Pegleg's core mission is to, alongside Deckhand, facilitate document authoring
strategies within `Airship`_, by:
* aggregating documents across multiple revisioned repositories, each of
which contains multiple documents defining sites' software and hardware
stacks
* providing early linting of documents prior to their collection and
eventual deployment
* including utility functions enabling operators and developers alike to list
available sites, render individual manifests via `Deckhand`_, bootstrap
repositories with Pegleg-compliant directory layouts, to name a few
Architecture
============
Pegleg, as a CLI, has a rather simplistic architecture. It is meaningful to
visualize Pegleg alongside Deckhand:
.. image:: images/architecture-pegleg.png
:alt: High level architecture of Pegleg + Deckhand
Components
==========
cli
---
The Pegleg ``cli`` module implements the user-facing CLI. For more information
about this module, reference the :ref:`CLI documentation <pegleg-cli>`.
engine
------
The ``engine`` module implements the following functionality:
* document linting
* document rendering via `Deckhand`_
* document aggregation
* additional document utility functions
Developer Workflow
==================
Because Airship is a container-centric platform, the developer workflow heavily
utilizes containers for testing and publishing. It also requires Pegleg to
produce multiple artifacts that are related, but separate: the Python package,
the Docker image and the Helm chart. The code is published via the
Docker image artifact.
Pegleg strives to conform to the `Airship coding conventions`_.
Python
------
The Pegleg code base lives under ``pegleg``. Pegleg supports py36 interpreter.
Docker
------
The Pegleg Dockerfile is located in ``/images/pegleg`` along with any
artifacts built specifically to enable the container image. Make targets are
used for generating and testing the artifacts.
* ``make images`` - Build the Pegleg Docker image.
Pegleg, as a containerized CLI, uses Docker via ``tools/pegleg.sh`` to
execute CLI commands. Commands can also be executed using the ``Makefile``
target: ``run_pegleg``.
Virtual Environment
-------------------
Rather than, after each local code change, rebuilding the Pegleg image and
overriding the ``IMAGE`` environment variable so ``tools/pegleg.sh`` uses
the latest code changes, it is possible to use a virtual environment for
much faster development.
This can achieved by issuing the following commands (from the root Pegleg
directory):
.. code-block:: console
# Quick way of building a virtualenv and installing all required
# dependencies into it.
tox -e py36 --notest
source .tox/py36/bin/activate
pip install -e .
# Now is it possible to run the Pegleg CLI to test local changes:
pegleg <command> <options>
# Or run unit tests:
pytest -k <regex>
Note that after setting up the virtual environment, one only needs to source it
in order to re-run unit tests or Pegleg CLI commands, to test local changes.
Testing
=======
All Pegleg tests are nested under ``tests``.
Pegleg comes equipped with a number of `tox`_ targets for running unit tests,
as well as `pep8`_ and `Bandit`_ checks.
Unit Tests
----------
To run all unit tests, execute::
$ tox -e py36
To run unit tests using a regex, execute::
$ tox -e py36 -- <regex>
.. _Airship: https://airshipit.readthedocs.io
.. _Deckhand: https://airship-deckhand.readthedocs.io/
.. _Airship coding conventions: https://airshipit.readthedocs.io/en/latest/conventions.html
.. _tox: https://tox.readthedocs.io/
.. _pep8: https://www.python.org/dev/peps/pep-0008/
.. _Bandit: https://github.com/PyCQA/bandit