airship/pegleg
Code Issues Proposed changes

Add generate-pki command as deprecated

Browse Source 
In [0] the secrets generate-pki command was moved to secrets
generate certificates. While release notes were added, this change
impacts automation set up for users of Pegleg. This change adds
back the generate-pki command but marks it as deprecated.

[0] https://review.opendev.org/#/c/694810/

Change-Id: I6a3841e5f5313511ec2afd8340bcae5857cd81fa
This commit is contained in:
Alexander Hughes 2019-12-06 10:13:22 -06:00 committed by Alexander Hughes
parent 2e0e9eab8c
commit 1a1c31b5a7
2 changed files with 117 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
doc/source/cli/cli.rst
View File

@ -484,6 +484,72 @@ level operations for secrets documents of a site.
./pegleg.sh site -r <site_repo> -e <extra_repo> secrets <command> <options> ./pegleg.sh site -r <site_repo> -e <extra_repo> secrets <command> <options>
Generate PKI (deprecated)
^^^^^^^^^^^^^^^^^^^^^^^^^
Generate certificates and keys according to all PKICatalog documents in the
site using the :ref:`pki` module. The default behavior is to generate all
certificates that are not yet present. For example, the first time generate PKI
is run or when new entries are added to the PKICatalogue, only those new
entries will be generated on subsequent runs.
Pegleg also supports a full regeneration of all certificates at any time, by
using the --regenerate-all flag.
Pegleg places generated document files in ``<site>/secrets/passphrases``,
``<site>/secrets/certificates``, or ``<site>/secrets/keypairs`` as
appropriate:
* The generated filenames for passphrases will follow the pattern
:file:`<passphrase-doc-name>.yaml`.
* The generated filenames for certificate authorities will follow the pattern
:file:`<ca-name>_ca.yaml`.
* The generated filenames for certificates will follow the pattern
:file:`<ca-name>_<certificate-doc-name>_certificate.yaml`.
* The generated filenames for certificate keys will follow the pattern
:file:`<ca-name>_<certificate-doc-name>_key.yaml`.
* The generated filenames for keypairs will follow the pattern
:file:`<keypair-doc-name>.yaml`.
Dashes in the document names will be converted to underscores for consistency.
**site_name** (Required).
Name of site.
**-a / --author** (Optional).
Identifying name of the author generating new certificates. Used for tracking
provenance information in the PeglegManagedDocuments. An attempt is made to
automatically determine this value, but should be provided.
**-d / --days** (Optional, Default=365).
Duration (in days) certificates should be valid.
Minimum=0, no maximum. Values less than 0 will raise an exception.
NOTE: A generated certificate where days = 0 should only be used for testing.
A certificate generated in such a way will be valid for 0 seconds.
**--regenerate-all** (Optional, Default=False).
Force Pegleg to regenerate all PKI items.
Examples
""""""""
::
./pegleg.sh site -r <site_repo> -e <extra_repo> \
secrets generate-pki \
<site_name> \
-a <author> \
-d <days> \
--regenerate-all
.. _command-line-repository-overrides:
Check PKI Certs Check PKI Certs
--------------- ---------------

51
pegleg/cli.py
View File

@ -15,6 +15,7 @@
import functools import functools
import logging import logging
import os import os
import warnings
import click import click
@ -430,6 +431,56 @@ def secrets():
pass pass
@secrets.command(
'generate-pki',
short_help='[DEPRECATED - Use secrets generate certificates] \n'
'Generate certs and keys according to the site PKICatalog',
help='[DEPRECATED - Use secrets generate certificates]\n'
'Generate certificates and keys according to all PKICatalog '
'documents in the site using the PKI module. The default behavior is '
'to generate all certificates that are not yet present. For example, '
'the first time generate PKI is run or when new entries are added '
'to the PKICatalogue, only those new entries will be generated on '
'subsequent runs.')
@click.option(
'-a',
'--author',
'author',
help='Identifying name of the author generating new certificates. Used'
'for tracking provenance information in the PeglegManagedDocuments. '
'An attempt is made to automatically determine this value, '
'but should be provided.')
@click.option(
'-d',
'--days',
'days',
default=365,
show_default=True,
help='Duration in days generated certificates should be valid.')
@click.option(
'--regenerate-all',
'regenerate_all',
is_flag=True,
default=False,
show_default=True,
help='Force Pegleg to regenerate all PKI items.')
@click.argument('site_name')
def generate_pki_deprecated(site_name, author, days, regenerate_all):
"""Generate certificates, certificate authorities and keypairs for a given
site.
"""
warnings.warn(
"DEPRECATED - Use secrets generate certificates", DeprecationWarning)
engine.repository.process_repositories(site_name, overwrite_existing=True)
config.set_global_enc_keys(site_name)
pkigenerator = catalog.pki_generator.PKIGenerator(
site_name, author=author, duration=days, regenerate_all=regenerate_all)
output_paths = pkigenerator.generate()
click.echo("Generated PKI files written to:\n%s" % '\n'.join(output_paths))
@secrets.command( @secrets.command(
'wrap', 'wrap',
help='Wrap bare files (e.g. pem or crt) in a PeglegManagedDocument ' help='Wrap bare files (e.g. pem or crt) in a PeglegManagedDocument '