Felipe Monteiro
2a8d2638b3
pki: Port Promenade's PKI catalog into Pegleg
This patch set implements the PKICatalog [0] requirements
as well as PeglegManagedDocument [1] generation requirements
outlined in the spec [2].
Included in this patch set:
* New CLI entry point called "pegleg site secrets generate-pki"
* PeglegManagedDocument generation logic in
engine.cache.managed_document
* Refactored PKICatalog logic in engine.cache.pki_catalog derived
from the Promenade PKI implementation [3], responsible for
generating certificates, CAs, and keypairs
* Refactored PKIGenerator logic in engine.cache.pki_generator
derived from Promenade Generator implementation [4],
responsible for reading in pegleg/PKICatalog/v1 documents (as
well as promenade/PKICatalog/v1 documents for backwards
compatibility) and generating required secrets and storing
them into the paths specified under [0]
* Unit tests for all of the above [5]
* Example pki-catalog.yaml document under pegleg/site_yamls
* Validation schema for pki-catalog.yaml (TODO: implement
validation logic here: [6])
* Updates to CLI documentation and inclusion of PKICatalog
and PeglegManagedDocument documentation
* Documentation updates with PKI information [7]
TODO (in follow-up patch sets):
* Expand on overview documentation to include new Pegleg
responsibilities
* Allow the original repository (not the copied one) to
be the destination where the secrets are written to
* Finish up cert expiry/revocation logic
[0] https://airship-specs.readthedocs.io/en/latest/specs/approved/pegleg-secrets.html#document-generation
[1] https://airship-specs.readthedocs.io/en/latest/specs/approved/pegleg-secrets.html#peglegmanageddocument
[2] https://airship-specs.readthedocs.io/en/latest/specs/approved/pegleg-secrets.html
[3] https://github.com/openstack/airship-promenade/blob/master/promenade/pki.py
[4] https://github.com/openstack/airship-promenade/blob/master/promenade/generator.py
[5] https://review.openstack.org/#/c/611739/
[6] https://review.openstack.org/#/c/608159/
[7] https://review.openstack.org/#/c/611738/
Change-Id: I3010d04cac6d22c656d144f0dafeaa5e19a13068
2019-01-15 13:29:21 -06:00
Felipe Monteiro
f8d79e119c
Only collect/parse Deckhand-formatted documents for processing
This patch set changes Pegleg in two similar ways:
1) Ignore certain types of files altogether:
- those located in hidden folders
- those prefixed with "." (files like .zuul.yaml)
2) Only read Deckhand-formatted documents for lint/collect/etc.
commands as Pegleg need not consider other types of documents
(it separately reads the site-definition.yaml for internal
processing still).
The tools/ subfolder is also ignored as it can contain
.yaml files which are not Deckhand-formatted documents,
so need not be processed by pegleg.engine.
Change-Id: I8996b5d430cf893122af648ef8e5805b36c1bfd9
2018-11-08 20:07:03 -05:00
Ahmad Mahmoudi
fb8e6f73ac
Update decrypt secrets to return a list of docs
1. Added the method to decrypt a secret file and return its contents
as a list of documents (instead of printing out the file content).
2. Added clarifications for the encrypt and decrypt commands.
Change-Id: I77bce21be214c880c8413f5e6a2d0c2d1993fc8e
2018-11-06 00:22:10 -06:00
Ahmad Mahmoudi
eb0deeb9e5
Pegleg encryption of site secrets
Added secret encryption/decryption to pegleg cli.
Change-Id: I95b993748d99fc4398eee1d1c59e74f382497f74
2018-10-30 16:53:51 +00:00