diff --git a/doc/source/cli/cli.rst b/doc/source/cli/cli.rst index 8a6d22e4..0db4f17c 100644 --- a/doc/source/cli/cli.rst +++ b/doc/source/cli/cli.rst @@ -465,8 +465,8 @@ level operations for secrets documents of a site. .. note:: - For the CLI commands ``encrypt``, ``decrypt``, ``generate-pki``, and ``wrap`` - in the ``secrets`` command + For the CLI commands ``encrypt``, ``decrypt``, ``generate certificates`` + and ``wrap`` in the ``secrets`` command group, which encrypt or decrypt site secrets, two environment variables, ``PEGLEG_PASSPHRASE``, and ``PEGLEG_SALT``, are used to capture the master passphrase, and the salt needed for encryption and decryption of the @@ -484,72 +484,6 @@ level operations for secrets documents of a site. ./pegleg.sh site -r -e secrets -Generate PKI -^^^^^^^^^^^^ - -Generate certificates and keys according to all PKICatalog documents in the -site using the :ref:`pki` module. The default behavior is to generate all -certificates that are not yet present. For example, the first time generate PKI -is run or when new entries are added to the PKICatalogue, only those new -entries will be generated on subsequent runs. - -Pegleg also supports a full regeneration of all certificates at any time, by -using the --regenerate-all flag. - -Pegleg places generated document files in ``/secrets/passphrases``, -``/secrets/certificates``, or ``/secrets/keypairs`` as -appropriate: - -* The generated filenames for passphrases will follow the pattern - :file:`.yaml`. -* The generated filenames for certificate authorities will follow the pattern - :file:`_ca.yaml`. -* The generated filenames for certificates will follow the pattern - :file:`__certificate.yaml`. -* The generated filenames for certificate keys will follow the pattern - :file:`__key.yaml`. -* The generated filenames for keypairs will follow the pattern - :file:`.yaml`. - -Dashes in the document names will be converted to underscores for consistency. - -**site_name** (Required). - -Name of site. - -**-a / --author** (Optional). - -Identifying name of the author generating new certificates. Used for tracking -provenance information in the PeglegManagedDocuments. An attempt is made to -automatically determine this value, but should be provided. - -**-d / --days** (Optional, Default=365). - -Duration (in days) certificates should be valid. -Minimum=0, no maximum. Values less than 0 will raise an exception. - -NOTE: A generated certificate where days = 0 should only be used for testing. -A certificate generated in such a way will be valid for 0 seconds. - -**--regenerate-all** (Optional, Default=False). - -Force Pegleg to regenerate all PKI items. - -Examples -"""""""" - -:: - - ./pegleg.sh site -r -e \ - secrets generate-pki \ - \ - -a \ - -d \ - --regenerate-all - -.. _command-line-repository-overrides: - - Check PKI Certs --------------- @@ -856,6 +790,72 @@ secrets documents of a site. ./pegleg.sh site -r -e secrets generate + +certificates +^^^^^^^^^^^^ + +Generate certificates and keys according to all PKICatalog documents in the +site using the :ref:`pki` module. The default behavior is to generate all +certificates that are not yet present. For example, the first time generate PKI +is run or when new entries are added to the PKICatalogue, only those new +entries will be generated on subsequent runs. + +Pegleg also supports a full regeneration of all certificates at any time, by +using the --regenerate-all flag. + +Pegleg places generated document files in ``/secrets/passphrases``, +``/secrets/certificates``, or ``/secrets/keypairs`` as +appropriate: + +* The generated filenames for passphrases will follow the pattern + :file:`.yaml`. +* The generated filenames for certificate authorities will follow the pattern + :file:`_ca.yaml`. +* The generated filenames for certificates will follow the pattern + :file:`__certificate.yaml`. +* The generated filenames for certificate keys will follow the pattern + :file:`__key.yaml`. +* The generated filenames for keypairs will follow the pattern + :file:`.yaml`. + +Dashes in the document names will be converted to underscores for consistency. + +**site_name** (Required). + +Name of site. + +**-a / --author** (Optional). + +Identifying name of the author generating new certificates. Used for tracking +provenance information in the PeglegManagedDocuments. An attempt is made to +automatically determine this value, but should be provided. + +**-d / --days** (Optional, Default=365). + +Duration (in days) certificates should be valid. +Minimum=0, no maximum. Values less than 0 will raise an exception. + +NOTE: A generated certificate where days = 0 should only be used for testing. +A certificate generated in such a way will be valid for 0 seconds. + +**--regenerate-all** (Optional, Default=False). + +Force Pegleg to regenerate all PKI items. + +Examples +"""""""" + +:: + + ./pegleg.sh site -r -e \ + secrets generate certificates \ + \ + -a \ + -d \ + --regenerate-all + +.. _command-line-repository-overrides: + passphrases """"""""""" Generates, wraps and encrypts passphrase documents specified in the diff --git a/doc/source/pki/pki.rst b/doc/source/pki/pki.rst index 57beea48..7b7ffe71 100644 --- a/doc/source/pki/pki.rst +++ b/doc/source/pki/pki.rst @@ -20,9 +20,9 @@ Public Key Infrastructure (PKI) Catalog ======================================= Configuration for certificate and keypair generation in the cluster. The -``pegleg generate-certs`` command will read all ``PKICatalog`` documents and -either find pre-existing certificates/keys, or generate new ones based on the -given definition. +``pegleg secrets generate certificates`` command will read all ``PKICatalog`` +documents and either find pre-existing certificates/keys, or generate new ones +based on the given definition. Dependencies ------------ diff --git a/pegleg/cli.py b/pegleg/cli.py index 5312cabb..07c1299a 100644 --- a/pegleg/cli.py +++ b/pegleg/cli.py @@ -430,53 +430,6 @@ def secrets(): pass -@secrets.command( - 'generate-pki', - short_help='Generate certs and keys according to the site PKICatalog', - help='Generate certificates and keys according to all PKICatalog ' - 'documents in the site using the PKI module. The default behavior is ' - 'to generate all certificates that are not yet present. For example, ' - 'the first time generate PKI is run or when new entries are added ' - 'to the PKICatalogue, only those new entries will be generated on ' - 'subsequent runs.') -@click.option( - '-a', - '--author', - 'author', - help='Identifying name of the author generating new certificates. Used' - 'for tracking provenance information in the PeglegManagedDocuments. ' - 'An attempt is made to automatically determine this value, ' - 'but should be provided.') -@click.option( - '-d', - '--days', - 'days', - default=365, - show_default=True, - help='Duration in days generated certificates should be valid.') -@click.option( - '--regenerate-all', - 'regenerate_all', - is_flag=True, - default=False, - show_default=True, - help='Force Pegleg to regenerate all PKI items.') -@click.argument('site_name') -def generate_pki(site_name, author, days, regenerate_all): - """Generate certificates, certificate authorities and keypairs for a given - site. - - """ - - engine.repository.process_repositories(site_name, overwrite_existing=True) - config.set_global_enc_keys(site_name) - pkigenerator = catalog.pki_generator.PKIGenerator( - site_name, author=author, duration=days, regenerate_all=regenerate_all) - output_paths = pkigenerator.generate() - - click.echo("Generated PKI files written to:\n%s" % '\n'.join(output_paths)) - - @secrets.command( 'wrap', help='Wrap bare files (e.g. pem or crt) in a PeglegManagedDocument ' @@ -623,6 +576,53 @@ def generate(): pass +@generate.command( + 'certificates', + short_help='Generate certs and keys according to the site PKICatalog', + help='Generate certificates and keys according to all PKICatalog ' + 'documents in the site using the PKI module. The default behavior is ' + 'to generate all certificates that are not yet present. For example, ' + 'the first time generate PKI is run or when new entries are added ' + 'to the PKICatalogue, only those new entries will be generated on ' + 'subsequent runs.') +@click.option( + '-a', + '--author', + 'author', + help='Identifying name of the author generating new certificates. Used' + 'for tracking provenance information in the PeglegManagedDocuments. ' + 'An attempt is made to automatically determine this value, ' + 'but should be provided.') +@click.option( + '-d', + '--days', + 'days', + default=365, + show_default=True, + help='Duration in days generated certificates should be valid.') +@click.option( + '--regenerate-all', + 'regenerate_all', + is_flag=True, + default=False, + show_default=True, + help='Force Pegleg to regenerate all PKI items.') +@click.argument('site_name') +def generate_pki(site_name, author, days, regenerate_all): + """Generate certificates, certificate authorities and keypairs for a given + site. + + """ + + engine.repository.process_repositories(site_name, overwrite_existing=True) + config.set_global_enc_keys(site_name) + pkigenerator = catalog.pki_generator.PKIGenerator( + site_name, author=author, duration=days, regenerate_all=regenerate_all) + output_paths = pkigenerator.generate() + + click.echo("Generated PKI files written to:\n%s" % '\n'.join(output_paths)) + + @generate.command('passphrases', help='Command to generate site passphrases') @click.argument('site_name') @click.option( diff --git a/releasenotes/notes/move-generate-pki-under-generate-subcommand-92c36d6e2fde6e5a.yaml b/releasenotes/notes/move-generate-pki-under-generate-subcommand-92c36d6e2fde6e5a.yaml new file mode 100644 index 00000000..2f050c5b --- /dev/null +++ b/releasenotes/notes/move-generate-pki-under-generate-subcommand-92c36d6e2fde6e5a.yaml @@ -0,0 +1,4 @@ +--- +deprecations: + - | + Moved pegleg secrets generate-pki to pegleg secrets generate certificates. diff --git a/tests/unit/test_cli.py b/tests/unit/test_cli.py index 48d021fc..43699339 100644 --- a/tests/unit/test_cli.py +++ b/tests/unit/test_cli.py @@ -516,7 +516,7 @@ class TestSiteSecretsActions(BaseCLIActionTest): not pki_utility.PKIUtility.cfssl_exists(), reason='cfssl must be installed to execute these tests') def test_site_secrets_generate_pki_using_remote_repo_url(self): - """Validates ``generate-pki`` action using remote repo URL.""" + """Validates ``generate certificates`` action using remote repo URL.""" # Scenario: # # 1) Generate PKI using remote repo URL @@ -524,7 +524,7 @@ class TestSiteSecretsActions(BaseCLIActionTest): repo_url = 'https://opendev.org/airship/%s@%s' % ( self.repo_name, self.repo_rev) - secrets_opts = ['secrets', 'generate-pki', self.site_name] + secrets_opts = ['secrets', 'generate', 'certificates', self.site_name] result = self.runner.invoke(cli.site, ['-r', repo_url] + secrets_opts) self._validate_generate_pki_action(result) @@ -533,13 +533,13 @@ class TestSiteSecretsActions(BaseCLIActionTest): not pki_utility.PKIUtility.cfssl_exists(), reason='cfssl must be installed to execute these tests') def test_site_secrets_generate_pki_using_local_repo_path(self): - """Validates ``generate-pki`` action using local repo path.""" + """Validates ``generate certificates`` action using local repo path.""" # Scenario: # # 1) Generate PKI using local repo path repo_path = self.treasuremap_path - secrets_opts = ['secrets', 'generate-pki', self.site_name] + secrets_opts = ['secrets', 'generate', 'certificates', self.site_name] result = self.runner.invoke(cli.site, ['-r', repo_path] + secrets_opts) self._validate_generate_pki_action(result) @@ -553,7 +553,7 @@ class TestSiteSecretsActions(BaseCLIActionTest): "PEGLEG_SALT": "MySecretSalt1234567890][" }) def test_site_secrets_encrypt_and_decrypt_local_repo_path(self): - """Validates ``generate-pki`` action using local repo path.""" + """Validates ``generate certificates`` action using local repo path.""" # Scenario: # # 1) Encrypt a file in a local repo @@ -604,7 +604,7 @@ class TestSiteSecretsActions(BaseCLIActionTest): "PEGLEG_SALT": "123456" }) def test_site_secrets_wrap(self): - """Validates ``generate-pki`` action using local repo path.""" + """Validates ``generate certificates`` action using local repo path.""" # Scenario: # # 1) Encrypt a file in a local repo