66 lines
2.6 KiB
Python
66 lines
2.6 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
# implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
import argparse
|
|
import textwrap
|
|
|
|
from os_cloud_config.cmd.utils import environment
|
|
from os_cloud_config import keystone_pki
|
|
|
|
|
|
def parse_args():
|
|
description = textwrap.dedent("""
|
|
Generate 4 files inside <directory> for use with Keystone PKI
|
|
token signing:
|
|
|
|
ca_key.pem - certificate authority key
|
|
ca_cert.pem - self-signed certificate authority certificate
|
|
signing_key.pem - key for signing tokens
|
|
signing_cert.pem - certificate for verifying token validity, the
|
|
certificate itself is verifiable by ca_cert.pem
|
|
|
|
Alternatively write generated key/certs into <heatenv> JSON file
|
|
or into an os-apply-config metadata file for use without Heat.
|
|
|
|
ca_key.pem doesn't have to (shouldn't) be uploaded to Keystone nodes.
|
|
""")
|
|
|
|
parser = argparse.ArgumentParser(
|
|
description=description,
|
|
formatter_class=argparse.RawDescriptionHelpFormatter,
|
|
)
|
|
group = parser.add_mutually_exclusive_group(required=True)
|
|
group.add_argument('-d', '--directory', dest='directory',
|
|
help='directory where keys/certs will be generated')
|
|
group.add_argument('-j', '--heatenv', dest='heatenv',
|
|
help='write signing key/cert and CA cert into JSON '
|
|
'Heat environment file, CA key is omitted')
|
|
parser.add_argument('-s', '--seed', action='store_true',
|
|
help='JSON file for seed machine has different '
|
|
'structure (for seed machine we update directly '
|
|
'heat metadata file injected into image). '
|
|
'Different key/certs names and different '
|
|
'parent node are used (default: false)')
|
|
environment._add_logging_arguments(parser)
|
|
return parser.parse_args()
|
|
|
|
|
|
def main():
|
|
args = parse_args()
|
|
environment._configure_logging(args)
|
|
|
|
if args.heatenv:
|
|
keystone_pki.generate_certs_into_json(args.heatenv, args.seed)
|
|
else:
|
|
keystone_pki.create_and_write_ca_and_signing_pairs(args.directory)
|