Updated schemas with new metadata section

- added a new metadata section to more closely emulate Kubernetes manifests - renamed kv_backend to kv_engine - enabled static analysis and security scans in CI - bumped the version to 0.2.0 - pinned pipenv in Dockerfile to avoid regression in new release, see: pypa/pipenv#3239
bincyber · Nov 16, 2018 · 708d0d3 · 708d0d3
1 parent 16e9e80
commit 708d0d3
Show file tree

Hide file tree

Showing 22 changed files with 303 additions and 179 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -29,7 +29,7 @@ jobs:
             pipenv run make lint
 
       - run:
-          name: Lint the examples manifests
+          name: Lint the example manifests
           command: |
             pipenv run make yaml-lint
 
@@ -45,6 +45,16 @@ jobs:
             sudo .circleci/setup-e2e.sh
             pipenv run make e2e-test
 
+      - run:
+          name: Run static analysis with mypy
+          command: |
+            pipenv run make static-analysis
+
+      - run:
+          name: Scan the codebase for security issues with bandit
+          command: |
+            pipenv run make scan
+
   build:
     working_directory: ~/repo
     docker:

diff --git a/Dockerfile b/Dockerfile
@@ -4,7 +4,7 @@ FROM python:3.6-slim
 
 COPY Pipfile* /
 
-RUN set -ex && pip install pipenv --no-cache-dir --disable-pip-version-check \
+RUN set -ex && pip install pipenv==2018.10.13 --no-cache-dir --disable-pip-version-check \
     && pipenv --python 3.6 lock -r > requirements.txt
 
 # -----------------------------------------------------------------------------------------

diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
 # pkictl
 
 [![Python](https://img.shields.io/badge/Python-3.6+-blue.svg)](#)
-[![Version](https://img.shields.io/badge/version-0.1.2-green.svg)](#)
+[![Version](https://img.shields.io/badge/version-0.2.0-green.svg)](#)
 [![License](https://img.shields.io/badge/license-MPL-blue.svg)](https://www.gnu.org/licenses/agpl-3.0.en.html)
 [![Coverage Status](https://coveralls.io/repos/github/bincyber/pkictl/badge.svg?branch=master)](https://coveralls.io/github/bincyber/pkictl?branch=master)
 [![CircleCI](https://circleci.com/gh/bincyber/pkictl.svg?style=svg)](https://circleci.com/gh/bincyber/pkictl)
@@ -78,8 +78,9 @@ Create a [manifest file](docs/examples/manifest.yaml):
 
     ---
     kind: RootCA
-    name: demo-root-ca
-    description: pkictl demo Root CA
+    metadata:
+      name: demo-root-ca
+      description: pkictl demo Root CA
     spec:
       key_type: ec
       key_bits: 384
@@ -94,10 +95,11 @@ Create a [manifest file](docs/examples/manifest.yaml):
         province: California
     ---
     kind: IntermediateCA
-    name: demo-intermediate-ca
-    description: pkictl demo Intermediate CA
-    issuer: demo-root-ca
-    kv_backend: demo-kv-engine
+    metadata:
+      name: demo-intermediate-ca
+      description: pkictl demo Intermediate CA
+      issuer: demo-root-ca
+      kv_backend: demo-kv-engine
     spec:
       type: exported
       key_type: rsa
@@ -154,8 +156,9 @@ Create a [manifest file](docs/examples/manifest.yaml):
           }
     ---
     kind: KV
-    name: demo-kv-engine
-    description: pkictl demo KV v1 engine
+    metadata:
+      name: demo-kv-engine
+      description: pkictl demo KV v1 engine
     spec:
       options:
         version: 1

diff --git a/docs/Environment Variables.md b/docs/Environment Variables.md
@@ -3,6 +3,10 @@
 _pkictl_ supports a subset of the [environment variables](https://www.vaultproject.io/docs/commands/#environment-variables) that the Vault CLI does.
 
 The following environment variables are supported:
-* VAULT_TOKEN
 * VAULT_ADDR
+* VAULT_TOKEN
 * VAULT_SKIP_VERIFY
+
+If the `-u` flag or `VAULT_ADDR` is not specified, the address of the Vault server will be prompted for.
+
+If `VAULT_TOKEN` is not specified, it will be prompted for. The token cannot be supplied any other way.
diff --git a/docs/PKI as a Service.md b/docs/PKI as a Service.md
@@ -10,8 +10,9 @@ Create the YAML manifest file:
 
     ---
     kind: RootCA
-    name: root
-    description: PKI-as-a-Service Root CA
+    metadata:
+      name: root
+      description: PKI-as-a-Service Root CA
     spec:
       key_type: rsa
       key_bits: 4096
@@ -21,9 +22,10 @@ Create the YAML manifest file:
         common_name: Root CA
     ---
     kind: IntermediateCA
-    name: intermediate
-    description: PKI-as-a-Service Intermediate CA
-    issuer: root
+    metadata:
+      name: intermediate
+      description: PKI-as-a-Service Intermediate CA
+      issuer: root
     spec:
       type: internal
       key_type: rsa

diff --git a/docs/Provision PKI for Kubernetes.md b/docs/Provision PKI for Kubernetes.md
@@ -6,26 +6,31 @@ _pkictl_ can be used to simplify the process of provisioning the PKI for Kuberne
 
 ## Provision the Certificate Authorities
 
-This example is for provisioning a control plane which uses external etcd. Define the Certificate Authorities to provision in the YAML manifest file:
+This example is for provisioning a control plane which uses external etcd. Define the Certificate Authorities to provision in the YAML manifest [file](docs/examples/kubernetes.yaml):
+
+    $ vim kubernetes.yaml
 
     ---
     kind: KV
-    name: kv/kube-ca
-    description: exported PKI secrets for the Kubernetes CA
+    metadata:
+      name: kv/kube-ca
+      description: exported PKI secrets for the Kubernetes CA
     spec:
       options:
         version: 1
     ---
     kind: KV
-    name: kv/kube-fp-ca
-    description: exported PKI secrets for the Kubernetes Front Proxy CA
+    metadata:
+      name: kv/kube-fp-ca
+      description: exported PKI secrets for the Kubernetes Front Proxy CA
     spec:
       options:
         version: 1
     ---
     kind: RootCA
-    name: pki/kube-root-ca
-    description: Kubernetes Root CA
+    metadata:
+      name: pki/kube-root-ca
+      description: Kubernetes Root CA
     spec:
       key_type: rsa
       key_bits: 4096
@@ -35,9 +40,10 @@ This example is for provisioning a control plane which uses external etcd. Defin
         common_name: Kubernetes Root Certificate Authority
     ---
     kind: IntermediateCA
-    name: pki/etcd-ca
-    description: Intermediate CA for etcd
-    issuer: pki/root-ca
+    metadata:
+      name: pki/etcd-ca
+      description: Intermediate CA for etcd
+      issuer: pki/root-ca
     spec:
       type: internal
       key_type: rsa
@@ -96,10 +102,11 @@ This example is for provisioning a control plane which uses external etcd. Defin
           }
     ---
     kind: IntermediateCA
-    name: pki/kube-ca
-    description: Kubernetes CA
-    issuer: pki/kube-root-ca
-    kv_backend: kv/kube-ca
+    metadata:
+      name: pki/kube-ca
+      description: Kubernetes CA
+      issuer: pki/kube-root-ca
+      kv_backend: kv/kube-ca
     spec:
       type: exported
       key_type: rsa
@@ -115,10 +122,11 @@ This example is for provisioning a control plane which uses external etcd. Defin
           }
     ---
     kind: IntermediateCA
-    name: pki/kube-fp-ca
-    description: Kubernetes Front Proxy CA
-    issuer: pki/kube-root-ca
-    kv_backend: kv/kube-fp-ca
+    metadata:
+      name: pki/kube-fp-ca
+      description: Kubernetes Front Proxy CA
+      issuer: pki/kube-root-ca
+      kv_backend: kv/kube-fp-ca
     spec:
       type: exported
       key_type: rsa
@@ -149,6 +157,44 @@ This example is for provisioning a control plane which uses external etcd. Defin
             capabilities = ["read"]
           }
 
+
+    $ pkictl apply -f kubernetes.yaml
+
+    [*] pkictl - the Vault server has been initialized and is not sealed
+    [*] pkictl - Mounted KV secrets engine: kv/kube-ca
+    [*] pkictl - Mounted KV secrets engine: kv/kube-fp-ca
+    [*] pkictl - Mounted PKI secrets engine: pki/kube-root-ca
+    [*] pkictl - Generated Root CA: pki/kube-root-ca
+    [*] pkictl - Mounted PKI secrets engine: pki/kube-fp-ca
+    [*] pkictl - Created intermediate CA: pki/kube-fp-ca
+    [*] pkictl - Signed intermediate CA 'pki/kube-fp-ca' with issuing CA: pki/kube-root-ca
+    [*] pkictl - Set signed certificate for intermediate CA: pki/kube-fp-ca
+    [*] pkictl - Configured URLs for CA: pki/kube-fp-ca
+    [*] pkictl - Set CRL configuration for CA: pki/kube-fp-ca
+    [*] pkictl - Stored private key for 'pki/kube-fp-ca' in KV engine: kv/kube-fp-ca
+    [*] pkictl - Configured role 'client' for intermediate CA: pki/kube-fp-ca
+    [*] pkictl - Configured policy 'kv-kube-fp-ca-policy' for intermediate CA: pki/kube-fp-ca
+    [*] pkictl - Configured policy 'kube-fp-ca-client-policy' for intermediate CA: pki/kube-fp-ca
+    [*] pkictl - Mounted PKI secrets engine: pki/kube-ca
+    [*] pkictl - Created intermediate CA: pki/kube-ca
+    [*] pkictl - Signed intermediate CA 'pki/kube-ca' with issuing CA: pki/kube-root-ca
+    [*] pkictl - Set signed certificate for intermediate CA: pki/kube-ca
+    [*] pkictl - Configured URLs for CA: pki/kube-ca
+    [*] pkictl - Set CRL configuration for CA: pki/kube-ca
+    [*] pkictl - Stored private key for 'pki/kube-ca' in KV engine: kv/kube-ca
+    [*] pkictl - Configured policy 'kv-kube-ca-policy' for intermediate CA: pki/kube-ca
+    [*] pkictl - Mounted PKI secrets engine: pki/etcd-ca
+    [*] pkictl - Created intermediate CA: pki/etcd-ca
+    [*] pkictl - Signed intermediate CA 'pki/etcd-ca' with issuing CA: pki/kube-root-ca
+    [*] pkictl - Set signed certificate for intermediate CA: pki/etcd-ca
+    [*] pkictl - Configured URLs for CA: pki/etcd-ca
+    [*] pkictl - Set CRL configuration for CA: pki/etcd-ca
+    [*] pkictl - Configured role 'peer' for intermediate CA: pki/etcd-ca
+    [*] pkictl - Configured role 'server' for intermediate CA: pki/etcd-ca
+    [*] pkictl - Configured role 'client' for intermediate CA: pki/etcd-ca
+    [*] pkictl - Configured policy 'etcd-ca-server-policy' for intermediate CA: pki/etcd-ca
+    [*] pkictl - Configured policy 'etcd-ca-client-policy' for intermediate CA: pki/etcd-ca
+
 The above will create:
 - a Root CA for the Kubernetes cluster with a TTL of 10 years
 - an Intermediate CA for etcd with a TTL of 5 years

diff --git a/docs/examples/kubernetes.yaml b/docs/examples/kubernetes.yaml
@@ -1,21 +1,24 @@
 ---
 kind: KV
-name: kv/kube-ca
-description: exported PKI secrets for the Kubernetes CA
+metadata:
+  name: kv/kube-ca
+  description: exported PKI secrets for the Kubernetes CA
 spec:
   options:
     version: 1
 ---
 kind: KV
-name: kv/kube-fp-ca
-description: exported PKI secrets for the Kubernetes Front Proxy CA
+metadata:
+  name: kv/kube-fp-ca
+  description: exported PKI secrets for the Kubernetes Front Proxy CA
 spec:
   options:
     version: 1
 ---
 kind: RootCA
-name: pki/kube-root-ca
-description: Kubernetes Root CA
+metadata:
+  name: pki/kube-root-ca
+  description: Kubernetes Root CA
 spec:
   key_type: rsa
   key_bits: 4096
@@ -25,9 +28,10 @@ spec:
     common_name: Kubernetes Root Certificate Authority
 ---
 kind: IntermediateCA
-name: pki/etcd-ca
-description: Intermediate CA for etcd
-issuer: pki/kube-root-ca
+metadata:
+  name: pki/etcd-ca
+  description: Intermediate CA for etcd
+  issuer: pki/kube-root-ca
 spec:
   type: internal
   key_type: rsa
@@ -92,10 +96,11 @@ spec:
       }
 ---
 kind: IntermediateCA
-name: pki/kube-ca
-description: Kubernetes CA
-issuer: pki/kube-root-ca
-kv_backend: kv/kube-ca
+metadata:
+  name: pki/kube-ca
+  description: Kubernetes CA
+  issuer: pki/kube-root-ca
+  kv_engine: kv/kube-ca
 spec:
   type: exported
   key_type: rsa
@@ -117,10 +122,11 @@ spec:
       }
 ---
 kind: IntermediateCA
-name: pki/kube-fp-ca
-description: Kubernetes Front Proxy CA
-issuer: pki/kube-root-ca
-kv_backend: kv/kube-fp-ca
+metadata:
+  name: pki/kube-fp-ca
+  description: Kubernetes Front Proxy CA
+  issuer: pki/kube-root-ca
+  kv_engine: kv/kube-fp-ca
 spec:
   type: exported
   key_type: rsa

diff --git a/docs/examples/manifest.yaml b/docs/examples/manifest.yaml
@@ -1,7 +1,8 @@
 ---
 kind: RootCA
-name: demo-root-ca
-description: pkictl demo Root CA
+metadata:
+  name: demo-root-ca
+  description: pkictl demo Root CA
 spec:
   key_type: ec
   key_bits: 384
@@ -16,10 +17,11 @@ spec:
     province: California
 ---
 kind: IntermediateCA
-name: demo-intermediate-ca
-description: pkictl demo Intermediate CA
-issuer: demo-root-ca
-kv_backend: demo-kv-engine
+metadata:
+  name: demo-intermediate-ca
+  description: pkictl demo Intermediate CA
+  issuer: demo-root-ca
+  kv_engine: demo-kv-engine
 spec:
   type: exported
   key_type: rsa
@@ -76,8 +78,9 @@ spec:
       }
 ---
 kind: KV
-name: demo-kv-engine
-description: pkictl demo KV v1 engine
+metadata:
+  name: demo-kv-engine
+  description: pkictl demo KV v1 engine
 spec:
   options:
     version: 1
diff --git a/docs/examples/pki-as-a-service.yaml b/docs/examples/pki-as-a-service.yaml
@@ -1,7 +1,8 @@
 ---
 kind: RootCA
-name: root
-description: PKI-as-a-Service Root CA
+metadata:
+  name: root
+  description: PKI-as-a-Service Root CA
 spec:
   key_type: rsa
   key_bits: 4096
@@ -11,9 +12,10 @@ spec:
     common_name: Root CA
 ---
 kind: IntermediateCA
-name: intermediate
-description: PKI-as-a-Service Intermediate CA
-issuer: root
+metadata:
+  name: intermediate
+  description: PKI-as-a-Service Intermediate CA
+  issuer: root
 spec:
   type: internal
   key_type: rsa