# README
Choria Security Providers
This package provides a unified interface to PKI systems that all the Choria ecosystem projects can use, so that they present a consistent UI / UX around keys and certificates.
## Providers

At present there are only two providers, `file` and `puppet`. In future we intend to support a Choria-specific CA and others such as Vault, and perhaps the CAs provided by the public clouds.
| Provider | Description |
|---|---|
| Puppet | Understands the structure of SSL files maintained by `puppet agent`; supports enrolling into a Puppet CA |
| File | Accepts a fully manual configuration with paths to all the needed files; does not support enrollment |
## CLI

You can do arbitrary enrollments using the CLI provided here:

```
$ pki-enroll --help
usage: pki-enroll [<flags>] <identity>

Enrolls with various PKI systems using the Choria framework

Flags:
  --help                     Show context-sensitive help (also try --help-long and --help-man).
  --version                  Show application version.
  --scheme=puppet            Provider to enroll with, only support 'puppet'
  --wait=30m                 How long to wait for the certificate to be signed
  --puppet-ssldir=PATH       The directory to write the Puppet compatible SSL structure
  --puppet-ca="puppet:8140"  PuppetCA in host:port format
  --verbose                  Verbose logging

Args:
  <identity>  Identity to enroll as
```
Enrolling into a Puppet CA entails the following:

- Create a private key
- Create a CSR
- Download the CA certificate
- Submit the CSR
- Repeatedly attempt to download the signed certificate until someone issues `puppet cert sign` on the CA
Here we use the `pki-enroll` command to perform this task, with the resulting SSL tree created in `/tmp/ssl`:

```
$ pki-enroll bob --puppet-ssldir /tmp/ssl
Attempting to download certificate for bob, try 1.
Attempting to download certificate for bob, try 2.
Attempting to download certificate for bob, try 3.
```
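The five steps above, as an added example written for this README rather than code taken from the go-security project: a small Go client that generates the key and CSR, fetches the CA certificate, submits the CSR and polls for the signed certificate, printing the same "try N" lines as `pki-enroll`. It also makes explicit the check a client should perform before trusting what comes back: the signed certificate must chain to the CA certificate downloaded in step 3 and must carry the public half of the key generated in step 1, otherwise a CA (or anyone between us and it) handing back someone else's certificate would be accepted. The `Enroller` type, its `fetchCert` and `Enroll` methods and the `CAURL` form are assumptions for this example; the endpoint paths are the Puppet CA v1 HTTP API paths as assumed here and should be checked against your Puppet Server version. Writing the results into the Puppet ssldir layout is left to the caller.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io"
	"log"
	"net/http"
	"os"
	"time"
)

// Enroller walks the enrolment steps against a Puppet CA over its HTTP API (paths assumed here).
type Enroller struct {
	Identity string
	CAURL    string       // assumed form, e.g. https://puppet:8140
	Client   *http.Client // for a real CA this must trust the server's TLS certificate
}

// fetchCert GETs a PEM certificate; a non-200 (404 while the CSR awaits "puppet cert sign") yields nil, nil.
func (e *Enroller) fetchCert(path string) (*x509.Certificate, error) {
	resp, err := e.Client.Get(e.CAURL + path)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		return nil, nil
	}
	if blk, _ := pem.Decode(body); blk != nil {
		return x509.ParseCertificate(blk.Bytes)
	}
	return nil, fmt.Errorf("%s: response is not PEM", path)
}

// Enroll returns the new private key, the CA certificate and the signed certificate (storing them is left to the caller).
func (e *Enroller) Enroll(timeout, every time.Duration) (*rsa.PrivateKey, *x509.Certificate, *x509.Certificate, error) {
	// Steps 1 and 2: a fresh key and a CSR whose CN is the identity we enrol as.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: e.Identity}}, key)
	if err != nil {
		return nil, nil, nil, err
	}
	// Step 3: the CA certificate, which is the trust anchor used in step 5.
	ca, err := e.fetchCert("/puppet-ca/v1/certificate/ca")
	if err != nil || ca == nil {
		return nil, nil, nil, fmt.Errorf("ca download failed: %v", err)
	}
	// Step 4: submit the CSR; Puppet takes a PUT whose text/plain body is the PEM.
	body := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csr})
	req, _ := http.NewRequest(http.MethodPut, e.CAURL+"/puppet-ca/v1/certificate_request/"+e.Identity, bytes.NewReader(body))
	req.Header.Set("Content-Type", "text/plain")
	resp, err := e.Client.Do(req)
	if err != nil {
		return nil, nil, nil, err
	}
	resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return nil, nil, nil, fmt.Errorf("csr submit failed: status %d", resp.StatusCode)
	}
	// Step 5: poll until signed, then check the result before trusting it. It must chain
	// to the CA from step 3 and carry the public half of our key, so a swapped cert fails.
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	for try, deadline := 1, time.Now().Add(timeout); ; try++ {
		cert, err := e.fetchCert("/puppet-ca/v1/certificate/" + e.Identity)
		if err != nil {
			return nil, nil, nil, err
		}
		if cert != nil {
			if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
				return nil, nil, nil, fmt.Errorf("signed cert does not chain to the downloaded CA: %w", err)
			}
			if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || !pub.Equal(&key.PublicKey) {
				return nil, nil, nil, fmt.Errorf("signed cert is not for the key we generated")
			}
			return key, ca, cert, nil
		}
		if time.Now().After(deadline) {
			return nil, nil, nil, fmt.Errorf("certificate for %s not signed after %d tries", e.Identity, try)
		}
		fmt.Printf("Attempting to download certificate for %s, try %d.\n", e.Identity, try)
		time.Sleep(every)
	}
}

func main() { // stand-alone use: go run . <identity> <https://puppet:8140>
	e := &Enroller{Identity: os.Args[1], CAURL: os.Args[2], Client: http.DefaultClient}
	if _, _, _, err := e.Enroll(30*time.Minute, 10*time.Second); err != nil {
		log.Fatalln(err)
	}
}
```

Two things a real deployment has to add on top of this. The client must speak TLS to the Puppet server and trust its certificate, and step 3 is the trust-on-first-use moment of the whole procedure: everything later is verified against whatever CA certificate that download returned, so compare its fingerprint with a value obtained out of band before relying on any certificate that chains to it.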
# Packages
Package `filesec` provides a manually configurable security provider. It lets you set every parameter, such as key and certificate paths, by hand without making any assumptions about your system. It does not support any enrollment.
Package `puppetsec` provides a Puppet-compatible security provider. It supports enrolling into a Puppet CA by creating a key and CSR, sending the CSR to the Puppet CA, waiting for it to be signed, and downloading the certificate once it has been.
# Interfaces
`Provider` is the interface a security plugin implements for the Choria subsystem.