Issue #5528 has been updated by Matt Robinson.
Branch set to
https://github.com/rcrowley/puppet/tree/feature/master/5528-certificates_signing_api
I just sat down with Luke to clarify the conflicting info in this ticket on
what the REST API should look like.
James' original proposal isn't feasible since it doesn't use the right verbs,
but the main idea of wanting to sign certificate requests is good.
Paul's wiki documentation differs from what has been partially implemented
mostly (from what I can see so far) in that the 'certificate_status' part of
the API is implemented as 'ssl_client'. Other than that it appears thorough
and a good guide.
Brief summary of that wiki with the ssl_client in place instead of
'certificate_status':
PUT /{environment}/ssl_client/name is to sign certificate requests
DELETE /{environment}/ssl_client/name is to clean certs and keys
GET /{environment}/ssl_clients/whatever is to search
GET /{environment}/ssl_client/name is to find name
The reason for not using the existing certificate_request REST API is that PUT
already saves cert requests; it does not sign them. Also security: separately
authorizing uploading and downloading cert requests and authorizing certs. This
is said somewhat differently in the "Design" section of the wiki page.
Another difference from Paul's proposal that Luke and I discussed is that
currently the PUT/save portion of the API is handled by having the 'state'
(revoke, sign) embedded in the serialized object that is uploaded. Paul's
proposal was for this 'state' to come from JSON in the HTTP that specified the
state. Luke was fine having both or either supported; it was just done the way
it is now because it was easier in the code.
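
The separation described above (uploading a certificate request versus signing it), as an added example; this is not Puppet's code and not part of the ticket. The ACL contents, the certname `ca-admin.example.com` and the helper names `parse_request` and `authorized?` are assumptions made for illustration.

```ruby
# Added illustration, not Puppet code. ACL entries and certnames are constructed.
VERB_TO_METHOD = { 'GET' => :find, 'PUT' => :save, 'DELETE' => :destroy }.freeze

# Hypothetical policy: who may call which method on which indirection.
# :any = any client, including a node that has no signed certificate yet.
ACL = {
  'certificate_request' => { find: :any, save: :any },
  'ssl_client'          => { find:    ['ca-admin.example.com'],
                             search:  ['ca-admin.example.com'],
                             save:    ['ca-admin.example.com'],
                             destroy: ['ca-admin.example.com'] }
}.freeze

# Parse "/{environment}/{indirection}/{key}" into a request description.
# A plural indirection on GET ("ssl_clients") means search, as in the summary.
def parse_request(verb, path)
  env, indirection, key = path.sub(%r{\A/}, '').split('/', 3)
  method = VERB_TO_METHOD[verb]
  return nil if method.nil? || [env, indirection, key].any? { |p| p.to_s.empty? }
  if indirection.end_with?('s') && ACL.key?(indirection.chomp('s'))
    return nil unless verb == 'GET' # plural form is search-only
    indirection = indirection.chomp('s')
    method = :search
  end
  { environment: env, indirection: indirection, method: method, key: key }
end

# Default deny: unknown indirection, unknown method or unlisted caller => false.
def authorized?(verb, path, client_certname)
  req = parse_request(verb, path)
  return false if req.nil?
  allowed = ACL.dig(req[:indirection], req[:method])
  return false if allowed.nil?
  allowed == :any || allowed.include?(client_certname)
end
```

With this policy a node can PUT its own certificate request without being able to PUT to `ssl_client`, so uploading a request never implies the right to sign it.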
----------------------------------------
Feature #5528: API call to sign, clean or generate certificate request
https://projects.puppetlabs.com/issues/5528
Author: James Turnbull
Status: Accepted
Priority: High
Assignee:
Category: API
Target version: Statler
Affected Puppet version:
Keywords: API certificate SSL generate clean sign
Branch:
https://github.com/rcrowley/puppet/tree/feature/master/5528-certificates_signing_api
Proposal from James:
SIGN
<pre>
Certificate Request
PUT /{environment}/certificate_requests/sign/{anything}
PUT /{environment}/certificate_request/sign/{node certificate name}
curl -k -H "Accept: yaml" https://puppetmaster:8140/production/certificate_requests/sign/all
curl -k -H "Accept: yaml" https://puppetmaster:8140/production/certificate_request/sign/puppetclient
</pre>
CLEAN
<pre>
Certificate Request
PUT /{environment}/certificate_requests/clean/{anything}
PUT /{environment}/certificate_request/clean/{node certificate name}
curl -k -H "Accept: yaml" https://puppetmaster:8140/production/certificate_requests/clean/all
curl -k -H "Accept: yaml" https://puppetmaster:8140/production/certificate_request/clean/puppetclient
</pre>
GENERATE
<pre>
Certificate Request
GET /{environment}/certificate_request/generate/{node certificate name}
curl -k -H "Accept: yaml" https://puppetmaster:8140/production/certificate_request/generate/puppetclient
</pre>