docs: Document signature endpoints and openpgp flags/vars

.gitignore

@@ -27,6 +27,4 @@ _testmain.go
 *.prof
 
 bin/
-coverage/
-Godeps/_workspace/src/github.com/coreos/coreos-baremetal
 assets/

Documentation/api.md

@@ -146,6 +146,47 @@ Get a `Spec` definition by id (UUID, MAC).
 }
 ```
 
+## Signatures
+
+The OpenPGP signature endpoints exist for each config API endpoint. Add the suffix `.sig` to receive the ASCII armored signature of the HTTP response from the config API endpoint.
+
+* `http://bootcfg.example.com/boot.ipxe`
+* `http://bootcfg.example.com/boot.ipxe.0.sig`
+* `http://bootcfg.example.com/ipxe.sig`
+* `http://bootcfg.example.com/pixiecore/v1/boot.sig/:MAC`
+* `http://bootcfg.example.com/cloud.sig`
+* `http://bootcfg.example.com/ignition.sig`
+
+For example, each HTTP API endpoint like the following:
+
+    GET http://bootcfg.example.com/ipxe?attribute=value
+
+**Response**
+
+    #!ipxe
+    kernel /assets/coreos/835.9.0/coreos_production_pxe.vmlinuz cloud-config-url=http://172.17.0.2:8080/cloud?uuid=${uuid}&mac=${net0/mac:hexhyp} coreos.autologin
+    initrd  /assets/coreos/835.9.0/coreos_production_pxe_image.cpio.gz
+    boot
+
+Provides a sibling OpenPGP signature endpoint.
+
+    GET http://bootcfg.example.com/ipxe.sig?attribute=value
+
+**Response**
+
+```
+-----BEGIN PGP SIGNATURE-----
+
+wsBcBAEBCAAQBQJWoDHyCRCzUpbPLRRcKAAAqQ8IAGD+eC9kzc/U7h9tgwvvWwm9
+suTmVSGlzC5RwTRXg6CKuW31m3WAin2b5zWRPa7MxxanYMhhBbOfrqg/4xi1tfdE
+w7ipmmgftl3re0np75Jt9K1rwGXUHTCs3yooz/zvqSvNSobG13FL5tp+Jl7a22wE
++W7x9BukTytVgNLt3IDIxsJ/rAEYUm4zySftooDbFVKj/SK5w8xg4zLmE6Jxz6wp
+eaMlL1TEXy3NaFR0+hgbqM/tgeV2j6pmho8yaPF63iPnksH+gdmPiwasCfpSaJyr
+NO+p24BL3PHZyKw0nsrm275C913OxEVgnNZX7TQltaweW23Cd1YBNjcfb3zv+Zo=
+=mqZK
+-----END PGP SIGNATURE-----
+```
+
 ## Assets
 
 If you need to host static assets (e.g. kernel, initrd) within your network, bootcfg server's `/assets/` route serves free-form static assets. Set the `-assets-path` when starting the bootcfg server. Here is an example:

Documentation/config.md

@@ -9,6 +9,8 @@
 | -config | BOOTCFG_CONFIG | ./data/config.yaml |
 | -data-path | BOOTCFG_DATA_PATH | ./data |
 | -assets-path | BOOTCFG_ASSETS_PATH | ./assets |
+| -key-ring-path | BOOTCFG_KEY_RING_PATH | ~/.secrets/vault/bootcfg/secring.gpg |
+| Disallowed | BOOTCFG_PASSPHRASE | secret passphrase |
 | -log-level | BOOTCFG_LOG_LEVEL | critical, error, warning, notice, info, debug |
 
 ## Examples
@@ -17,6 +19,11 @@ Binary
 
     ./run -address=0.0.0.0:8080 -data-path=./examples/dev -config=./examples/dev/config.yaml -assets-path=./assets -log-level=debug
 
+Binary with Signature Endpoints Enabled
+
+    BOOTCFG_PASSPHRASE=phrase
+    ./run -address=0.0.0.0:8080 -data-path=./examples/dev -config=./examples/dev/config.yaml -assets-path=./assets -key-ring-path path/to/ring/secring.gpg -log-level=debug
+
 Container
 
     docker run -p 8080:8080 --name=bootcfg --rm -v $PWD/examples/dev:/data:Z -v $PWD/assets:/assets:Z coreos/bootcfg:latest -address=0.0.0.0:8080 -data-path=./data -config=./data/config.yaml -assets-path=./assets -log-level=debug

cmd/bootcfg/main.go

@@ -110,7 +110,7 @@ func main() {
 		Signer:     signer,
 	}
 	server := api.NewServer(config)
-	log.Infof("starting bootcfg API Server on %s", flags.address)
+	log.Infof("starting config server on %s", flags.address)
 	err = http.ListenAndServe(flags.address, server.HTTPHandler())
 	if err != nil {
 		log.Fatalf("failed to start listening: %s", err)

scripts/get-coreos

@@ -1,6 +1,6 @@
 #!/bin/bash -e
-# USAGE: ./get-coreos
-# USAGE: ./get-coreos beta 877.1.0
+# USAGE: ./scripts/get-coreos
+# USAGE: ./scripts/get-coreos beta 877.1.0
 
 CHANNEL=${1:-"stable"}
 VERSION=${2:-"835.9.0"}