From a184e4386822f1d63e2886a7655a00cdadf598d3 Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Wed, 20 Jan 2016 17:31:25 -0800
Subject: [PATCH] docs: Document signature endpoints and openpgp flags/vars

---
 .gitignore | 2 --
 Documentation/api.md | 41 +++++++++++++++++++++++++++++++++++++++++
 Documentation/config.md | 7 +++++++
 cmd/bootcfg/main.go | 2 +-
 scripts/get-coreos | 4 ++--
 5 files changed, 51 insertions(+), 5 deletions(-)

diff --git a/.gitignore b/.gitignore
index 5a121101..96410f4d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,6 +27,4 @@ _testmain.go
 *.prof
 bin/
-coverage/
-Godeps/_workspace/src/github.com/coreos/coreos-baremetal
 assets/
\ No newline at end of file
diff --git a/Documentation/api.md b/Documentation/api.md
index 7b97f715..0a2414d3 100644
--- a/Documentation/api.md
+++ b/Documentation/api.md
@@ -146,6 +146,47 @@ Get a `Spec` definition by id (UUID, MAC).
 }
 ```
+## Signatures
+
+The OpenPGP signature endpoints exist for each config API endpoint. Add the suffix `.sig` to receive the ASCII armored signature of the HTTP response from the config API endpoint.
+
+* `http://bootcfg.example.com/boot.ipxe`
+* `http://bootcfg.example.com/boot.ipxe.0.sig`
+* `http://bootcfg.example.com/ipxe.sig`
+* `http://bootcfg.example.com/pixiecore/v1/boot.sig/:MAC`
+* `http://bootcfg.example.com/cloud.sig`
+* `http://bootcfg.example.com/ignition.sig`
+
+For example, each HTTP API endpoint like the following:
+
+ GET http://bootcfg.example.com/ipxe?attribute=value
+
+**Response**
+
+ #!ipxe
+ kernel /assets/coreos/835.9.0/coreos_production_pxe.vmlinuz cloud-config-url=http://172.17.0.2:8080/cloud?uuid=${uuid}&mac=${net0/mac:hexhyp} coreos.autologin
+ initrd /assets/coreos/835.9.0/coreos_production_pxe_image.cpio.gz
+ boot
+
+Provides a sibling OpenPGP signature endpoint.
+
+ GET http://bootcfg.example.com/ipxe.sig?attribute=value
+
+**Response**
+
+```
+-----BEGIN PGP SIGNATURE-----
+
+wsBcBAEBCAAQBQJWoDHyCRCzUpbPLRRcKAAAqQ8IAGD+eC9kzc/U7h9tgwvvWwm9
+suTmVSGlzC5RwTRXg6CKuW31m3WAin2b5zWRPa7MxxanYMhhBbOfrqg/4xi1tfdE
+w7ipmmgftl3re0np75Jt9K1rwGXUHTCs3yooz/zvqSvNSobG13FL5tp+Jl7a22wE
++W7x9BukTytVgNLt3IDIxsJ/rAEYUm4zySftooDbFVKj/SK5w8xg4zLmE6Jxz6wp
+eaMlL1TEXy3NaFR0+hgbqM/tgeV2j6pmho8yaPF63iPnksH+gdmPiwasCfpSaJyr
+NO+p24BL3PHZyKw0nsrm275C913OxEVgnNZX7TQltaweW23Cd1YBNjcfb3zv+Zo=
+=mqZK
+-----END PGP SIGNATURE-----
+```
+
 ## Assets
 If you need to host static assets (e.g. kernel, initrd) within your network, bootcfg server's `/assets/` route serves free-form static assets. Set the `-assets-path` when starting the bootcfg server. Here is an example:
diff --git a/Documentation/config.md b/Documentation/config.md
index 76856766..ca49ff56 100644
--- a/Documentation/config.md
+++ b/Documentation/config.md
@@ -9,6 +9,8 @@
 | -config | BOOTCFG_CONFIG | ./data/config.yaml |
 | -data-path | BOOTCFG_DATA_PATH | ./data |
 | -assets-path | BOOTCFG_ASSETS_PATH | ./assets |
+| -key-ring-path | BOOTCFG_KEY_RING_PATH | ~/.secrets/vault/bootcfg/secring.gpg |
+| Disallowed | BOOTCFG_PASSPHRASE | secret passphrase |
 | -log-level | BOOTCFG_LOG_LEVEL | critical, error, warning, notice, info, debug |
 ## Examples
@@ -17,6 +19,11 @@ Binary
 ./run -address=0.0.0.0:8080 -data-path=./examples/dev -config=./examples/dev/config.yaml -assets-path=./assets -log-level=debug
+Binary with Signature Endpoints Enabled
+
+ BOOTCFG_PASSPHRASE=phrase
+ ./run -address=0.0.0.0:8080 -data-path=./examples/dev -config=./examples/dev/config.yaml -assets-path=./assets -key-ring-path path/to/ring/secring.gpg -log-level=debug
+
 Container
 docker run -p 8080:8080 --name=bootcfg --rm -v $PWD/examples/dev:/data:Z -v $PWD/assets:/assets:Z coreos/bootcfg:latest -address=0.0.0.0:8080 -data-path=./data -config=./data/config.yaml -assets-path=./assets -log-level=debug
diff --git a/cmd/bootcfg/main.go b/cmd/bootcfg/main.go
index 80e346cc..8ff1c46e 100644
--- a/cmd/bootcfg/main.go
+++ b/cmd/bootcfg/main.go
@@ -110,7 +110,7 @@ func main() {
 Signer: signer,
 }
 server := api.NewServer(config)
- log.Infof("starting bootcfg API Server on %s", flags.address)
+ log.Infof("starting config server on %s", flags.address)
 err = http.ListenAndServe(flags.address, server.HTTPHandler())
 if err != nil {
 log.Fatalf("failed to start listening: %s", err)
diff --git a/scripts/get-coreos b/scripts/get-coreos
index b1c14734..8339c105 100755
--- a/scripts/get-coreos
+++ b/scripts/get-coreos
@@ -1,6 +1,6 @@
 #!/bin/bash -e
-# USAGE: ./get-coreos
-# USAGE: ./get-coreos beta 877.1.0
+# USAGE: ./scripts/get-coreos
+# USAGE: ./scripts/get-coreos beta 877.1.0
 CHANNEL=${1:-"stable"}
 VERSION=${2:-"835.9.0"}
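Review bot: The line right after the reworded log message still starts the listener with `http.ListenAndServe(flags.address, server.HTTPHandler())`, which uses a default `http.Server` with no read or write timeouts, so a slow or stalled client can hold a connection open indefinitely on a server that now also performs signing (the `Signer` field a few lines up). An explicit server bounds that, e.g. `srv := &http.Server{Addr: flags.address, Handler: server.HTTPHandler(), ReadTimeout: 10 * time.Second, WriteTimeout: 30 * time.Second}` followed by `err = srv.ListenAndServe()`; the timeout values here are constructed examples to be chosen per deployment. That change needs `time` in the file's import block, which is outside this hunk, and main() itself begins and ends outside the hunk.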