David Lawrence
ca7e4c8d38
set withHardware flag to false for export commands. We can never export from hardware
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-11-12 01:13:00 -08:00
David Lawrence
8628b57a96
private subdir should be added by keyfilestore, rather than all over the place
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-11-12 01:12:57 -08:00
Diogo Monica
4c2fcda620
Addressing small nits
Signed-off-by: Diogo Monica <diogo@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Diogo Monica <diogo@docker.com> (github: endophage)
2015-11-12 01:12:48 -08:00
Diogo Monica
0344dfc038
Making tests pass
Signed-off-by: Diogo Monica <diogo@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Diogo Monica <diogo@docker.com> (github: endophage)
2015-11-12 01:12:31 -08:00
Diogo Monica
5b7480f599
Adding default to notary key generate and configurable trust dir from config
Signed-off-by: Diogo Monica <diogo.monica@gmail.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Diogo Monica <diogo.monica@gmail.com> (github: endophage)
2015-11-12 01:12:26 -08:00
David Lawrence
ee270b6a2b
fixing integrations tests for new list keys layout
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-11-12 01:12:21 -08:00
David Lawrence
a21287c0d1
taking out message when yubikey not found
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-11-12 01:12:20 -08:00
David Lawrence
6acc130e17
list shows where the key is stored
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-11-12 01:12:20 -08:00
Diogo Monica
f9f118d088
Changing env to be TARGETS
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Diogo Monica <diogo.monica@gmail.com> (github: endophage)
2015-11-12 01:12:04 -08:00
Ying Li
0280a82ae0
Do not back up a root key that is imported into Yubikey.
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
2015-11-12 01:11:43 -08:00
Ying Li
9a01cf091d
Add "notary lookup" to the integration tests.
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
2015-11-12 01:11:17 -08:00
Ying Li
c82802b800
Move ecdsa_hardware_crypto_service to trustmanager/yubikeystore
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
2015-11-12 01:10:56 -08:00
Ying Li
4867410e98
Ensure that tests pass and binaries build without the pkcs11 build tag.
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
2015-11-12 01:10:16 -08:00
Ying Li
087f13ae7d
Normalize and elaborate on the command line help.
Ensures that the notary command line help text starts with capital
letters, and adds information about hardware keys and online/offline operation.
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
2015-11-12 01:10:03 -08:00
Ying Li
313ae80345
Remove unused rawOutput option in notary CLI.
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
2015-11-12 01:09:59 -08:00
Ying Li
e4e099ae00
Just ignore the -s notary CLI option instead of erroring.
Currently commands that do not require online access will error if
this option is passed. Do not error anymore, just ignore.
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
2015-11-12 01:09:53 -08:00
Ying Li
1f1868d3ee
Adding integration tests for notary client.
This runs through the basic notary init/add/publish/etc. workflow,
and some basic key workflows.
Note that this does work with the Yubikey, in that created keys while
testing do not require touch.
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
2015-11-12 01:09:40 -08:00
David Lawrence
91e8b9bcdb
backup to a KeyFileStore and take out key remove
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-11-12 01:09:32 -08:00
David Lawrence
f9cf7bcca5
remove needs to list keys to find guns
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-11-12 01:09:31 -08:00
David Lawrence
51a99a4127
generate should instantiate a yubikeystore
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-11-12 01:09:31 -08:00
David Lawrence
e8d2240c79
write private key to a backup dir when creating keys on yubikey
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-11-12 01:09:31 -08:00
David Lawrence
b7c38f0287
fixing tests
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-11-12 01:09:31 -08:00
David Lawrence
da18f54699
import-root, list, and remove working with yubikey
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-11-12 01:09:31 -08:00
David Lawrence
be4c0669c1
move import/export to cryptoservice and add import to yubikey
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-11-12 01:09:31 -08:00
Jessica Frazelle
5f21ebd185
Add pkcs11 build tags
Add build tags and a check in Makefile to be sure you do not import
pkcs11 lib somewhere where it should not be. This will ensure docker
import and integration will continue to work.
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Jessica Frazelle <acidburn@docker.com> (github: endophage)
2015-11-12 01:07:00 -08:00
David Lawrence
07f0065152
ask for pin when signing
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-11-12 01:06:38 -08:00
Diogo Monica
21138e6bad
Working version of Notary and Yubikey
Signed-off-by: Diogo Monica <diogo@docker.com>
Remove symlinks from notary-client repo creation
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: Diogo Monica <diogo@docker.com>
WIP
Signed-off-by: Diogo Monica <diogo@docker.com>
working yubikey integration
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
Fixing small colon bug
Signed-off-by: Diogo Monica <diogo@docker.com>
Added things. Ship it.
Signed-off-by: Diogo Monica <diogo@docker.com>
Bringing ecdsahwcryptosigner to 2015
Signed-off-by: Diogo Monica <diogo@docker.com>
Working version of notary and yubikey
Signed-off-by: Diogo Monica <diogo@docker.com>
2015-11-12 01:06:09 -08:00
Diogo Mónica
fd0775e1dc
Merge pull request #257 from mtrmac/fix-export-root
Fix (notary key export-root)
2015-11-01 10:31:29 +00:00
Miloslav Trmač
62dc66e936
Remove key ID from (notary key import-root)
PR #242 has started requiring a passphrase for the imported key, and
recomputes the key ID, making the command-line argument redundant. So,
remove it from the command line and from the KeyStoreManager API.
Also updates the comment for KeyStoreManager.ImportRootKey, and changes
(notary key import-root) to refuse unexpected arguments instead of
silently ignoring them.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2015-10-30 20:40:03 +01:00
Miloslav Trmač
93c28ccb1b
Fix (notary key export-root)
-c was recently taken over by --configFile; using it for
--change-passphrase as well results in
panic: shorthand redefinition
So, move --change-passphrase to -p.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2015-10-30 20:39:20 +01:00
Ying Li
b9a4175ea9
Update the client NotaryRepository to initialize with a root key ID
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-29 15:11:15 -07:00
Ying Li
aa5b621968
Fix import error after rebase
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-28 15:44:33 -07:00
Ying Li
adda5776cb
Use ListenAndServeTLS with blank args, since ListenAndServe doesn't actually set up TLS
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-28 15:42:36 -07:00
Ying Li
126691ac9e
Update the notary server and signer configs to make use of client authentication.
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-28 15:42:33 -07:00
Ying Li
34aecae033
Split out parsing the client TLS in notary-server.
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-28 15:40:41 -07:00
Ying Li
04a78e720f
Factor out and test TLS configuration in notary-server.
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-28 15:39:52 -07:00
Ying Li
bbf941d198
Allow client CAs to be provided to notary-signer.
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-28 15:39:52 -07:00
David Lawrence
daa36b43b7
Merge pull request #242 from docker/unify-root-nonroot-keystore
Unify root nonroot keystore
2015-10-28 13:14:19 -07:00
Ying Li
6150c931dd
Make a keysMap rather than just declaring
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-28 12:47:42 -07:00
David Lawrence
fa70a79ed7
go fmt was complaining about import order after my sed replacement
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-10-27 17:22:08 -07:00
David Lawrence
2833a88292
adding gotuf to notary
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
2015-10-27 16:36:06 -07:00
Ying Li
566bd3ce67
Combine the nonRootKeyStore with the rootKeyStore, and move the abstracting
over the root keys directory from non-root keys directory from keystoremanager
to keystore, since we're eliminating keystoremanager.
Maintain the two separate directories, though, because one can't tell whether
there is an old-style separate-directories structure, or if someone has a GUN
that starts with tuf_keys.
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-27 12:33:46 -07:00
Ying Li
61f9f84254
Use configuration option structures to set up client TLS and server TLS.
Test for if client cert is passed without a client key and vice versa.
Fail in ConfigureClientTLS if only one of client cert/key is passed.
Lint fixes.
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-21 18:43:33 -07:00
Ying Li
412e0facc8
Explicitly check the skip tls verify boolean in notary client
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-21 10:38:48 -07:00
Ying Li
fc389b7bc3
Use tls client config utility in notary as well.
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-19 17:31:18 -07:00
Ying Li
8d96cf0c1f
Use ConfigureServerTLS for notary-server and notary-signer
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-19 17:29:54 -07:00
Ying Li
a5e64ecf03
Do not use the viper singleton instance everywhere
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-19 11:50:04 -07:00
Ying Li
6db76a873e
Small cleanup as per review comments
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-16 14:48:05 -07:00
Ying Li
81380e0862
Even simpler - cancel the GRPC call using the context object passed
to the GRPC clients - thanks @endophage!
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-16 09:46:08 -07:00
Ying Li
a49406de42
Log an error if the notary server cannot reach the signer or otherwise
if the signer is in trouble, but do not fail the health check, since
the server can operate for a while without the signer (the server will
have degraded performance, but is not down)
Signed-off-by: Ying Li <ying.li@docker.com>
2015-10-15 10:48:10 -07:00