From 543bd6fa5578acd5f1e4f4b6e3c326297afbb75b Mon Sep 17 00:00:00 2001
From: Sergiusz Bazanski
Date: Tue, 28 Aug 2018 15:25:25 +0100
Subject: [PATCH] Remove pki scripts and info (now in hspki)

---
 README.md | 78 ++------------------------------------------
 pki/.gitignore | 2 --
 pki/ca_config.json | 13 --------
 pki/ca_csr.json | 11 -------
 pki/clean.sh | 6 ----
 pki/client_csr.json | 12 -------
 pki/gen.sh | 7 ----
 pki/service_csr.json | 12 -------
 8 files changed, 3 insertions(+), 138 deletions(-)
 delete mode 100644 pki/.gitignore
 delete mode 100644 pki/ca_config.json
 delete mode 100644 pki/ca_csr.json
 delete mode 100755 pki/clean.sh
 delete mode 100644 pki/client_csr.json
 delete mode 100755 pki/gen.sh
 delete mode 100644 pki/service_csr.json

diff --git a/README.md b/README.md
index fb3883d4..3f9ccaff 100644
--- a/README.md
+++ b/README.md
@@ -5,46 +5,10 @@ Our Arista 7148S does not support gRPC/OpenConfig, so we have to make our own da The schema is supposed to be 1:1 mapped to the JSON-RPC EAPI. This is just a dumb proxy. -PKI Introduction ----------------- +PKI +--- -This project is a testing ground for the HSCloud PKI setup. Long story short, -all gRPC is mutually authenticated via TLS (server & client certs). - -All certs for mutual auth have the following CN/SAN format: - - .. - -For example, if principal maps into a 'group' and job into a 'user': - - arista-proxy-dcr01u23.prod.c.example.com - - job = arista-proxy-dcr01u23 - principal = cluster-management-prod - realm = c.example.com - -The Realm is a DNS name that is global to all jobs that need mutual authentication. - -The Principal is any name that carries significance for logical grouping of jobs. -It can, but doesn't need to, group jobs by similar permissions. - -The Job is any name that identifies uniquely (within the principal) a security -endpoint that describes a single security policy for a gRPC endpoint. - -The entire CN should be DNS resolvable into an IP address that would respond to -gRPC requests on port 42000 (with a server TLS certificate that represents this CN) if the -job represents a service. - -This maps nicely to the Kubernetes Cluster DNS format if you set `realm` to `svc.cluster.local`. -Then, `principal` maps to a Kubernetes namespace, and `job` maps into a Kubernetes service. - - arista-proxy-dcr01u23.arista-prod.svc.cluster.local - - job/service = arista-proxy-dcr01u23 - principal/namespace = arista-prod - realm = svc.cluster.local - -ACLs based on job/principal are yet to be implemented :). +This service uses [HSPKI](https://code.hackerspace.pl/q3k/hspki), you will need to generate development TLS certificates for local use. Getting and Building -------------------- 
@@ -53,34 +17,6 @@ Getting and Building go generate code.hackerspace.pl/q3k/arista-proxy/proto go build code.hackerspace.pl/q3k/arista-proxy -PKI Certs for Development -------------------------- - -In production, those certs will be automatigacally provided for you by -automation. In development, you'll have to do the following: - - cd pki - ./gen.sh - -This will generate: - - `pki/ca.pem` - CA certificate - - `pki/client{,-key}.pem` - certificate and key for `developer.humans.svc.cluster.local` - - `pki/service{,-key}.pem` - certificate and key for `test.arista-proxy.svc.cluster.local` - -You will have to setup an /etc/hosts alias to make `test.arista-proxy.svc.cluster.local` resolve to your machine. - - # cat /etc/hosts - ... - 127.0.0.1 test.arista-proxy.svc.cluster.local - ... - -You can then start `arista-proxy` with default flags and talk to it via gRPC: - - ./arista-proxy - - alias grpc-dev="grpc -cacert $(pwd)/pki/ca.pem -key $(pwd)/pki/client-key.pem -cert $(pwd)/pki/client.pem" - grpc-dev test.arista-proxy.svc.cluster.local:42000 proto.AristaProxy.ShowVersion - Debug Status Page ----------------- @@ -105,16 +41,8 @@ Flags If non-empty, write log files in this directory -logtostderr log to standard error instead of files - -pki_realm string - PKI realm (default "svc.cluster.local") -stderrthreshold value logs at or above this threshold go to stderr - -tls_ca_path string - Path to PKI CA certificate (default "pki/ca.pem") - -tls_certificate_path string - Path to PKI service certificate (default "pki/service.pem") - -tls_key_path string - Path to PKI service private key (default "pki/service-key.pem") -v value log level for V logs -vmodule value diff --git a/pki/.gitignore b/pki/.gitignore deleted file mode 100644 index e24607da..00000000 --- a/pki/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -*csr -*pem diff --git a/pki/ca_config.json b/pki/ca_config.json deleted file mode 100644 index 113a08f6..00000000 --- a/pki/ca_config.json +++ /dev/null 
@@ -1,13 +0,0 @@
-{
- "signing": {
- "default": {
- "expiry": "8760h"
- },
- "profiles": {
- "test": {
- "usages": ["signing", "key encipherment", "server auth", "client auth"],
- "expiry": "8760h"
- }
- }
- }
-}
diff --git a/pki/ca_csr.json b/pki/ca_csr.json
deleted file mode 100644
index b24c6380..00000000
--- a/pki/ca_csr.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "names": [
- {
- "C": "US",
- "L": "San Francisco",
- "O": "Internet Widgets, Inc.",
- "OU": "WWW",
- "ST": "California"
- }
- ]
-}
diff --git a/pki/clean.sh b/pki/clean.sh
deleted file mode 100755
index 490223d1..00000000
--- a/pki/clean.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-
-set -e -x
-
-rm *pem
-rm *csr
diff --git a/pki/client_csr.json b/pki/client_csr.json
deleted file mode 100644
index 26fc0415..00000000
--- a/pki/client_csr.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "CN": "developer.humans.svc.cluster.local",
- "names": [
- {
- "C": "US",
- "L": "San Francisco",
- "O": "Internet Widgets, Inc.",
- "OU": "WWW",
- "ST": "California"
- }
- ]
-}
diff --git a/pki/gen.sh b/pki/gen.sh
deleted file mode 100755
index e09e9f3b..00000000
--- a/pki/gen.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-
-set -e -x
-
-test -f ca.pem || ( cfssl gencert -initca ca_csr.json | cfssljson -bare ca )
-test -f service.pem || ( cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca_config.json -profile=test service_csr.json | cfssljson -bare service )
-test -f client.pem || ( cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca_config.json -profile=test client_csr.json | cfssljson -bare client )
diff --git a/pki/service_csr.json b/pki/service_csr.json
deleted file mode 100644
index 72c910eb..00000000
--- a/pki/service_csr.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "CN": "test.arista-proxy.svc.cluster.local",
- "names": [
- {
- "C": "US",
- "L": "San Francisco",
- "O": "Internet Widgets, Inc.",
- "OU": "WWW",
- "ST": "California"
- }
- ]
-}