jesus/provisioning
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
provisioning/docs/book/user/NUSHELL_PLUGINS_GUIDE.html

993 lines
41 KiB
HTML
Raw Permalink Normal View History

chore: update provisioning configuration and documentation Update configuration files, templates, and internal documentation for the provisioning repository system. Configuration Updates: - KMS configuration modernization - Plugin system settings - Service port mappings - Test cluster topologies - Installation configuration examples - VM configuration defaults - Cedar authorization policies Documentation Updates: - Library module documentation - Extension API guides - AI system documentation - Service management guides - Test environment setup - Plugin usage guides - Validator configuration documentation All changes are backward compatible.
2025-12-11 21:50:42 +00:00
<!DOCTYPE HTML>
<html lang="en" class="ayu sidebar-visible" dir="ltr">
<head>
<!-- Book generated using mdBook -->
<meta charset="UTF-8">
<title>Nushell Plugins Guide - Provisioning Platform Documentation</title>
<!-- Custom HTML head -->
<meta name="description" content="Complete documentation for the Provisioning Platform - Infrastructure automation with Nushell, KCL, and Rust">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="theme-color" content="#ffffff">
<link rel="icon" href="../favicon.svg">
<link rel="shortcut icon" href="../favicon.png">
<link rel="stylesheet" href="../css/variables.css">
<link rel="stylesheet" href="../css/general.css">
<link rel="stylesheet" href="../css/chrome.css">
<link rel="stylesheet" href="../css/print.css" media="print">
<!-- Fonts -->
<link rel="stylesheet" href="../FontAwesome/css/font-awesome.css">
<link rel="stylesheet" href="../fonts/fonts.css">
<!-- Highlight.js Stylesheets -->
<link rel="stylesheet" id="highlight-css" href="../highlight.css">
<link rel="stylesheet" id="tomorrow-night-css" href="../tomorrow-night.css">
<link rel="stylesheet" id="ayu-highlight-css" href="../ayu-highlight.css">
<!-- Custom theme stylesheets -->
<!-- Provide site root and default themes to javascript -->
<script>
const path_to_root = "../";
const default_light_theme = "ayu";
const default_dark_theme = "navy";
</script>
<!-- Start loading toc.js asap -->
<script src="../toc.js"></script>
</head>
<body>
<div id="mdbook-help-container">
<div id="mdbook-help-popup">
<h2 class="mdbook-help-title">Keyboard shortcuts</h2>
<div>
<p>Press <kbd></kbd> or <kbd></kbd> to navigate between chapters</p>
<p>Press <kbd>S</kbd> or <kbd>/</kbd> to search in the book</p>
<p>Press <kbd>?</kbd> to show this help</p>
<p>Press <kbd>Esc</kbd> to hide this help</p>
</div>
</div>
</div>
<div id="body-container">
<!-- Work around some values being stored in localStorage wrapped in quotes -->
<script>
try {
let theme = localStorage.getItem('mdbook-theme');
let sidebar = localStorage.getItem('mdbook-sidebar');
if (theme.startsWith('"') && theme.endsWith('"')) {
localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
}
if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
}
} catch (e) { }
</script>
<!-- Set the theme before any content is loaded, prevents flash -->
<script>
const default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? default_dark_theme : default_light_theme;
let theme;
try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
if (theme === null || theme === undefined) { theme = default_theme; }
const html = document.documentElement;
html.classList.remove('ayu')
html.classList.add(theme);
html.classList.add("js");
</script>
<input type="checkbox" id="sidebar-toggle-anchor" class="hidden">
<!-- Hide / unhide sidebar before it is displayed -->
<script>
let sidebar = null;
const sidebar_toggle = document.getElementById("sidebar-toggle-anchor");
if (document.body.clientWidth >= 1080) {
try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
sidebar = sidebar || 'visible';
} else {
sidebar = 'hidden';
}
sidebar_toggle.checked = sidebar === 'visible';
html.classList.remove('sidebar-visible');
html.classList.add("sidebar-" + sidebar);
</script>
<nav id="sidebar" class="sidebar" aria-label="Table of contents">
<!-- populated by js -->
<mdbook-sidebar-scrollbox class="sidebar-scrollbox"></mdbook-sidebar-scrollbox>
<noscript>
<iframe class="sidebar-iframe-outer" src="../toc.html"></iframe>
</noscript>
<div id="sidebar-resize-handle" class="sidebar-resize-handle">
<div class="sidebar-resize-indicator"></div>
</div>
</nav>
<div id="page-wrapper" class="page-wrapper">
<div class="page">
<div id="menu-bar-hover-placeholder"></div>
<div id="menu-bar" class="menu-bar sticky">
<div class="left-buttons">
<label id="sidebar-toggle" class="icon-button" for="sidebar-toggle-anchor" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
<i class="fa fa-bars"></i>
</label>
<button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
<i class="fa fa-paint-brush"></i>
</button>
<ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
<li role="none"><button role="menuitem" class="theme" id="default_theme">Auto</button></li>
<li role="none"><button role="menuitem" class="theme" id="light">Light</button></li>
<li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
<li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
<li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>
<li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
</ul>
<button id="search-toggle" class="icon-button" type="button" title="Search (`/`)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="/ s" aria-controls="searchbar">
<i class="fa fa-search"></i>
</button>
</div>
<h1 class="menu-title">Provisioning Platform Documentation</h1>
<div class="right-buttons">
<a href="../print.html" title="Print this book" aria-label="Print this book">
<i id="print-button" class="fa fa-print"></i>
</a>
<a href="https://github.com/provisioning/provisioning-platform" title="Git repository" aria-label="Git repository">
<i id="git-repository-button" class="fa fa-github"></i>
</a>
<a href="https://github.com/provisioning/provisioning-platform/edit/main/provisioning/docs/src/user/NUSHELL_PLUGINS_GUIDE.md" title="Suggest an edit" aria-label="Suggest an edit">
<i id="git-edit-button" class="fa fa-edit"></i>
</a>
</div>
</div>
<div id="search-wrapper" class="hidden">
<form id="searchbar-outer" class="searchbar-outer">
<input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
</form>
<div id="searchresults-outer" class="searchresults-outer hidden">
<div id="searchresults-header" class="searchresults-header"></div>
<ul id="searchresults">
</ul>
</div>
</div>
<!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
<script>
document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
});
</script>
<div id="content" class="content">
<main>
<h1 id="nushell-plugins-for-provisioning-platform"><a class="header" href="#nushell-plugins-for-provisioning-platform">Nushell Plugins for Provisioning Platform</a></h1>
<p>Complete guide to authentication, KMS, and orchestrator plugins.</p>
<h2 id="overview"><a class="header" href="#overview">Overview</a></h2>
<p>Three native Nushell plugins provide high-performance integration with the provisioning platform:</p>
<ol>
<li><strong>nu_plugin_auth</strong> - JWT authentication and MFA operations</li>
<li><strong>nu_plugin_kms</strong> - Key management (RustyVault, Age, Cosmian, AWS, Vault)</li>
<li><strong>nu_plugin_orchestrator</strong> - Orchestrator operations (status, validate, tasks)</li>
</ol>
<h2 id="why-native-plugins"><a class="header" href="#why-native-plugins">Why Native Plugins?</a></h2>
<p><strong>Performance Advantages</strong>:</p>
<ul>
<li><strong>10x faster</strong> than HTTP API calls (KMS operations)</li>
<li><strong>Direct access</strong> to Rust libraries (no HTTP overhead)</li>
<li><strong>Native integration</strong> with Nushell pipelines</li>
<li><strong>Type safety</strong> with Nushells type system</li>
</ul>
<p><strong>Developer Experience</strong>:</p>
<ul>
<li><strong>Pipeline friendly</strong> - Use Nushell pipes naturally</li>
<li><strong>Tab completion</strong> - All commands and flags</li>
<li><strong>Consistent interface</strong> - Follows Nushell conventions</li>
<li><strong>Error handling</strong> - Nushell-native error messages</li>
</ul>
<hr />
<h2 id="installation"><a class="header" href="#installation">Installation</a></h2>
<h3 id="prerequisites"><a class="header" href="#prerequisites">Prerequisites</a></h3>
<ul>
<li>Nushell 0.107.1+</li>
<li>Rust toolchain (for building from source)</li>
<li>Access to provisioning platform services</li>
</ul>
<h3 id="build-from-source"><a class="header" href="#build-from-source">Build from Source</a></h3>
<pre><code class="language-bash">cd /Users/Akasha/project-provisioning/provisioning/core/plugins/nushell-plugins
# Build all plugins
cargo build --release -p nu_plugin_auth
cargo build --release -p nu_plugin_kms
cargo build --release -p nu_plugin_orchestrator
# Or build individually
cargo build --release -p nu_plugin_auth
cargo build --release -p nu_plugin_kms
cargo build --release -p nu_plugin_orchestrator
</code></pre>
<h3 id="register-with-nushell"><a class="header" href="#register-with-nushell">Register with Nushell</a></h3>
<pre><code class="language-bash"># Register all plugins
plugin add target/release/nu_plugin_auth
plugin add target/release/nu_plugin_kms
plugin add target/release/nu_plugin_orchestrator
# Verify registration
plugin list | where name =~ "provisioning"
</code></pre>
<h3 id="verify-installation"><a class="header" href="#verify-installation">Verify Installation</a></h3>
<pre><code class="language-bash"># Test auth commands
auth --help
# Test KMS commands
kms --help
# Test orchestrator commands
orch --help
</code></pre>
<hr />
<h2 id="plugin-nu_plugin_auth"><a class="header" href="#plugin-nu_plugin_auth">Plugin: nu_plugin_auth</a></h2>
<p>Authentication plugin for JWT login, MFA enrollment, and session management.</p>
<h3 id="commands"><a class="header" href="#commands">Commands</a></h3>
<h4 id="auth-login-username-password"><a class="header" href="#auth-login-username-password"><code>auth login &lt;username&gt; [password]</code></a></h4>
<p>Login to provisioning platform and store JWT tokens securely.</p>
<p><strong>Arguments</strong>:</p>
<ul>
<li><code>username</code> (required): Username for authentication</li>
<li><code>password</code> (optional): Password (prompts interactively if not provided)</li>
</ul>
<p><strong>Flags</strong>:</p>
<ul>
<li><code>--url &lt;url&gt;</code>: Control center URL (default: <code>http://localhost:9080</code>)</li>
<li><code>--password &lt;password&gt;</code>: Password (alternative to positional argument)</li>
</ul>
<p><strong>Examples</strong>:</p>
<pre><code class="language-nushell"># Interactive password prompt (recommended)
auth login admin
# Password in command (not recommended for production)
auth login admin mypassword
# Custom URL
auth login admin --url http://control-center:9080
# Pipeline usage
"admin" | auth login
</code></pre>
<p><strong>Token Storage</strong>:
Tokens are stored securely in OS-native keyring:</p>
<ul>
<li><strong>macOS</strong>: Keychain Access</li>
<li><strong>Linux</strong>: Secret Service (gnome-keyring, kwallet)</li>
<li><strong>Windows</strong>: Credential Manager</li>
</ul>
<p><strong>Success Output</strong>:</p>
<pre><code>✓ Login successful
User: admin
Role: Admin
Expires: 2025-10-09T14:30:00Z
</code></pre>
<hr />
<h4 id="auth-logout"><a class="header" href="#auth-logout"><code>auth logout</code></a></h4>
<p>Logout from current session and remove stored tokens.</p>
<p><strong>Examples</strong>:</p>
<pre><code class="language-nushell"># Simple logout
auth logout
# Pipeline usage (conditional logout)
if (auth verify | get active) { auth logout }
</code></pre>
<p><strong>Success Output</strong>:</p>
<pre><code>✓ Logged out successfully
</code></pre>
<hr />
<h4 id="auth-verify"><a class="header" href="#auth-verify"><code>auth verify</code></a></h4>
<p>Verify current session and check token validity.</p>
<p><strong>Examples</strong>:</p>
<pre><code class="language-nushell"># Check session status
auth verify
# Pipeline usage
auth verify | if $in.active { echo "Session valid" } else { echo "Session expired" }
</code></pre>
<p><strong>Success Output</strong>:</p>
<pre><code class="language-json">{
"active": true,
"user": "admin",
"role": "Admin",
"expires_at": "2025-10-09T14:30:00Z",
"mfa_verified": true
}
</code></pre>
<hr />
<h4 id="auth-sessions"><a class="header" href="#auth-sessions"><code>auth sessions</code></a></h4>
<p>List all active sessions for current user.</p>
<p><strong>Examples</strong>:</p>
<pre><code class="language-nushell"># List sessions
auth sessions
# Filter by date
auth sessions | where created_at &gt; (date now | date to-timezone UTC | into string)
</code></pre>
<p><strong>Output Format</strong>:</p>
<pre><code class="language-json">[
{
"session_id": "sess_abc123",
"created_at": "2025-10-09T12:00:00Z",
"expires_at": "2025-10-09T14:30:00Z",
"ip_address": "192.168.1.100",
"user_agent": "nushell/0.107.1"
}
]
</code></pre>
<hr />
<h4 id="auth-mfa-enroll-type"><a class="header" href="#auth-mfa-enroll-type"><code>auth mfa enroll &lt;type&gt;</code></a></h4>
<p>Enroll in MFA (TOTP or WebAuthn).</p>
<p><strong>Arguments</strong>:</p>
<ul>
<li><code>type</code> (required): MFA type (<code>totp</code> or <code>webauthn</code>)</li>
</ul>
<p><strong>Examples</strong>:</p>
<pre><code class="language-nushell"># Enroll TOTP (Google Authenticator, Authy)
auth mfa enroll totp
# Enroll WebAuthn (YubiKey, Touch ID, Windows Hello)
auth mfa enroll webauthn
</code></pre>
<p><strong>TOTP Enrollment Output</strong>:</p>
<pre><code>✓ TOTP enrollment initiated
Scan this QR code with your authenticator app:
████ ▄▄▄▄▄ █▀█ █▄▀▀▀▄ ▄▄▄▄▄ ████
████ █ █ █▀▀▀█▄ ▀▀█ █ █ ████
████ █▄▄▄█ █ █▀▄ ▀▄▄█ █▄▄▄█ ████
...
Or enter manually:
Secret: JBSWY3DPEHPK3PXP
URL: otpauth://totp/Provisioning:admin?secret=JBSWY3DPEHPK3PXP&amp;issuer=Provisioning
Backup codes (save securely):
1. ABCD-EFGH-IJKL
2. MNOP-QRST-UVWX
...
</code></pre>
<hr />
<h4 id="auth-mfa-verify---code-code"><a class="header" href="#auth-mfa-verify---code-code"><code>auth mfa verify --code &lt;code&gt;</code></a></h4>
<p>Verify MFA code (TOTP or backup code).</p>
<p><strong>Flags</strong>:</p>
<ul>
<li><code>--code &lt;code&gt;</code> (required): 6-digit TOTP code or backup code</li>
</ul>
<p><strong>Examples</strong>:</p>
<pre><code class="language-nushell"># Verify TOTP code
auth mfa verify --code 123456
# Verify backup code
auth mfa verify --code ABCD-EFGH-IJKL
</code></pre>
<p><strong>Success Output</strong>:</p>
<pre><code>✓ MFA verification successful
</code></pre>
<hr />
<h3 id="environment-variables"><a class="header" href="#environment-variables">Environment Variables</a></h3>
<div class="table-wrapper"><table><thead><tr><th>Variable</th><th>Description</th><th>Default</th></tr></thead><tbody>
<tr><td><code>USER</code></td><td>Default username</td><td>Current OS user</td></tr>
<tr><td><code>CONTROL_CENTER_URL</code></td><td>Control center URL</td><td><code>http://localhost:9080</code></td></tr>
</tbody></table>
</div>
<hr />
<h3 id="error-handling"><a class="header" href="#error-handling">Error Handling</a></h3>
<p><strong>Common Errors</strong>:</p>
<pre><code class="language-nushell"># "No active session"
Error: No active session found
→ Run: auth login &lt;username&gt;
# "Invalid credentials"
Error: Authentication failed: Invalid username or password
→ Check username and password
# "Token expired"
Error: Token has expired
→ Run: auth login &lt;username&gt;
# "MFA required"
Error: MFA verification required
→ Run: auth mfa verify --code &lt;code&gt;
# "Keyring error" (macOS)
Error: Failed to access keyring
→ Check Keychain Access permissions
# "Keyring error" (Linux)
Error: Failed to access keyring
→ Install gnome-keyring or kwallet
</code></pre>
<hr />
<h2 id="plugin-nu_plugin_kms"><a class="header" href="#plugin-nu_plugin_kms">Plugin: nu_plugin_kms</a></h2>
<p>Key Management Service plugin supporting multiple backends.</p>
<h3 id="supported-backends"><a class="header" href="#supported-backends">Supported Backends</a></h3>
<div class="table-wrapper"><table><thead><tr><th>Backend</th><th>Description</th><th>Use Case</th></tr></thead><tbody>
<tr><td><code>rustyvault</code></td><td>RustyVault Transit engine</td><td>Production KMS</td></tr>
<tr><td><code>age</code></td><td>Age encryption (local)</td><td>Development/testing</td></tr>
<tr><td><code>cosmian</code></td><td>Cosmian KMS (HTTP)</td><td>Cloud KMS</td></tr>
<tr><td><code>aws</code></td><td>AWS KMS</td><td>AWS environments</td></tr>
<tr><td><code>vault</code></td><td>HashiCorp Vault</td><td>Enterprise KMS</td></tr>
</tbody></table>
</div>
<h3 id="commands-1"><a class="header" href="#commands-1">Commands</a></h3>
<h4 id="kms-encrypt-data---backend-backend"><a class="header" href="#kms-encrypt-data---backend-backend"><code>kms encrypt &lt;data&gt; [--backend &lt;backend&gt;]</code></a></h4>
<p>Encrypt data using KMS.</p>
<p><strong>Arguments</strong>:</p>
<ul>
<li><code>data</code> (required): Data to encrypt (string or binary)</li>
</ul>
<p><strong>Flags</strong>:</p>
<ul>
<li><code>--backend &lt;backend&gt;</code>: KMS backend (<code>rustyvault</code>, <code>age</code>, <code>cosmian</code>, <code>aws</code>, <code>vault</code>)</li>
<li><code>--key &lt;key&gt;</code>: Key ID or recipient (backend-specific)</li>
<li><code>--context &lt;context&gt;</code>: Additional authenticated data (AAD)</li>
</ul>
<p><strong>Examples</strong>:</p>
<pre><code class="language-nushell"># Auto-detect backend from environment
kms encrypt "secret data"
# RustyVault
kms encrypt "data" --backend rustyvault --key provisioning-main
# Age (local encryption)
kms encrypt "data" --backend age --key age1xxxxxxxxx
# AWS KMS
kms encrypt "data" --backend aws --key alias/provisioning
# With context (AAD)
kms encrypt "data" --backend rustyvault --key provisioning-main --context "user=admin"
</code></pre>
<p><strong>Output Format</strong>:</p>
<pre><code>vault:v1:abc123def456...
</code></pre>
<hr />
<h4 id="kms-decrypt-encrypted---backend-backend"><a class="header" href="#kms-decrypt-encrypted---backend-backend"><code>kms decrypt &lt;encrypted&gt; [--backend &lt;backend&gt;]</code></a></h4>
<p>Decrypt KMS-encrypted data.</p>
<p><strong>Arguments</strong>:</p>
<ul>
<li><code>encrypted</code> (required): Encrypted data (base64 or KMS format)</li>
</ul>
<p><strong>Flags</strong>:</p>
<ul>
<li><code>--backend &lt;backend&gt;</code>: KMS backend (auto-detected if not specified)</li>
<li><code>--context &lt;context&gt;</code>: Additional authenticated data (AAD, must match encryption)</li>
</ul>
<p><strong>Examples</strong>:</p>
<pre><code class="language-nushell"># Auto-detect backend
kms decrypt "vault:v1:abc123def456..."
# RustyVault explicit
kms decrypt "vault:v1:abc123..." --backend rustyvault
# Age
kms decrypt "-----BEGIN AGE ENCRYPTED FILE-----..." --backend age
# With context
kms decrypt "vault:v1:abc123..." --backend rustyvault --context "user=admin"
</code></pre>
<p><strong>Output</strong>:</p>
<pre><code>secret data
</code></pre>
<hr />
<h4 id="kms-generate-key---spec-spec"><a class="header" href="#kms-generate-key---spec-spec"><code>kms generate-key [--spec &lt;spec&gt;]</code></a></h4>
<p>Generate data encryption key (DEK) using KMS.</p>
<p><strong>Flags</strong>:</p>
<ul>
<li><code>--spec &lt;spec&gt;</code>: Key specification (<code>AES128</code> or <code>AES256</code>, default: <code>AES256</code>)</li>
<li><code>--backend &lt;backend&gt;</code>: KMS backend</li>
</ul>
<p><strong>Examples</strong>:</p>
<pre><code class="language-nushell"># Generate AES-256 key
kms generate-key
# Generate AES-128 key
kms generate-key --spec AES128
# Specific backend
kms generate-key --backend rustyvault
</code></pre>
<p><strong>Output Format</strong>:</p>
<pre><code class="language-json">{
"plaintext": "base64-encoded-key",
"ciphertext": "vault:v1:encrypted-key",
"spec": "AES256"
}
</code></pre>
<hr />
<h4 id="kms-status"><a class="header" href="#kms-status"><code>kms status</code></a></h4>
<p>Show KMS backend status and configuration.</p>
<p><strong>Examples</strong>:</p>
<pre><code class="language-nushell"># Show status
kms status
# Filter to specific backend
kms status | where backend == "rustyvault"
</code></pre>
<p><strong>Output Format</strong>:</p>
<pre><code class="language-json">{
"backend": "rustyvault",
"status": "healthy",
"url": "http://localhost:8200",
"mount_point": "transit",
"version": "0.1.0"
}
</code></pre>
<hr />
<h3 id="environment-variables-1"><a class="header" href="#environment-variables-1">Environment Variables</a></h3>
<p><strong>RustyVault Backend</strong>:</p>
<pre><code class="language-bash">export RUSTYVAULT_ADDR="http://localhost:8200"
export RUSTYVAULT_TOKEN="your-token-here"
export RUSTYVAULT_MOUNT="transit"
</code></pre>
<p><strong>Age Backend</strong>:</p>
<pre><code class="language-bash">export AGE_RECIPIENT="age1xxxxxxxxx"
export AGE_IDENTITY="/path/to/key.txt"
</code></pre>
<p><strong>HTTP Backend (Cosmian)</strong>:</p>
<pre><code class="language-bash">export KMS_HTTP_URL="http://localhost:9998"
export KMS_HTTP_BACKEND="cosmian"
</code></pre>
<p><strong>AWS KMS</strong>:</p>
<pre><code class="language-bash">export AWS_REGION="us-east-1"
export AWS_ACCESS_KEY_ID="..."
export AWS_SECRET_ACCESS_KEY="..."
</code></pre>
<hr />
<h3 id="performance-comparison"><a class="header" href="#performance-comparison">Performance Comparison</a></h3>
<div class="table-wrapper"><table><thead><tr><th>Operation</th><th>HTTP API</th><th>Plugin</th><th>Improvement</th></tr></thead><tbody>
<tr><td>Encrypt (RustyVault)</td><td>~50ms</td><td>~5ms</td><td><strong>10x faster</strong></td></tr>
<tr><td>Decrypt (RustyVault)</td><td>~50ms</td><td>~5ms</td><td><strong>10x faster</strong></td></tr>
<tr><td>Encrypt (Age)</td><td>~30ms</td><td>~3ms</td><td><strong>10x faster</strong></td></tr>
<tr><td>Decrypt (Age)</td><td>~30ms</td><td>~3ms</td><td><strong>10x faster</strong></td></tr>
<tr><td>Generate Key</td><td>~60ms</td><td>~8ms</td><td><strong>7.5x faster</strong></td></tr>
</tbody></table>
</div>
<hr />
<h2 id="plugin-nu_plugin_orchestrator"><a class="header" href="#plugin-nu_plugin_orchestrator">Plugin: nu_plugin_orchestrator</a></h2>
<p>Orchestrator operations plugin for status, validation, and task management.</p>
<h3 id="commands-2"><a class="header" href="#commands-2">Commands</a></h3>
<h4 id="orch-status---data-dir-dir"><a class="header" href="#orch-status---data-dir-dir"><code>orch status [--data-dir &lt;dir&gt;]</code></a></h4>
<p>Get orchestrator status from local files (no HTTP).</p>
<p><strong>Flags</strong>:</p>
<ul>
<li><code>--data-dir &lt;dir&gt;</code>: Data directory (default: <code>provisioning/platform/orchestrator/data</code>)</li>
</ul>
<p><strong>Examples</strong>:</p>
<pre><code class="language-nushell"># Default data dir
orch status
# Custom dir
orch status --data-dir ./custom/data
# Pipeline usage
orch status | if $in.active_tasks &gt; 0 { echo "Tasks running" }
</code></pre>
<p><strong>Output Format</strong>:</p>
<pre><code class="language-json">{
"active_tasks": 5,
"completed_tasks": 120,
"failed_tasks": 2,
"pending_tasks": 3,
"uptime": "2d 4h 15m",
"health": "healthy"
}
</code></pre>
<hr />
<h4 id="orch-validate-workflowk---strict"><a class="header" href="#orch-validate-workflowk---strict"><code>orch validate &lt;workflow.k&gt; [--strict]</code></a></h4>
<p>Validate workflow KCL file.</p>
<p><strong>Arguments</strong>:</p>
<ul>
<li><code>workflow.k</code> (required): Path to KCL workflow file</li>
</ul>
<p><strong>Flags</strong>:</p>
<ul>
<li><code>--strict</code>: Enable strict validation (all checks, warnings as errors)</li>
</ul>
<p><strong>Examples</strong>:</p>
<pre><code class="language-nushell"># Basic validation
orch validate workflows/deploy.k
# Strict mode
orch validate workflows/deploy.k --strict
# Pipeline usage
ls workflows/*.k | each { |file| orch validate $file.name }
</code></pre>
<p><strong>Output Format</strong>:</p>
<pre><code class="language-json">{
"valid": true,
"workflow": {
"name": "deploy_k8s_cluster",
"version": "1.0.0",
"operations": 5
},
"warnings": [],
"errors": []
}
</code></pre>
<p><strong>Validation Checks</strong>:</p>
<ul>
<li>KCL syntax errors</li>
<li>Required fields present</li>
<li>Dependency graph valid (no cycles)</li>
<li>Resource limits within bounds</li>
<li>Provider configurations valid</li>
</ul>
<hr />
<h4 id="orch-tasks---status-status---limit-n"><a class="header" href="#orch-tasks---status-status---limit-n"><code>orch tasks [--status &lt;status&gt;] [--limit &lt;n&gt;]</code></a></h4>
<p>List orchestrator tasks.</p>
<p><strong>Flags</strong>:</p>
<ul>
<li><code>--status &lt;status&gt;</code>: Filter by status (<code>pending</code>, <code>running</code>, <code>completed</code>, <code>failed</code>)</li>
<li><code>--limit &lt;n&gt;</code>: Limit number of results (default: 100)</li>
<li><code>--data-dir &lt;dir&gt;</code>: Data directory (default from <code>ORCHESTRATOR_DATA_DIR</code>)</li>
</ul>
<p><strong>Examples</strong>:</p>
<pre><code class="language-nushell"># All tasks
orch tasks
# Pending tasks only
orch tasks --status pending
# Running tasks (limit to 10)
orch tasks --status running --limit 10
# Pipeline usage
orch tasks --status failed | each { |task| echo $"Failed: ($task.name)" }
</code></pre>
<p><strong>Output Format</strong>:</p>
<pre><code class="language-json">[
{
"task_id": "task_abc123",
"name": "deploy_kubernetes",
"status": "running",
"priority": 5,
"created_at": "2025-10-09T12:00:00Z",
"updated_at": "2025-10-09T12:05:00Z",
"progress": 45
}
]
</code></pre>
<hr />
<h3 id="environment-variables-2"><a class="header" href="#environment-variables-2">Environment Variables</a></h3>
<div class="table-wrapper"><table><thead><tr><th>Variable</th><th>Description</th><th>Default</th></tr></thead><tbody>
<tr><td><code>ORCHESTRATOR_DATA_DIR</code></td><td>Data directory</td><td><code>provisioning/platform/orchestrator/data</code></td></tr>
</tbody></table>
</div>
<hr />
<h3 id="performance-comparison-1"><a class="header" href="#performance-comparison-1">Performance Comparison</a></h3>
<div class="table-wrapper"><table><thead><tr><th>Operation</th><th>HTTP API</th><th>Plugin</th><th>Improvement</th></tr></thead><tbody>
<tr><td>Status</td><td>~30ms</td><td>~3ms</td><td><strong>10x faster</strong></td></tr>
<tr><td>Validate</td><td>~100ms</td><td>~10ms</td><td><strong>10x faster</strong></td></tr>
<tr><td>Tasks List</td><td>~50ms</td><td>~5ms</td><td><strong>10x faster</strong></td></tr>
</tbody></table>
</div>
<hr />
<h2 id="pipeline-examples"><a class="header" href="#pipeline-examples">Pipeline Examples</a></h2>
<h3 id="authentication-flow"><a class="header" href="#authentication-flow">Authentication Flow</a></h3>
<pre><code class="language-nushell"># Login and verify in one pipeline
auth login admin
| if $in.success { auth verify }
| if $in.mfa_required { auth mfa verify --code (input "MFA code: ") }
</code></pre>
<h3 id="kms-operations"><a class="header" href="#kms-operations">KMS Operations</a></h3>
<pre><code class="language-nushell"># Encrypt multiple secrets
["secret1", "secret2", "secret3"]
| each { |data| kms encrypt $data --backend rustyvault }
| save encrypted_secrets.json
# Decrypt and process
open encrypted_secrets.json
| each { |enc| kms decrypt $enc }
| each { |plain| echo $"Decrypted: ($plain)" }
</code></pre>
<h3 id="orchestrator-monitoring"><a class="header" href="#orchestrator-monitoring">Orchestrator Monitoring</a></h3>
<pre><code class="language-nushell"># Monitor running tasks
while true {
orch tasks --status running
| each { |task| echo $"($task.name): ($task.progress)%" }
sleep 5sec
}
</code></pre>
<h3 id="combined-workflow"><a class="header" href="#combined-workflow">Combined Workflow</a></h3>
<pre><code class="language-nushell"># Complete deployment workflow
auth login admin
| auth mfa verify --code (input "MFA: ")
| orch validate workflows/deploy.k
| if $in.valid {
orch tasks --status pending
| where priority &gt; 5
| each { |task| echo $"High priority: ($task.name)" }
}
</code></pre>
<hr />
<h2 id="troubleshooting"><a class="header" href="#troubleshooting">Troubleshooting</a></h2>
<h3 id="auth-plugin"><a class="header" href="#auth-plugin">Auth Plugin</a></h3>
<p><strong>“No active session”</strong>:</p>
<pre><code class="language-nushell">auth login &lt;username&gt;
</code></pre>
<p><strong>“Keyring error” (macOS)</strong>:</p>
<ul>
<li>Check Keychain Access permissions</li>
<li>Security &amp; Privacy → Privacy → Full Disk Access → Add Nushell</li>
</ul>
<p><strong>“Keyring error” (Linux)</strong>:</p>
<pre><code class="language-bash"># Install keyring service
sudo apt install gnome-keyring # Ubuntu/Debian
sudo dnf install gnome-keyring # Fedora
# Or use KWallet
sudo apt install kwalletmanager
</code></pre>
<p><strong>“MFA verification failed”</strong>:</p>
<ul>
<li>Check time synchronization (TOTP requires accurate clocks)</li>
<li>Use backup codes if TOTP not working</li>
<li>Re-enroll MFA if device lost</li>
</ul>
<hr />
<h3 id="kms-plugin"><a class="header" href="#kms-plugin">KMS Plugin</a></h3>
<p><strong>“RustyVault connection failed”</strong>:</p>
<pre><code class="language-bash"># Check RustyVault running
curl http://localhost:8200/v1/sys/health
# Set environment
export RUSTYVAULT_ADDR="http://localhost:8200"
export RUSTYVAULT_TOKEN="your-token"
</code></pre>
<p><strong>“Age encryption failed”</strong>:</p>
<pre><code class="language-bash"># Check Age keys
ls -la ~/.age/
# Generate new key if needed
age-keygen -o ~/.age/key.txt
# Set environment
export AGE_RECIPIENT="age1xxxxxxxxx"
export AGE_IDENTITY="$HOME/.age/key.txt"
</code></pre>
<p><strong>“AWS KMS access denied”</strong>:</p>
<pre><code class="language-bash"># Check AWS credentials
aws sts get-caller-identity
# Check KMS key policy
aws kms describe-key --key-id alias/provisioning
</code></pre>
<hr />
<h3 id="orchestrator-plugin"><a class="header" href="#orchestrator-plugin">Orchestrator Plugin</a></h3>
<p><strong>“Failed to read status”</strong>:</p>
<pre><code class="language-bash"># Check data directory exists
ls provisioning/platform/orchestrator/data/
# Create if missing
mkdir -p provisioning/platform/orchestrator/data
</code></pre>
<p><strong>“Workflow validation failed”</strong>:</p>
<pre><code class="language-nushell"># Use strict mode for detailed errors
orch validate workflows/deploy.k --strict
</code></pre>
<p><strong>“No tasks found”</strong>:</p>
<pre><code class="language-bash"># Check orchestrator running
ps aux | grep orchestrator
# Start orchestrator
cd provisioning/platform/orchestrator
./scripts/start-orchestrator.nu --background
</code></pre>
<hr />
<h2 id="development"><a class="header" href="#development">Development</a></h2>
<h3 id="building-from-source"><a class="header" href="#building-from-source">Building from Source</a></h3>
<pre><code class="language-bash">cd provisioning/core/plugins/nushell-plugins
# Clean build
cargo clean
# Build with debug info
cargo build -p nu_plugin_auth
cargo build -p nu_plugin_kms
cargo build -p nu_plugin_orchestrator
# Run tests
cargo test -p nu_plugin_auth
cargo test -p nu_plugin_kms
cargo test -p nu_plugin_orchestrator
# Run all tests
cargo test --all
</code></pre>
<h3 id="adding-to-cicd"><a class="header" href="#adding-to-cicd">Adding to CI/CD</a></h3>
<pre><code class="language-yaml">name: Build Nushell Plugins
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install Rust
uses: actions-rs/toolchain@v1
with:
toolchain: stable
- name: Build Plugins
run: |
cd provisioning/core/plugins/nushell-plugins
cargo build --release --all
- name: Test Plugins
run: |
cd provisioning/core/plugins/nushell-plugins
cargo test --all
- name: Upload Artifacts
uses: actions/upload-artifact@v3
with:
name: plugins
path: provisioning/core/plugins/nushell-plugins/target/release/nu_plugin_*
</code></pre>
<hr />
<h2 id="advanced-usage"><a class="header" href="#advanced-usage">Advanced Usage</a></h2>
<h3 id="custom-plugin-configuration"><a class="header" href="#custom-plugin-configuration">Custom Plugin Configuration</a></h3>
<p>Create <code>~/.config/nushell/plugin_config.nu</code>:</p>
<pre><code class="language-nushell"># Auth plugin defaults
$env.CONTROL_CENTER_URL = "https://control-center.example.com"
# KMS plugin defaults
$env.RUSTYVAULT_ADDR = "https://vault.example.com:8200"
$env.RUSTYVAULT_MOUNT = "transit"
# Orchestrator plugin defaults
$env.ORCHESTRATOR_DATA_DIR = "/opt/orchestrator/data"
</code></pre>
<h3 id="plugin-aliases"><a class="header" href="#plugin-aliases">Plugin Aliases</a></h3>
<p>Add to <code>~/.config/nushell/config.nu</code>:</p>
<pre><code class="language-nushell"># Auth shortcuts
alias login = auth login
alias logout = auth logout
# KMS shortcuts
alias encrypt = kms encrypt
alias decrypt = kms decrypt
# Orchestrator shortcuts
alias status = orch status
alias validate = orch validate
alias tasks = orch tasks
</code></pre>
<hr />
<h2 id="security-best-practices"><a class="header" href="#security-best-practices">Security Best Practices</a></h2>
<h3 id="authentication"><a class="header" href="#authentication">Authentication</a></h3>
<p><strong>DO</strong>: Use interactive password prompts
<strong>DO</strong>: Enable MFA for production environments
<strong>DO</strong>: Verify session before sensitive operations
<strong>DONT</strong>: Pass passwords in command line (visible in history)
<strong>DONT</strong>: Store tokens in plain text files</p>
<h3 id="kms-operations-1"><a class="header" href="#kms-operations-1">KMS Operations</a></h3>
<p><strong>DO</strong>: Use context (AAD) for encryption when available
<strong>DO</strong>: Rotate KMS keys regularly
<strong>DO</strong>: Use hardware-backed keys (WebAuthn, YubiKey) when possible
<strong>DONT</strong>: Share Age private keys
<strong>DONT</strong>: Log decrypted data</p>
<h3 id="orchestrator"><a class="header" href="#orchestrator">Orchestrator</a></h3>
<p><strong>DO</strong>: Validate workflows in strict mode before production
<strong>DO</strong>: Monitor task status regularly
<strong>DO</strong>: Use appropriate data directory permissions (700)
<strong>DONT</strong>: Run orchestrator as root
<strong>DONT</strong>: Expose data directory over network shares</p>
<hr />
<h2 id="faq"><a class="header" href="#faq">FAQ</a></h2>
<p><strong>Q: Why use plugins instead of HTTP API?</strong>
A: Plugins are 10x faster, have better Nushell integration, and eliminate HTTP overhead.</p>
<p><strong>Q: Can I use plugins without orchestrator running?</strong>
A: <code>auth</code> and <code>kms</code> work independently. <code>orch</code> requires access to orchestrator data directory.</p>
<p><strong>Q: How do I update plugins?</strong>
A: Rebuild and re-register: <code>cargo build --release --all &amp;&amp; plugin add target/release/nu_plugin_*</code></p>
<p><strong>Q: Are plugins cross-platform?</strong>
A: Yes, plugins work on macOS, Linux, and Windows (with appropriate keyring services).</p>
<p><strong>Q: Can I use multiple KMS backends simultaneously?</strong>
A: Yes, specify <code>--backend</code> flag for each operation.</p>
<p><strong>Q: How do I backup MFA enrollment?</strong>
A: Save backup codes securely (password manager, encrypted file). QR code can be re-scanned.</p>
<hr />
<h2 id="related-documentation"><a class="header" href="#related-documentation">Related Documentation</a></h2>
<ul>
<li><strong>Security System</strong>: <code>docs/architecture/ADR-009-security-system-complete.md</code></li>
<li><strong>JWT Auth</strong>: <code>docs/architecture/JWT_AUTH_IMPLEMENTATION.md</code></li>
<li><strong>Config Encryption</strong>: <code>docs/user/CONFIG_ENCRYPTION_GUIDE.md</code></li>
<li><strong>RustyVault Integration</strong>: <code>RUSTYVAULT_INTEGRATION_SUMMARY.md</code></li>
<li><strong>MFA Implementation</strong>: <code>docs/architecture/MFA_IMPLEMENTATION_SUMMARY.md</code></li>
</ul>
<hr />
<p><strong>Version</strong>: 1.0.0
<strong>Last Updated</strong>: 2025-10-09
<strong>Maintained By</strong>: Platform Team</p>
</main>
<nav class="nav-wrapper" aria-label="Page navigation">
<!-- Mobile navigation buttons -->
<a rel="prev" href="../user/extension-development.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>
<a rel="next prefetch" href="../user/PLUGIN_INTEGRATION_GUIDE.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
<i class="fa fa-angle-right"></i>
</a>
<div style="clear: both"></div>
</nav>
</div>
</div>
<nav class="nav-wide-wrapper" aria-label="Page navigation">
<a rel="prev" href="../user/extension-development.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>
<a rel="next prefetch" href="../user/PLUGIN_INTEGRATION_GUIDE.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
<i class="fa fa-angle-right"></i>
</a>
</nav>
</div>
<!-- Livereload script (if served using the cli tool) -->
<script>
const wsProtocol = location.protocol === 'https:' ? 'wss:' : 'ws:';
const wsAddress = wsProtocol + "//" + location.host + "/" + "__livereload";
const socket = new WebSocket(wsAddress);
socket.onmessage = function (event) {
if (event.data === "reload") {
socket.close();
location.reload();
}
};
window.onbeforeunload = function() {
socket.close();
}
</script>
<script>
window.playground_copyable = true;
</script>
<script src="../elasticlunr.min.js"></script>
<script src="../mark.min.js"></script>
<script src="../searcher.js"></script>
<script src="../clipboard.min.js"></script>
<script src="../highlight.js"></script>
<script src="../book.js"></script>
<!-- Custom JS scripts -->
</div>
</body>
</html>
Reference in New Issue Copy Permalink