forked from hswaw/hscloud
clustercfg: extract cfssl handling to separate function
parent
acd001bf83
commit
598a079f57
|
@ -1,3 +1,4 @@
|
||||||
|
# encoding: utf-8
|
||||||
import json
|
import json
|
||||||
import logging
|
import logging
|
||||||
import os
|
import os
|
||||||
|
@ -89,6 +90,22 @@ class CA(object):
|
||||||
with open(self._cert) as f:
|
with open(self._cert) as f:
|
||||||
return f.read()
|
return f.read()
|
||||||
|
|
||||||
|
def _cfssl_call(self, args, obj=None, stdin=None):
|
||||||
|
p = subprocess.Popen(['cfssl'] + args,
|
||||||
|
stdin=subprocess.PIPE, stdout=subprocess.PIPE,
|
||||||
|
stderr=subprocess.PIPE)
|
||||||
|
if obj:
|
||||||
|
stdin = json.dumps(stdin)
|
||||||
|
|
||||||
|
outs, errs = p.communicate(stdin.encode())
|
||||||
|
if p.returncode != 0:
|
||||||
|
raise Exception(
|
||||||
|
'cfssl failed. stderr: %r, stdout: %r, code: %r' % (
|
||||||
|
errs, outs, p.returncode))
|
||||||
|
|
||||||
|
out = json.loads(outs)
|
||||||
|
return out
|
||||||
|
|
||||||
def _init_ca(self):
|
def _init_ca(self):
|
||||||
if self.ss.exists(self._secret_key):
|
if self.ss.exists(self._secret_key):
|
||||||
return
|
return
|
||||||
|
@ -97,11 +114,7 @@ class CA(object):
|
||||||
ca_csr['CN'] = self.cn
|
ca_csr['CN'] = self.cn
|
||||||
|
|
||||||
logger.info("{}: Generating CA...".format(self))
|
logger.info("{}: Generating CA...".format(self))
|
||||||
p = subprocess.Popen(['cfssl', 'gencert', '-initca', '-'],
|
out = self._cfssl_call(['gencert', '-initca', '-'], obj=ca_csr)
|
||||||
stdin=subprocess.PIPE, stdout=subprocess.PIPE,
|
|
||||||
stderr=subprocess.PIPE)
|
|
||||||
outs, errs = p.communicate(json.dumps(ca_csr).encode())
|
|
||||||
out = json.loads(outs)
|
|
||||||
|
|
||||||
f = self.ss.open(self._secret_key, 'w')
|
f = self.ss.open(self._secret_key, 'w')
|
||||||
f.write(out['key'])
|
f.write(out['key'])
|
||||||
|
@ -132,11 +145,8 @@ class CA(object):
|
||||||
}
|
}
|
||||||
cfg.update(_ca_config)
|
cfg.update(_ca_config)
|
||||||
logger.info("{}: Generating key/CSR for {}".format(self, hosts))
|
logger.info("{}: Generating key/CSR for {}".format(self, hosts))
|
||||||
p = subprocess.Popen(['cfssl', 'genkey', '-'],
|
out = self._cfssl_call(['genkey', '-'], obj=cfg)
|
||||||
stdin=subprocess.PIPE, stdout=subprocess.PIPE,
|
|
||||||
stderr=subprocess.PIPE)
|
|
||||||
outs, errs = p.communicate(json.dumps(cfg).encode())
|
|
||||||
out = json.loads(outs)
|
|
||||||
key, csr = out['key'], out['csr']
|
key, csr = out['key'], out['csr']
|
||||||
if save is not None:
|
if save is not None:
|
||||||
logging.info("{}: Saving new key to secret {}".format(self, save))
|
logging.info("{}: Saving new key to secret {}".format(self, save))
|
||||||
|
@ -150,12 +160,8 @@ class CA(object):
|
||||||
logging.info("{}: Signing CSR".format(self))
|
logging.info("{}: Signing CSR".format(self))
|
||||||
ca = self._cert
|
ca = self._cert
|
||||||
cakey = self.ss.plaintext(self._secret_key)
|
cakey = self.ss.plaintext(self._secret_key)
|
||||||
p = subprocess.Popen(['cfssl', 'sign', '-ca=' + ca, '-ca-key=' + cakey,
|
out = self._cfssl_call(['sign', '-ca=' + ca, '-ca-key=' + cakey,
|
||||||
'-profile=client-server', '-'],
|
'-profile=client-server', '-'], stdin=csr)
|
||||||
stdin=subprocess.PIPE, stdout=subprocess.PIPE,
|
|
||||||
stderr=subprocess.PIPE)
|
|
||||||
outs, errs = p.communicate(csr.encode())
|
|
||||||
out = json.loads(outs)
|
|
||||||
cert = out['cert']
|
cert = out['cert']
|
||||||
if save is not None:
|
if save is not None:
|
||||||
name = os.path.join(self.cdir, save)
|
name = os.path.join(self.cdir, save)
|
||||||
|
|
Loading…
Reference in New Issue