package main
import (
"crypto/tls"
"fmt"
"time"
"github.com/cloudflare/cfssl/csr"
"github.com/cloudflare/cfssl/signer"
"github.com/golang/glog"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
)
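// selfCreds bootstraps the TLS credentials prodvider presents on its own gRPC
// listener. It generates a fresh key and CSR for flagProdviderCN, has
// prodvider's own signer issue a "server" certificate for it, and wraps the
// result in a grpc.ServerOption.
//
// Every failure is fatal (glog.Exitf): without a server certificate there is
// nothing prodvider can safely serve.
//
// The resulting tls.Config does not set ClientAuth, so the TLS layer itself
// does not authenticate peers; NOTE(review): client authentication is
// presumably done at the application layer — confirm in the gRPC handlers.
func (p *prodvider) selfCreds() grpc.ServerOption {
	glog.Infof("Bootstrapping certificate for self (%q)...", flagProdviderCN)

	// Create a key and CSR.
	csrPEM, keyPEM, err := p.makeSelfCSR()
	if err != nil {
		glog.Exitf("Could not generate key and CSR for self: %v", err)
	}

	// Create a cert
	certPEM, err := p.makeSelfCertificate(csrPEM)
	if err != nil {
		glog.Exitf("Could not sign certificate for self: %v", err)
	}

	serverCert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		glog.Exitf("Could not use gRPC certificate: %v", err)
	}

	// Append the signer's own certificate to the chain presented to peers.
	// Check the error instead of discarding it: a nil signerCert would
	// otherwise nil-dereference on .Raw below with a far less useful panic.
	signerCert, err := p.sign.Certificate("", "")
	if err != nil {
		glog.Exitf("Could not get signer certificate for chain: %v", err)
	}
	if signerCert == nil {
		glog.Exitf("Signer returned no certificate for chain")
	}
	serverCert.Certificate = append(serverCert.Certificate, signerCert.Raw)

	return grpc.Creds(credentials.NewTLS(&tls.Config{
		Certificates: []tls.Certificate{serverCert},
		// Pin the floor explicitly rather than relying on the library
		// default; the gRPC transport spec requires TLS 1.2 or newer anyway.
		MinVersion: tls.VersionTLS12,
	}))
}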
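// makeSelfCSR generates a fresh RSA-4096 key pair and a PEM-encoded CSR for
// prodvider's own server certificate. The subject's CN is flagProdviderCN;
// C/ST/L/O/OU are copied from the signer's (CA's) certificate so the leaf
// sits under the same organisation as the issuer.
//
// Returns (csrPEM, keyPEM, err). keyPEM is prodvider's own TLS private key;
// it must not be logged or persisted outside the running process.
func (p *prodvider) makeSelfCSR() ([]byte, []byte, error) {
	signerCert, err := p.sign.Certificate("", "")
	if err != nil {
		return nil, nil, fmt.Errorf("could not get signer certificate: %v", err)
	}
	if signerCert == nil {
		return nil, nil, fmt.Errorf("signer returned no certificate")
	}

	// first returns the first element of a subject attribute list, or "" when
	// the CA's subject does not carry that attribute, instead of panicking
	// with an index out of range. NOTE(review): cfssl is expected to omit
	// empty name attributes from the CSR — confirm against the cfssl version
	// in use.
	first := func(ss []string) string {
		if len(ss) == 0 {
			return ""
		}
		return ss[0]
	}
	subj := signerCert.Subject

	req := &csr.CertificateRequest{
		CN: flagProdviderCN,
		KeyRequest: &csr.BasicKeyRequest{
			A: "rsa",
			S: 4096,
		},
		Names: []csr.Name{
			{
				C:  first(subj.Country),
				ST: first(subj.Province),
				L:  first(subj.Locality),
				O:  first(subj.Organization),
				OU: first(subj.OrganizationalUnit),
			},
		},
	}

	// cfssl requires a Validator callback; this request is built entirely
	// from in-process values, so there is nothing untrusted to check.
	g := &csr.Generator{
		Validator: func(req *csr.CertificateRequest) error { return nil },
	}

	return g.ProcessRequest(req)
}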
// makeSelfCertificate asks prodvider's signer to issue a certificate for the
// given PEM CSR under the signer's "server" profile (the profile definition
// itself lives in the signer's config, not in this file). Returns the
// certificate PEM, or the signer's error.
//
// NOTE(review): Hosts is empty and makeSelfCSR requests no SANs either, so
// the issued certificate carries only a CN. Go 1.15+ clients that verify the
// server hostname reject SAN-less certificates — confirm how clients connect
// to prodvider before relying on this for hostname verification.
func (p *prodvider) makeSelfCertificate(csr []byte) ([]byte, error) {
	signReq := signer.SignRequest{
		Hosts:   []string{},
		Request: string(csr),
		Profile: "server",
	}
	return p.sign.Sign(signReq)
}
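// makeKubernetesCSR generates a fresh RSA-4096 key pair and a PEM-encoded CSR
// for a Kubernetes client certificate.
//
// Kubernetes derives the caller's identity from the certificate subject: CN
// is the user name and O is the group. This means `o` directly decides which
// group the resulting certificate grants membership of once signed. Nothing
// here authorises the username/o pairing; that must happen in the caller
// (not visible in this file). An empty o yields a certificate with no group.
// C/ST/L are copied from the signer's certificate, mirroring makeSelfCSR.
//
// Returns (csrPEM, keyPEM, err). keyPEM is the client's private key: it is
// generated server-side, must be handed to the client and then forgotten,
// and must never be logged.
//
// An empty username is rejected up front: the no-op Validator below would
// otherwise happily produce an identity-less certificate with CN "".
func (p *prodvider) makeKubernetesCSR(username, o string) ([]byte, []byte, error) {
	if username == "" {
		return nil, nil, fmt.Errorf("username must not be empty")
	}

	signerCert, err := p.sign.Certificate("", "")
	if err != nil {
		return nil, nil, fmt.Errorf("could not get signer certificate: %v", err)
	}
	if signerCert == nil {
		return nil, nil, fmt.Errorf("signer returned no certificate")
	}

	// first returns the first element of a subject attribute list, or "" when
	// the CA's subject does not carry that attribute, instead of panicking
	// with an index out of range on a per-request path. NOTE(review): cfssl
	// is expected to omit empty name attributes from the CSR — confirm.
	first := func(ss []string) string {
		if len(ss) == 0 {
			return ""
		}
		return ss[0]
	}
	subj := signerCert.Subject

	req := &csr.CertificateRequest{
		CN: username,
		KeyRequest: &csr.BasicKeyRequest{
			A: "rsa",
			S: 4096,
		},
		Names: []csr.Name{
			{
				C:  first(subj.Country),
				ST: first(subj.Province),
				L:  first(subj.Locality),
				O:  o,
				OU: fmt.Sprintf("Prodvider Kubernetes Cert for %s/%s", username, o),
			},
		},
	}

	// cfssl requires a Validator callback; the only caller-supplied inputs
	// (username, o) are checked above and by the caller, so nothing else is
	// validated here.
	g := &csr.Generator{
		Validator: func(req *csr.CertificateRequest) error { return nil },
	}

	return g.ProcessRequest(req)
}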
// makeKubernetesCertificate asks prodvider's signer to issue a client
// certificate for the given PEM CSR under the signer's "client" profile,
// with validity capped at notAfter. Returns the certificate PEM, or the
// signer's error.
//
// No SANs are requested (Hosts is empty), which is what a client certificate
// identified purely by its subject wants. NOTE(review): cfssl is expected to
// fall back to the profile's expiry when notAfter is the zero time — confirm,
// and have callers always pass an explicit bound so credential lifetime is
// decided here rather than by the signer config.
func (p *prodvider) makeKubernetesCertificate(csr []byte, notAfter time.Time) ([]byte, error) {
	return p.sign.Sign(signer.SignRequest{
		Hosts:    []string{},
		Request:  string(csr),
		Profile:  "client",
		NotAfter: notAfter,
	})
}