prodvider: emit client/server cert

Change-Id: I024782a7dfa6e16ff5f562a62ddd8fe3bf299c51

cluster/kube/lib/prodvider.libsonnet

@@ -9,7 +9,7 @@ local kube = import "../../../kube/kube.libsonnet";
 
         cfg:: {
             namespace: "prodvider",
-            image: "registry.k0.hswaw.net/q3k/prodvider:1596294699-1e1a4ddfc88008465aa38e4c037d2ba5d6ec8130",
+            image: "registry.k0.hswaw.net/q3k/prodvider:1596298570-f3312ef77ed0db94e20944efc6395750072f54d5",
 
             apiEndpoint: error "API endpoint must be set",
 

cluster/prodvider/hspki.go

@@ -15,11 +15,13 @@ import (
 	pb "code.hackerspace.pl/hscloud/cluster/prodvider/proto"
 )
 
+// hspkiSigner returns a cfssl signer (CA) for HSPKI, by loading the CA
+// cert/key from Kubernetes.
 func (p *prodvider) hspkiSigner() (*local.Signer, error) {
 	policy := &config.Signing{
 		Profiles: map[string]*config.SigningProfile{
-			"client": &config.SigningProfile{
-				Usage:        []string{"signing", "key encipherment", "client auth"},
+			"client-server": &config.SigningProfile{
+				Usage:        []string{"signing", "key encipherment", "server auth", "client auth"},
 				ExpiryString: "30d",
 			},
 		},
@@ -44,6 +46,8 @@ func (p *prodvider) hspkiSigner() (*local.Signer, error) {
 	return local.NewSigner(priv, parsedCa, signer.DefaultSigAlgo(priv), policy)
 }
 
+// hspkiCreds returns a HSPKI certificate/key for an SSO user. The returned
+// certificate is valida for both server and client usage.
 func (p *prodvider) hspkiCreds(username string) (*pb.HSPKIKeys, error) {
 	principal := fmt.Sprintf("%s.sso.hswaw.net", username)
 
@@ -79,7 +83,7 @@ func (p *prodvider) hspkiCreds(username string) (*pb.HSPKIKeys, error) {
 	signReq := signer.SignRequest{
 		Hosts:    []string{},
 		Request:  string(csrPEM),
-		Profile:  "client",
+		Profile:  "client-server",
 		NotAfter: time.Now().Add(9 * time.Hour),
 	}