prodvider: emit client/server cert
Change-Id: I024782a7dfa6e16ff5f562a62ddd8fe3bf299c51master
parent
f3312ef77e
commit
4ded56ab8a
|
@ -9,7 +9,7 @@ local kube = import "../../../kube/kube.libsonnet";
|
|||
|
||||
cfg:: {
|
||||
namespace: "prodvider",
|
||||
image: "registry.k0.hswaw.net/q3k/prodvider:1596294699-1e1a4ddfc88008465aa38e4c037d2ba5d6ec8130",
|
||||
image: "registry.k0.hswaw.net/q3k/prodvider:1596298570-f3312ef77ed0db94e20944efc6395750072f54d5",
|
||||
|
||||
apiEndpoint: error "API endpoint must be set",
|
||||
|
||||
|
|
|
@ -15,11 +15,13 @@ import (
|
|||
pb "code.hackerspace.pl/hscloud/cluster/prodvider/proto"
|
||||
)
|
||||
|
||||
// hspkiSigner returns a cfssl signer (CA) for HSPKI, by loading the CA
|
||||
// cert/key from Kubernetes.
|
||||
func (p *prodvider) hspkiSigner() (*local.Signer, error) {
|
||||
policy := &config.Signing{
|
||||
Profiles: map[string]*config.SigningProfile{
|
||||
"client": &config.SigningProfile{
|
||||
Usage: []string{"signing", "key encipherment", "client auth"},
|
||||
"client-server": &config.SigningProfile{
|
||||
Usage: []string{"signing", "key encipherment", "server auth", "client auth"},
|
||||
ExpiryString: "30d",
|
||||
},
|
||||
},
|
||||
|
@ -44,6 +46,8 @@ func (p *prodvider) hspkiSigner() (*local.Signer, error) {
|
|||
return local.NewSigner(priv, parsedCa, signer.DefaultSigAlgo(priv), policy)
|
||||
}
|
||||
|
||||
// hspkiCreds returns a HSPKI certificate/key for an SSO user. The returned
|
||||
// certificate is valida for both server and client usage.
|
||||
func (p *prodvider) hspkiCreds(username string) (*pb.HSPKIKeys, error) {
|
||||
principal := fmt.Sprintf("%s.sso.hswaw.net", username)
|
||||
|
||||
|
@ -79,7 +83,7 @@ func (p *prodvider) hspkiCreds(username string) (*pb.HSPKIKeys, error) {
|
|||
signReq := signer.SignRequest{
|
||||
Hosts: []string{},
|
||||
Request: string(csrPEM),
|
||||
Profile: "client",
|
||||
Profile: "client-server",
|
||||
NotAfter: time.Now().Add(9 * time.Hour),
|
||||
}
|
||||
|
||||
|
|
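Review bot: With `"server auth"` now in the only signing profile, the names the new certificate may serve under are decided entirely by the sign request in the last hunk, and `Hosts: []string{}` there is a non-nil empty slice, which in cfssl's local signer replaces the CSR's SANs with nothing rather than passing them through, if I recall `signer.OverrideHosts` correctly, so the issued cert would carry no SAN at all. That is workable if HSPKI peers verify the CN-derived principal themselves, but any verifier relying on Go's standard hostname check (which ignores CN since 1.15) would reject it, and in either case the server identity is better pinned by the issuer than left to the CSR built in the elided lines: `Hosts: []string{principal},`. Dropping the `"client"` profile instead of adding `"client-server"` beside it also turns any other caller still signing with `Profile: "client"` into an unknown-profile error from cfssl; only hspkiCreds is updated here, so I would keep both profiles unless nothing else uses the old one. The new doc comment on hspkiCreds has a typo: `// certificate is valid for both server and client usage.` Both hspkiSigner and hspkiCreds continue outside the hunks, so the CA loading and CSR generation are not visible in this review.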