diff --git a/cluster/kube/lib/prodvider.libsonnet b/cluster/kube/lib/prodvider.libsonnet
index 3890f5ad..8eaa8347 100644
--- a/cluster/kube/lib/prodvider.libsonnet
+++ b/cluster/kube/lib/prodvider.libsonnet
@@ -9,7 +9,7 @@ local kube = import "../../../kube/kube.libsonnet";
 cfg:: {
 namespace: "prodvider",
- image: "registry.k0.hswaw.net/q3k/prodvider:1596294699-1e1a4ddfc88008465aa38e4c037d2ba5d6ec8130",
+ image: "registry.k0.hswaw.net/q3k/prodvider:1596298570-f3312ef77ed0db94e20944efc6395750072f54d5",
 apiEndpoint: error "API endpoint must be set",
diff --git a/cluster/prodvider/hspki.go b/cluster/prodvider/hspki.go
index 243a4241..e747889c 100644
--- a/cluster/prodvider/hspki.go
+++ b/cluster/prodvider/hspki.go
@@ -15,11 +15,13 @@ import (
 pb "code.hackerspace.pl/hscloud/cluster/prodvider/proto"
 )
+// hspkiSigner returns a cfssl signer (CA) for HSPKI, by loading the CA
+// cert/key from Kubernetes.
 func (p *prodvider) hspkiSigner() (*local.Signer, error) {
 policy := &config.Signing{
 Profiles: map[string]*config.SigningProfile{
- "client": &config.SigningProfile{
- Usage: []string{"signing", "key encipherment", "client auth"},
+ "client-server": &config.SigningProfile{
+ Usage: []string{"signing", "key encipherment", "server auth", "client auth"},
 ExpiryString: "30d",
 },
 },
@@ -44,6 +46,8 @@ func (p *prodvider) hspkiSigner() (*local.Signer, error) {
 return local.NewSigner(priv, parsedCa, signer.DefaultSigAlgo(priv), policy)
 }
+// hspkiCreds returns a HSPKI certificate/key for an SSO user. The returned
+// certificate is valida for both server and client usage.
 func (p *prodvider) hspkiCreds(username string) (*pb.HSPKIKeys, error) {
 principal := fmt.Sprintf("%s.sso.hswaw.net", username)
@@ -79,7 +83,7 @@ func (p *prodvider) hspkiCreds(username string) (*pb.HSPKIKeys, error) {
 signReq := signer.SignRequest{
 Hosts: []string{},
 Request: string(csrPEM),
- Profile: "client",
+ Profile: "client-server",
 NotAfter: time.Now().Add(9 * time.Hour),
 }
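Review bot: The only profile this signer offers now carries `server auth`, and it is the profile hspkiCreds signs per-user SSO certificates with (later hunk, with an empty `Hosts` list), so every SSO user ends up holding a CA-trusted certificate usable as a TLS server credential for their `<username>.sso.hswaw.net` principal; whether that is acceptable depends on relying parties binding the peer to that principal rather than merely checking the chain, which HSPKI presumably does but the commit does not say. Because the sign request lists no hosts, the issued certificate has no DNS SANs, and Go's crypto/x509 no longer matches the CN against a hostname (since 1.15), so the server usage is only meaningful with a verifier that performs its own principal check — worth stating so nobody later points a plain `tls.Config` at it. Consider keeping the narrower `client` profile alongside the new one so the widening is opt-in per call site, and recording the rationale in the new doc comment, e.g. `// The profile grants server auth on purpose: HSPKI peers authenticate each other by principal, not by hostname SAN.`. hspkiSigner's body continues outside the hunk.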
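Review bot: The new doc comment on hspkiCreds has a typo, `valida` should be `valid`, and it would serve callers better if it also named the identity and lifetime they receive: the certificate is issued for the principal `<username>.sso.hswaw.net`, and, if cfssl honours the request's explicit `NotAfter` as it does when set, it expires after 9 hours rather than the profile's 30d `ExpiryString` (both visible in the later hunk). Suggested wording: `// hspkiCreds returns a HSPKI certificate/key for an SSO user, issued for the principal <username>.sso.hswaw.net and valid for both server and client usage.` hspkiCreds's body continues outside the hunk.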