cluster/prodvider: rewrite against x509 lib for ed25519 support

This gets rid of cfssl for the kubernetes bits of prodvider, instead
using plain crypto/x509. This also allows us to support our new fancy
ED25519 CA.

Change-Id: If677b3f4523014f56ea802b87499d1c0eb6d92e9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1489
Reviewed-by: q3k <q3k@hackerspace.pl>
diff --git a/cluster/prodvider/kubernetes.go b/cluster/prodvider/kubernetes.go
index d7ad535..4f73ce4 100644
--- a/cluster/prodvider/kubernetes.go
+++ b/cluster/prodvider/kubernetes.go
@@ -2,7 +2,6 @@
 
 import (
 	"context"
-	"encoding/pem"
 	"fmt"
 	"time"
 
@@ -19,62 +18,46 @@
 
 func (p *prodvider) kubernetesCreds(username string) (*pb.KubernetesKeys, error) {
 	o := fmt.Sprintf("sso:%s", username)
+	email := username + "@hackerspace.pl"
 
-	csrPEM, keyPEM, err := p.makeKubernetesCSR(username+"@hackerspace.pl", o)
+	keyRaw, certBytes, err := p.makeKubernetesCertificate(email, o, time.Now().Add(13*time.Hour))
 	if err != nil {
 		return nil, err
 	}
 
-	certPEM, err := p.makeKubernetesCertificate(csrPEM, time.Now().Add(13*time.Hour))
-	if err != nil {
-		return nil, err
-	}
-
-	caCert, _ := p.sign.Certificate("", "")
-	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caCert.Raw})
-
 	// Build certificate chain from new cert and intermediate CA.
-	chainPEM := append(certPEM, caPEM...)
+	chainPEM := append(serializeCert(certBytes), serializeCert(p.intermediateCACert.Raw)...)
 
 	glog.Infof("Generated k8s certificate for %q", username)
 	return &pb.KubernetesKeys{
 		Cluster: "k0.hswaw.net",
 		// APIServerCA
-		Ca: p.kubeCAPEM,
+		Ca: serializeCert(p.kubeCACert.Raw),
 		// Chain of new cert + intermediate CA
 		Cert: chainPEM,
-		Key:  keyPEM,
+		Key:  serializeKey(keyRaw),
 	}, nil
 }
 
 func (p *prodvider) kubernetesConnect() error {
-	csrPEM, keyPEM, err := p.makeKubernetesCSR("prodvider", "system:masters")
+	keyRaw, certBytes, err := p.makeKubernetesCertificate("prodvider", "system:masters", time.Now().Add(30*24*time.Hour))
 	if err != nil {
 		return err
 	}
 
-	certPEM, err := p.makeKubernetesCertificate(csrPEM, time.Now().Add(30*24*time.Hour))
-	if err != nil {
-		return err
-	}
-
-	caCert, _ := p.sign.Certificate("", "")
-
-	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caCert.Raw})
-
 	glog.Infof("Generated k8s certificate for self (system:masters)")
 
 	// Build certificate chain from our cert and intermediate CA.
-	chainPEM := append(certPEM, caPEM...)
+	chainPEM := append(serializeCert(certBytes), serializeCert(p.intermediateCACert.Raw)...)
 
 	config := &rest.Config{
 		Host: flagKubernetesHost,
 		TLSClientConfig: rest.TLSClientConfig{
 			// Chain to authenticate ourselves (us + intermediate CA).
 			CertData: chainPEM,
-			KeyData:  keyPEM,
+			KeyData:  serializeKey(keyRaw),
 			// APIServer CA for verification.
-			CAData: p.kubeCAPEM,
+			CAData: serializeCert(p.kubeCACert.Raw),
 		},
 	}
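Review bot: In kubernetesCreds the `"sso:"` prefix on `o` is the only visible thing separating user certificates from privileged groups, and nothing documents it. The same makeKubernetesCertificate helper is called with `"system:masters"` in kubernetesConnect, and its second argument presumably ends up in the certificate's O field, which Kubernetes reads as the group. I would add above `o := fmt.Sprintf("sso:%s", username)` the comment `// The "sso:" prefix keeps user-issued certs out of built-in groups such as system:masters; never pass a caller-controlled organization unprefixed.` Whether `username` is validated before it reaches this function is not visible in the hunk, so that is worth confirming at the caller. kubernetesConnect's body continues past the end of the hunk.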