cluster/prodvider: rewrite against x509 lib for ed25519 support
This gets rid of cfssl for the kubernetes bits of prodvider, instead
using plain crypto/x509. This also allows us to support our new fancy
ED25519 CA.
Change-Id: If677b3f4523014f56ea802b87499d1c0eb6d92e9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1489
Reviewed-by: q3k <q3k@hackerspace.pl>
diff --git a/cluster/prodvider/kubernetes.go b/cluster/prodvider/kubernetes.go
index d7ad535..4f73ce4 100644
--- a/cluster/prodvider/kubernetes.go
+++ b/cluster/prodvider/kubernetes.go
@@ -2,7 +2,6 @@
import (
"context"
- "encoding/pem"
"fmt"
"time"
@@ -19,62 +18,46 @@
func (p *prodvider) kubernetesCreds(username string) (*pb.KubernetesKeys, error) {
o := fmt.Sprintf("sso:%s", username)
+ email := username + "@hackerspace.pl"
- csrPEM, keyPEM, err := p.makeKubernetesCSR(username+"@hackerspace.pl", o)
+ keyRaw, certBytes, err := p.makeKubernetesCertificate(email, o, time.Now().Add(13*time.Hour))
if err != nil {
return nil, err
}
- certPEM, err := p.makeKubernetesCertificate(csrPEM, time.Now().Add(13*time.Hour))
- if err != nil {
- return nil, err
- }
-
- caCert, _ := p.sign.Certificate("", "")
- caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caCert.Raw})
-
// Build certificate chain from new cert and intermediate CA.
- chainPEM := append(certPEM, caPEM...)
+ chainPEM := append(serializeCert(certBytes), serializeCert(p.intermediateCACert.Raw)...)
glog.Infof("Generated k8s certificate for %q", username)
return &pb.KubernetesKeys{
Cluster: "k0.hswaw.net",
// APIServerCA
- Ca: p.kubeCAPEM,
+ Ca: serializeCert(p.kubeCACert.Raw),
// Chain of new cert + intermediate CA
Cert: chainPEM,
- Key: keyPEM,
+ Key: serializeKey(keyRaw),
}, nil
}
func (p *prodvider) kubernetesConnect() error {
- csrPEM, keyPEM, err := p.makeKubernetesCSR("prodvider", "system:masters")
+ keyRaw, certBytes, err := p.makeKubernetesCertificate("prodvider", "system:masters", time.Now().Add(30*24*time.Hour))
if err != nil {
return err
}
- certPEM, err := p.makeKubernetesCertificate(csrPEM, time.Now().Add(30*24*time.Hour))
- if err != nil {
- return err
- }
-
- caCert, _ := p.sign.Certificate("", "")
-
- caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caCert.Raw})
-
glog.Infof("Generated k8s certificate for self (system:masters)")
// Build certificate chain from our cert and intermediate CA.
- chainPEM := append(certPEM, caPEM...)
+ chainPEM := append(serializeCert(certBytes), serializeCert(p.intermediateCACert.Raw)...)
config := &rest.Config{
Host: flagKubernetesHost,
TLSClientConfig: rest.TLSClientConfig{
// Chain to authenticate ourselves (us + intermediate CA).
CertData: chainPEM,
- KeyData: keyPEM,
+ KeyData: serializeKey(keyRaw),
// APIServer CA for verification.
- CAData: p.kubeCAPEM,
+ CAData: serializeCert(p.kubeCACert.Raw),
},
}