cluster/prodvider/certs.go - hscloud - Gitiles

 package main

 import (
 	"crypto/tls"
 	"fmt"
 	"time"

 	"github.com/cloudflare/cfssl/csr"
 	"github.com/cloudflare/cfssl/signer"
 	"github.com/golang/glog"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 )

 func (p *prodvider) selfCreds() grpc.ServerOption {
 	glog.Infof("Bootstrapping certificate for self (%q)...", flagProdviderCN)

 	// Create a key and CSR.
 	csrPEM, keyPEM, err := p.makeSelfCSR()
 	if err != nil {
 		glog.Exitf("Could not generate key and CSR for self: %v", err)
 	}

 	// Create a cert
 	certPEM, err := p.makeSelfCertificate(csrPEM)
 	if err != nil {
 		glog.Exitf("Could not sign certificate for self: %v", err)
 	}

 	serverCert, err := tls.X509KeyPair(certPEM, keyPEM)
 	if err != nil {
 		glog.Exitf("Could not use gRPC certificate: %v", err)
 	}

 	signerCert, _ := p.sign.Certificate("", "")
 	serverCert.Certificate = append(serverCert.Certificate, signerCert.Raw)

 	return grpc.Creds(credentials.NewTLS(&tls.Config{
 		Certificates: []tls.Certificate{serverCert},
 	}))
 }

 func (p *prodvider) makeSelfCSR() ([]byte, []byte, error) {
 	signerCert, _ := p.sign.Certificate("", "")
 	req := &csr.CertificateRequest{
 		CN: flagProdviderCN,
 		KeyRequest: &csr.BasicKeyRequest{
 			A: "rsa",
 			S: 4096,
 		},
 		Names: []csr.Name{
 			{
 				C:  signerCert.Subject.Country[0],
 				ST: signerCert.Subject.Province[0],
 				L:  signerCert.Subject.Locality[0],
 				O:  signerCert.Subject.Organization[0],
 				OU: signerCert.Subject.OrganizationalUnit[0],
 			},
 		},
 		Hosts: []string{flagProdviderCN},
 	}

 	g := &csr.Generator{
 		Validator: func(req *csr.CertificateRequest) error { return nil },
 	}

 	return g.ProcessRequest(req)
 }

 func (p *prodvider) makeSelfCertificate(csr []byte) ([]byte, error) {
 	req := signer.SignRequest{
 		Hosts:   []string{flagProdviderCN},
 		Request: string(csr),
 		Profile: "server",
 	}
 	return p.sign.Sign(req)
 }

 func (p *prodvider) makeKubernetesCSR(username, o string) ([]byte, []byte, error) {
 	signerCert, _ := p.sign.Certificate("", "")
 	req := &csr.CertificateRequest{
 		CN: username,
 		KeyRequest: &csr.BasicKeyRequest{
 			A: "rsa",
 			S: 4096,
 		},
 		Names: []csr.Name{
 			{
 				C:  signerCert.Subject.Country[0],
 				ST: signerCert.Subject.Province[0],
 				L:  signerCert.Subject.Locality[0],
 				O:  o,
 				OU: fmt.Sprintf("Prodvider Kubernetes Cert for %s/%s", username, o),
 			},
 		},
 	}

 	g := &csr.Generator{
 		Validator: func(req *csr.CertificateRequest) error { return nil },
 	}

 	return g.ProcessRequest(req)
 }

 func (p *prodvider) makeKubernetesCertificate(csr []byte, notAfter time.Time) ([]byte, error) {
 	req := signer.SignRequest{
 		Hosts:    []string{},
 		Request:  string(csr),
 		Profile:  "client",
 		NotAfter: notAfter,
 	}
 	return p.sign.Sign(req)
 }
	package main

	import (
	"crypto/tls"
	"fmt"
	"time"

	"github.com/cloudflare/cfssl/csr"
	"github.com/cloudflare/cfssl/signer"
	"github.com/golang/glog"
	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"
	)

	func (p *prodvider) selfCreds() grpc.ServerOption {
	glog.Infof("Bootstrapping certificate for self (%q)...", flagProdviderCN)

	// Create a key and CSR.
	csrPEM, keyPEM, err := p.makeSelfCSR()
	if err != nil {
	glog.Exitf("Could not generate key and CSR for self: %v", err)
	}

	// Create a cert
	certPEM, err := p.makeSelfCertificate(csrPEM)
	if err != nil {
	glog.Exitf("Could not sign certificate for self: %v", err)
	}

	serverCert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
	glog.Exitf("Could not use gRPC certificate: %v", err)
	}

	signerCert, _ := p.sign.Certificate("", "")
	serverCert.Certificate = append(serverCert.Certificate, signerCert.Raw)

	return grpc.Creds(credentials.NewTLS(&tls.Config{
	Certificates: []tls.Certificate{serverCert},
	}))
	}

	func (p *prodvider) makeSelfCSR() ([]byte, []byte, error) {
	signerCert, _ := p.sign.Certificate("", "")
	req := &csr.CertificateRequest{
	CN: flagProdviderCN,
	KeyRequest: &csr.BasicKeyRequest{
	A: "rsa",
	S: 4096,
	},
	Names: []csr.Name{
	{
	C: signerCert.Subject.Country[0],
	ST: signerCert.Subject.Province[0],
	L: signerCert.Subject.Locality[0],
	O: signerCert.Subject.Organization[0],
	OU: signerCert.Subject.OrganizationalUnit[0],
	},
	},
	Hosts: []string{flagProdviderCN},
	}

	g := &csr.Generator{
	Validator: func(req *csr.CertificateRequest) error { return nil },
	}

	return g.ProcessRequest(req)
	}

	func (p *prodvider) makeSelfCertificate(csr []byte) ([]byte, error) {
	req := signer.SignRequest{
	Hosts: []string{flagProdviderCN},
	Request: string(csr),
	Profile: "server",
	}
	return p.sign.Sign(req)
	}

	func (p *prodvider) makeKubernetesCSR(username, o string) ([]byte, []byte, error) {
	signerCert, _ := p.sign.Certificate("", "")
	req := &csr.CertificateRequest{
	CN: username,
	KeyRequest: &csr.BasicKeyRequest{
	A: "rsa",
	S: 4096,
	},
	Names: []csr.Name{
	{
	C: signerCert.Subject.Country[0],
	ST: signerCert.Subject.Province[0],
	L: signerCert.Subject.Locality[0],
	O: o,
	OU: fmt.Sprintf("Prodvider Kubernetes Cert for %s/%s", username, o),
	},
	},
	}

	g := &csr.Generator{
	Validator: func(req *csr.CertificateRequest) error { return nil },
	}

	return g.ProcessRequest(req)
	}

	func (p *prodvider) makeKubernetesCertificate(csr []byte, notAfter time.Time) ([]byte, error) {
	req := signer.SignRequest{
	Hosts: []string{},
	Request: string(csr),
	Profile: "client",
	NotAfter: notAfter,
	}
	return p.sign.Sign(req)
	}