commit b13b7ffcdb3d37022d4cad4603b9bdacc6c54936
author Sergiusz Bazanski <q3k@hackerspace.pl> Thu Aug 29 20:12:24 2019 +0200
committer Sergiusz Bazanski <q3k@hackerspace.pl> Fri Aug 30 23:08:18 2019 +0200
tree fa2309b04edc36fe855f9e344dae4a91ef376add
parent d16454badc639bcec7ab4b54e7fe6a897b6052af

prod{access,vider}: implement

Prodaccess/Prodvider allow issuing short-lived certificates for all SSO
users to access the kubernetes cluster.

Currently, all users get a personal-$username namespace in which they
have adminitrative rights. Otherwise, they get no access.

In addition, we define a static CRB to allow some admins access to
everything. In the future, this will be more granular.

We also update relevant documentation.

Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153

cluster/clustercfg/ca.py

diff --git a/cluster/clustercfg/ca.py b/cluster/clustercfg/ca.py
index 4d359c7..9ed2053 100644
--- a/cluster/clustercfg/ca.py
+++ b/cluster/clustercfg/ca.py
@@ -4,6 +4,7 @@
 import os
 from six import StringIO
 import subprocess
+import tempfile
 
 
 logger = logging.getLogger(__name__)
@@ -32,6 +33,20 @@
       "expiry": "168h"
     },
     "profiles": {
+      "intermediate": {
+        "expiry": "8760h",
+        "usages": [
+          "signing",
+          "key encipherment",
+          "cert sign",
+          "crl sign",
+          "server auth",
+          "client auth",
+        ],
+        "ca_constraint": {
+          "is_ca": True,
+        },
+      },
       "server": {
         "expiry": "8760h",
         "usages": [
@@ -156,12 +171,17 @@
 
         return key, csr
 
-    def sign(self, csr, save=None):
+    def sign(self, csr, save=None, profile='client-server'):
         logging.info("{}: Signing CSR".format(self))
         ca = self._cert
         cakey = self.ss.plaintext(self._secret_key)
+
+        config = tempfile.NamedTemporaryFile(mode='w')
+        json.dump(_ca_config, config)
+        config.flush()
+
         out = self._cfssl_call(['sign', '-ca=' + ca, '-ca-key=' + cakey,
-                                '-profile=client-server', '-'], stdin=csr)
+                                '-profile='+profile, '-config='+config.name, '-'], stdin=csr)
         cert = out['cert']
         if save is not None:
             name = os.path.join(self.cdir, save)
@@ -170,6 +190,7 @@
             f.write(cert)
             f.close()
 
+        config.close()
         return cert
 
     def upload(self, c, remote_cert):
@@ -181,7 +202,7 @@
 
 
 class ManagedCertificate(object):
-    def __init__(self, ca, name, hosts, o=None, ou=None):
+    def __init__(self, ca, name, hosts, o=None, ou=None, profile='client-server'):
         self.ca = ca
 
         self.hosts = hosts
@@ -190,6 +211,7 @@
         self.cert = '{}.cert'.format(name)
         self.o = o
         self.ou = ou
+        self.profile = profile
 
         self.ensure()
 
@@ -230,7 +252,7 @@
 
         logger.info("{}: Generating...".format(self))
         key, csr = self.ca.gen_key(self.hosts, o=self.o, ou=self.ou, save=self.key)
-        self.ca.sign(csr, save=self.cert)
+        self.ca.sign(csr, save=self.cert, profile=self.profile)
 
     def upload(self, c, remote_cert, remote_key, concat_ca=False):
         logger.info("Uploading Cert {} to {} & {}".format(self, remote_cert, remote_key))