*: developer machine HSPKI credentials

In addition to k8s certificates, prodaccess now issues HSPKI
certificates, with DN=$username.sso.hswaw.net. These are installed into
XDG_CONFIG_HOME (or os equiv).

//go/pki will now automatically attempt to load these certificates. This
means you can now run any pki-dependent tool with -hspki_disable, and
with automatic mTLS!

Change-Id: I5b28e193e7c968d621bab0d42aabd6f0510fed6d
diff --git a/cluster/prodaccess/BUILD.bazel b/cluster/prodaccess/BUILD.bazel
index 5124ffc..6c72082 100644
--- a/cluster/prodaccess/BUILD.bazel
+++ b/cluster/prodaccess/BUILD.bazel
@@ -3,6 +3,7 @@
 go_library(
     name = "go_default_library",
     srcs = [
+        "hspki.go",
         "kubernetes.go",
         "prodaccess.go",
     ],
@@ -11,6 +12,7 @@
     deps = [
         "//cluster/certs:go_default_library",
         "//cluster/prodvider/proto:go_default_library",
+        "//go/pki:go_default_library",
         "@com_github_golang_glog//:go_default_library",
         "@org_golang_google_grpc//:go_default_library",
         "@org_golang_google_grpc//credentials:go_default_library",
diff --git a/cluster/prodaccess/hspki.go b/cluster/prodaccess/hspki.go
new file mode 100644
index 0000000..2fcfaf0
--- /dev/null
+++ b/cluster/prodaccess/hspki.go
@@ -0,0 +1,33 @@
+package main
+
+import (
+	"io/ioutil"
+	"os"
+
+	"github.com/golang/glog"
+
+	pb "code.hackerspace.pl/hscloud/cluster/prodvider/proto"
+	"code.hackerspace.pl/hscloud/go/pki"
+)
+
+func useHSPKIKeys(keys *pb.HSPKIKeys) {
+	path, err := pki.DeveloperCredentialsLocation()
+	err = os.MkdirAll(path, 0700)
+	if err != nil {
+		glog.Exitf("mkdir %q: %v", path, err)
+	}
+
+	for _, el := range []struct {
+		target string
+		data   []byte
+	}{
+		{path + "/ca.crt", keys.Ca},
+		{path + "/tls.crt", keys.Cert},
+		{path + "/tls.key", keys.Key},
+	} {
+		err := ioutil.WriteFile(el.target, el.data, 400)
+		if err != nil {
+			glog.Exitf("Failed to write %q: %v", el.target, err)
+		}
+	}
+}
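Review bot: The mode passed to `ioutil.WriteFile` is the decimal literal `400`, which is octal 0620, so a newly created `tls.key` is requested as owner read/write plus group-writable (before umask) rather than owner-only. Writing `err := ioutil.WriteFile(el.target, el.data, 0600)` gives the intended owner-only mode, whereas `0400` would make the next prodaccess run fail when it reopens the existing file for writing. Because WriteFile applies the mode only when it creates the file, an `os.Chmod(el.target, 0600)` after the write would also tighten files left by an earlier run. Separately, the error from `pki.DeveloperCredentialsLocation()` is overwritten by the `os.MkdirAll` result without being checked; add `if err != nil { glog.Exitf("developer credentials location: %v", err) }` before the mkdir.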
diff --git a/cluster/prodaccess/prodaccess.go b/cluster/prodaccess/prodaccess.go
index e0e8ec2..1153bab 100644
--- a/cluster/prodaccess/prodaccess.go
+++ b/cluster/prodaccess/prodaccess.go
@@ -99,6 +99,9 @@
 	}
 
 	useKubernetesKeys(res.KubernetesKeys)
+	fmt.Printf("-> Kubernetes credentials installed\n")
+	useHSPKIKeys(res.HspkiKeys)
+	fmt.Printf("-> HSPKI credentials installed\n")
 
 	return true
 }
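Review bot: `res.HspkiKeys` is passed to `useHSPKIKeys` without a nil check, and that function reads `keys.Ca`, `keys.Cert` and `keys.Key` as direct fields. A response that omits the message (for example from a prodvider that predates this change, which is not visible here) would therefore panic after the Kubernetes credentials were already installed. Guard it with `if res.HspkiKeys == nil { glog.Exitf("prodvider returned no HSPKI keys") }`, or skip the step with a warning. The enclosing function starts outside this hunk, so earlier validation of `res` may already exist.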