*: developer machine HSPKI credentials
In addition to k8s certificates, prodaccess now issues HSPKI
certificates, with DN=$username.sso.hswaw.net. These are installed into
XDG_CONFIG_HOME (or os equiv).
//go/pki will now automatically attempt to load these certificates. This
means you can now run any pki-dependent tool with -hspki_disable, and
with automatic mTLS!
Change-Id: I5b28e193e7c968d621bab0d42aabd6f0510fed6d
diff --git a/cluster/prodaccess/hspki.go b/cluster/prodaccess/hspki.go
new file mode 100644
index 0000000..2fcfaf0
--- /dev/null
+++ b/cluster/prodaccess/hspki.go
@@ -0,0 +1,33 @@
+package main
+
+import (
+ "io/ioutil"
+ "os"
+
+ "github.com/golang/glog"
+
+ pb "code.hackerspace.pl/hscloud/cluster/prodvider/proto"
+ "code.hackerspace.pl/hscloud/go/pki"
+)
+
+func useHSPKIKeys(keys *pb.HSPKIKeys) {
+ path, err := pki.DeveloperCredentialsLocation()
+ err = os.MkdirAll(path, 0700)
+ if err != nil {
+ glog.Exitf("mkdir %q: %v", path, err)
+ }
+
+ for _, el := range []struct {
+ target string
+ data []byte
+ }{
+ {path + "/ca.crt", keys.Ca},
+ {path + "/tls.crt", keys.Cert},
+ {path + "/tls.key", keys.Key},
+ } {
+ err := ioutil.WriteFile(el.target, el.data, 400)
+ if err != nil {
+ glog.Exitf("Failed to write %q: %v", el.target, err)
+ }
+ }
+}
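Review bot: The mode passed to `ioutil.WriteFile` is decimal `400`, which is octal 0620 (owner read/write, group write), so `tls.key` is not created owner-only and can end up group-writable depending on the umask. Use `0600` rather than `0400`: WriteFile opens an existing file for writing, so a read-only key left by a previous run would make the next run fail. Because the mode is only applied when the file is created, an explicit `os.Chmod(el.target, 0600)` after the write would also tighten files that already exist with looser permissions. Separately, the error returned by `pki.DeveloperCredentialsLocation()` is overwritten by the `os.MkdirAll` call before it is checked; add `if err != nil { glog.Exitf("DeveloperCredentialsLocation: %v", err) }` before the mkdir so a bad or empty path is not used.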