Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +02001package main
2
3import (
4 "crypto/tls"
5 "fmt"
6 "time"
7
8 "github.com/cloudflare/cfssl/csr"
9 "github.com/cloudflare/cfssl/signer"
10 "github.com/golang/glog"
11 "google.golang.org/grpc"
12 "google.golang.org/grpc/credentials"
13)
14
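// selfCreds bootstraps the TLS identity this prodvider instance presents on
// its gRPC listener and returns it as a grpc.ServerOption.
//
// It generates a fresh key and CSR for flagProdviderCN, has the prodvider CA
// (p.sign) issue a certificate for it, and serves that leaf together with the
// CA certificate as the chain. Every failure is fatal: without a certificate
// the server cannot come up, so we glog.Exitf rather than return an error.
//
// NOTE(review): ClientAuth is left at its default (no client certificate is
// requested), so peers are not authenticated at the TLS layer here; callers
// are presumably authenticated at the RPC layer — confirm.
func (p *prodvider) selfCreds() grpc.ServerOption {
	glog.Infof("Bootstrapping certificate for self (%q)...", flagProdviderCN)

	// Fresh key pair and CSR for our own name.
	csrPEM, keyPEM, err := p.makeSelfCSR()
	if err != nil {
		glog.Exitf("Could not generate key and CSR for self: %v", err)
	}

	// Have the CA sign it under the server profile.
	certPEM, err := p.makeSelfCertificate(csrPEM)
	if err != nil {
		glog.Exitf("Could not sign certificate for self: %v", err)
	}

	serverCert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		glog.Exitf("Could not use gRPC certificate: %v", err)
	}

	// Append the CA certificate so clients receive the full chain. The
	// signer lookup used to be unchecked, which turned a failure into a nil
	// dereference on .Raw; fail with a message instead.
	signerCert, err := p.sign.Certificate("", "")
	if err != nil || signerCert == nil {
		glog.Exitf("Could not load signer certificate for chain: %v", err)
	}
	serverCert.Certificate = append(serverCert.Certificate, signerCert.Raw)

	return grpc.Creds(credentials.NewTLS(&tls.Config{
		Certificates: []tls.Certificate{serverCert},
		// Refuse legacy protocol versions explicitly rather than relying on
		// the library default; gRPC (HTTP/2) requires TLS 1.2 or newer anyway.
		MinVersion: tls.VersionTLS12,
	}))
}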
42
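// makeSelfCSR generates a fresh RSA-4096 key and a CSR for this prodvider's
// own serving identity (CN = flagProdviderCN).
//
// The subject's C/ST/L/O/OU are copied from the signer (CA) certificate so
// the leaf visibly belongs to the same organisation. Returns the CSR and the
// private key, both PEM encoded.
//
// A failure to obtain the signer certificate is returned as an error (it was
// previously discarded, leaving a nil certificate to dereference), and subject
// attributes the CA does not carry are left empty instead of panicking on an
// out-of-range index — cfssl is expected to simply not populate an empty Name
// field; confirm against the cfssl version in use.
func (p *prodvider) makeSelfCSR() ([]byte, []byte, error) {
	signerCert, err := p.sign.Certificate("", "")
	if err != nil {
		return nil, nil, fmt.Errorf("getting signer certificate: %v", err)
	}
	if signerCert == nil {
		return nil, nil, fmt.Errorf("signer returned no certificate")
	}

	// x509 keeps each subject attribute as a list; take the first value, or ""
	// when the CA has none.
	first := func(vals []string) string {
		if len(vals) == 0 {
			return ""
		}
		return vals[0]
	}
	subj := signerCert.Subject

	req := &csr.CertificateRequest{
		CN: flagProdviderCN,
		KeyRequest: &csr.BasicKeyRequest{
			A: "rsa",
			S: 4096,
		},
		Names: []csr.Name{
			{
				C:  first(subj.Country),
				ST: first(subj.Province),
				L:  first(subj.Locality),
				O:  first(subj.Organization),
				OU: first(subj.OrganizationalUnit),
			},
		},
	}

	// cfssl's Generator requires a Validator; no extra constraints are imposed
	// here — what actually gets issued is bounded by the signer's profile.
	g := &csr.Generator{
		Validator: func(*csr.CertificateRequest) error { return nil },
	}
	return g.ProcessRequest(req)
}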
68
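// makeSelfCertificate asks the prodvider CA to sign csrPEM under the "server"
// profile and returns the issued certificate, PEM encoded.
//
// No SANs are requested (Hosts is empty), so the certificate identifies the
// server by its CN only. NOTE(review): Go clients from 1.15 on ignore the CN
// during hostname verification, so a peer doing standard verification would
// need a SAN here — confirm how clients of this endpoint validate it before
// relying on that.
func (p *prodvider) makeSelfCertificate(csrPEM []byte) ([]byte, error) {
	// The parameter was named `csr`, shadowing the imported cfssl csr package;
	// it is renamed so the package stays reachable and linters stay quiet.
	req := signer.SignRequest{
		Hosts:   []string{},
		Request: string(csrPEM),
		Profile: "server",
	}
	return p.sign.Sign(req)
}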
77
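// makeKubernetesCSR generates a fresh RSA-4096 key and a CSR for a Kubernetes
// client certificate identifying username (CN) within organisation o (O).
//
// C/ST/L are copied from the signer (CA) certificate; the OU records which
// user/organisation the certificate was minted for. Returns the CSR and the
// private key, both PEM encoded.
//
// NOTE(review): username and o are placed in the subject verbatim, and a
// subject of this shape is what Kubernetes typically reads as user and group.
// Nothing here validates either value, so callers are expected to have
// authenticated and authorised both before calling.
//
// A failure to obtain the signer certificate is returned as an error (it was
// previously discarded, leaving a nil certificate to dereference), and subject
// attributes the CA does not carry are left empty instead of panicking on an
// out-of-range index — cfssl is expected to simply not populate an empty Name
// field; confirm against the cfssl version in use.
func (p *prodvider) makeKubernetesCSR(username, o string) ([]byte, []byte, error) {
	signerCert, err := p.sign.Certificate("", "")
	if err != nil {
		return nil, nil, fmt.Errorf("getting signer certificate: %v", err)
	}
	if signerCert == nil {
		return nil, nil, fmt.Errorf("signer returned no certificate")
	}

	// x509 keeps each subject attribute as a list; take the first value, or ""
	// when the CA has none.
	first := func(vals []string) string {
		if len(vals) == 0 {
			return ""
		}
		return vals[0]
	}
	subj := signerCert.Subject

	req := &csr.CertificateRequest{
		CN: username,
		KeyRequest: &csr.BasicKeyRequest{
			A: "rsa",
			S: 4096,
		},
		Names: []csr.Name{
			{
				C:  first(subj.Country),
				ST: first(subj.Province),
				L:  first(subj.Locality),
				O:  o,
				OU: fmt.Sprintf("Prodvider Kubernetes Cert for %s/%s", username, o),
			},
		},
	}

	// cfssl's Generator requires a Validator; no extra constraints are imposed
	// here — what actually gets issued is bounded by the signer's profile.
	g := &csr.Generator{
		Validator: func(*csr.CertificateRequest) error { return nil },
	}
	return g.ProcessRequest(req)
}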
103
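// makeKubernetesCertificate asks the prodvider CA to sign csrPEM under the
// "client" profile with validity ending at notAfter, and returns the issued
// certificate, PEM encoded.
//
// notAfter is handed to the signer as-is; the effective expiry is whatever
// the CA derives from it and the profile's own limits (presumably the shorter
// of the two — confirm against the signer configuration). A zero notAfter is
// passed through unchanged rather than rejected here.
func (p *prodvider) makeKubernetesCertificate(csrPEM []byte, notAfter time.Time) ([]byte, error) {
	// The parameter was named `csr`, shadowing the imported cfssl csr package;
	// it is renamed so the package stays reachable and linters stay quiet.
	req := signer.SignRequest{
		Hosts:    []string{},
		Request:  string(csrPEM),
		Profile:  "client",
		NotAfter: notAfter,
	}
	return p.sign.Sign(req)
}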