Sergiusz Bazanskib13b7ff2019-08-29 20:12:24 +02001package main
2
3import (
4 "crypto/tls"
5 "fmt"
6 "time"
7
8 "github.com/cloudflare/cfssl/csr"
9 "github.com/cloudflare/cfssl/signer"
10 "github.com/golang/glog"
11 "google.golang.org/grpc"
12 "google.golang.org/grpc/credentials"
13)
14
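// selfCreds builds the gRPC transport credentials prodvider serves with:
// it generates a fresh key and CSR for flagProdviderCN, has the embedded
// signer issue a "server" certificate for it, and returns that certificate
// (with the signer's certificate appended to the presented chain) as a
// grpc.ServerOption.
//
// Every failure is fatal: the process exits through glog.Exitf, which is how
// the other bootstrap steps in this function already behave.
func (p *prodvider) selfCreds() grpc.ServerOption {
	glog.Infof("Bootstrapping certificate for self (%q)...", flagProdviderCN)

	// Create a key and CSR.
	csrPEM, keyPEM, err := p.makeSelfCSR()
	if err != nil {
		glog.Exitf("Could not generate key and CSR for self: %v", err)
	}

	// Create a cert
	certPEM, err := p.makeSelfCertificate(csrPEM)
	if err != nil {
		glog.Exitf("Could not sign certificate for self: %v", err)
	}

	serverCert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		glog.Exitf("Could not use gRPC certificate: %v", err)
	}

	// The signer's certificate is appended to the chain so peers that only
	// trust the root can still build a path. The error was previously
	// discarded, which would dereference a nil certificate on the Raw access
	// below; fail loudly instead.
	signerCert, err := p.sign.Certificate("", "")
	if err != nil {
		glog.Exitf("Could not load signer certificate: %v", err)
	}
	if signerCert == nil {
		glog.Exitf("Signer returned no certificate")
	}
	serverCert.Certificate = append(serverCert.Certificate, signerCert.Raw)

	// NOTE(review): no ClientAuth is configured here, so any client identity
	// must be established elsewhere in the server setup — confirm.
	return grpc.Creds(credentials.NewTLS(&tls.Config{
		Certificates: []tls.Certificate{serverCert},
		// Pin the floor explicitly rather than relying on the toolchain's
		// default; pre-1.2 protocol versions are not accepted.
		MinVersion: tls.VersionTLS12,
	}))
}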
42
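// makeSelfCSR generates a 4096-bit RSA key and a CSR for prodvider's own
// identity (CN and SAN host both flagProdviderCN). The subject's C/ST/L/O/OU
// are copied from the embedded signer's certificate so the issued certificate
// carries the same naming as the CA.
//
// It returns the PEM-encoded CSR, the PEM-encoded private key, and an error
// if the signer certificate cannot be loaded or CSR generation fails.
func (p *prodvider) makeSelfCSR() ([]byte, []byte, error) {
	signerCert, err := p.sign.Certificate("", "")
	if err != nil {
		return nil, nil, fmt.Errorf("loading signer certificate: %w", err)
	}
	if signerCert == nil {
		return nil, nil, fmt.Errorf("signer returned no certificate")
	}

	// x509 subject attributes are multi-valued. The previous version indexed
	// [0] unconditionally and would panic on a CA certificate that omits one
	// of them; fall back to an empty value, which cfssl leaves out of the CSR.
	first := func(vals []string) string {
		if len(vals) == 0 {
			return ""
		}
		return vals[0]
	}
	subj := signerCert.Subject

	req := &csr.CertificateRequest{
		CN: flagProdviderCN,
		KeyRequest: &csr.BasicKeyRequest{
			A: "rsa",
			S: 4096,
		},
		Names: []csr.Name{
			{
				C:  first(subj.Country),
				ST: first(subj.Province),
				L:  first(subj.Locality),
				O:  first(subj.Organization),
				OU: first(subj.OrganizationalUnit),
			},
		},
		Hosts: []string{flagProdviderCN},
	}

	// csr.Generator needs a non-nil Validator. Every request field above is
	// built locally (from the CA certificate and a flag), so no additional
	// validation is applied.
	g := &csr.Generator{
		Validator: func(*csr.CertificateRequest) error { return nil },
	}

	return g.ProcessRequest(req)
}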
69
// makeSelfCertificate asks the embedded signer to issue a certificate for the
// given PEM-encoded CSR under the "server" profile, with flagProdviderCN as
// the only SAN host. It returns the PEM-encoded certificate, or the signer's
// error.
func (p *prodvider) makeSelfCertificate(csr []byte) ([]byte, error) {
	// The parameter shadows the imported csr package inside this function;
	// the package is not needed here, so that is harmless.
	hosts := []string{flagProdviderCN}

	var req signer.SignRequest
	req.Hosts = hosts
	req.Request = string(csr)
	req.Profile = "server"

	return p.sign.Sign(req)
}
78
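// makeKubernetesCSR generates a 4096-bit RSA key and a CSR for a Kubernetes
// client identity: CN is username, O is o, and OU records both. The subject's
// C/ST/L are copied from the embedded signer's certificate.
//
// NOTE(review): username and o are embedded verbatim into the CN, O and OU;
// whether callers validate them before reaching this function is not visible
// here — confirm at the call site.
//
// It returns the PEM-encoded CSR, the PEM-encoded private key, and an error
// if the signer certificate cannot be loaded or CSR generation fails.
func (p *prodvider) makeKubernetesCSR(username, o string) ([]byte, []byte, error) {
	signerCert, err := p.sign.Certificate("", "")
	if err != nil {
		return nil, nil, fmt.Errorf("loading signer certificate: %w", err)
	}
	if signerCert == nil {
		return nil, nil, fmt.Errorf("signer returned no certificate")
	}

	// x509 subject attributes are multi-valued. The previous version indexed
	// [0] unconditionally and would panic on a CA certificate that omits one
	// of them; fall back to an empty value, which cfssl leaves out of the CSR.
	first := func(vals []string) string {
		if len(vals) == 0 {
			return ""
		}
		return vals[0]
	}
	subj := signerCert.Subject

	req := &csr.CertificateRequest{
		CN: username,
		KeyRequest: &csr.BasicKeyRequest{
			A: "rsa",
			S: 4096,
		},
		Names: []csr.Name{
			{
				C:  first(subj.Country),
				ST: first(subj.Province),
				L:  first(subj.Locality),
				O:  o,
				OU: fmt.Sprintf("Prodvider Kubernetes Cert for %s/%s", username, o),
			},
		},
	}

	// csr.Generator needs a non-nil Validator; a permissive one is used here,
	// as in the original, so any checks on username/o must happen upstream.
	g := &csr.Generator{
		Validator: func(*csr.CertificateRequest) error { return nil },
	}

	return g.ProcessRequest(req)
}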
104
// makeKubernetesCertificate signs the given PEM-encoded CSR under the
// "client" profile with the requested expiry and returns the PEM-encoded
// certificate, or the signer's error.
//
// Hosts is an explicit empty (non-nil) slice, kept exactly as the original
// wrote it; whether the signer distinguishes nil from empty is not visible
// here, so it is deliberately not changed.
func (p *prodvider) makeKubernetesCertificate(csr []byte, notAfter time.Time) ([]byte, error) {
	var req signer.SignRequest
	req.Hosts = []string{}
	req.Request = string(csr)
	req.Profile = "client"
	req.NotAfter = notAfter

	return p.sign.Sign(req)
}