Blame - cluster/prodvider/certs.go - hscloud

blob: 309af1f7d8934650340f8bcd62452a2d1ee5c9ad [file] [log] [blame]

Sergiusz Bazanski	b13b7ff	2019-08-29 20:12:24 +0200	[diff] [blame]	1	package main
				2
				3	import (
				4	"crypto/tls"
				5	"fmt"
				6	"time"
				7
				8	"github.com/cloudflare/cfssl/csr"
				9	"github.com/cloudflare/cfssl/signer"
				10	"github.com/golang/glog"
				11	"google.golang.org/grpc"
				12	"google.golang.org/grpc/credentials"
				13	)
				14
				15	func (p *prodvider) selfCreds() grpc.ServerOption {
				16	glog.Infof("Bootstrapping certificate for self (%q)...", flagProdviderCN)
				17
				18	// Create a key and CSR.
				19	csrPEM, keyPEM, err := p.makeSelfCSR()
				20	if err != nil {
				21	glog.Exitf("Could not generate key and CSR for self: %v", err)
				22	}
				23
				24	// Create a cert
				25	certPEM, err := p.makeSelfCertificate(csrPEM)
				26	if err != nil {
				27	glog.Exitf("Could not sign certificate for self: %v", err)
				28	}
				29
				30	serverCert, err := tls.X509KeyPair(certPEM, keyPEM)
				31	if err != nil {
				32	glog.Exitf("Could not use gRPC certificate: %v", err)
				33	}
				34
				35	signerCert, _ := p.sign.Certificate("", "")
				36	serverCert.Certificate = append(serverCert.Certificate, signerCert.Raw)
				37
				38	return grpc.Creds(credentials.NewTLS(&tls.Config{
				39	Certificates: []tls.Certificate{serverCert},
				40	}))
				41	}
				42
				43	func (p *prodvider) makeSelfCSR() ([]byte, []byte, error) {
				44	signerCert, _ := p.sign.Certificate("", "")
				45	req := &csr.CertificateRequest{
				46	CN: flagProdviderCN,
				47	KeyRequest: &csr.BasicKeyRequest{
				48	A: "rsa",
				49	S: 4096,
				50	},
				51	Names: []csr.Name{
				52	{
				53	C: signerCert.Subject.Country[0],
				54	ST: signerCert.Subject.Province[0],
				55	L: signerCert.Subject.Locality[0],
				56	O: signerCert.Subject.Organization[0],
				57	OU: signerCert.Subject.OrganizationalUnit[0],
				58	},
				59	},
Serge Bazanski	f0acf16	2020-10-03 16:49:51 +0200	[diff] [blame]	60	Hosts: []string{flagProdviderCN},
Sergiusz Bazanski	b13b7ff	2019-08-29 20:12:24 +0200	[diff] [blame]	61	}
				62
				63	g := &csr.Generator{
				64	Validator: func(req *csr.CertificateRequest) error { return nil },
				65	}
				66
				67	return g.ProcessRequest(req)
				68	}
				69
				70	func (p *prodvider) makeSelfCertificate(csr []byte) ([]byte, error) {
				71	req := signer.SignRequest{
Serge Bazanski	f0acf16	2020-10-03 16:49:51 +0200	[diff] [blame]	72	Hosts: []string{flagProdviderCN},
Sergiusz Bazanski	b13b7ff	2019-08-29 20:12:24 +0200	[diff] [blame]	73	Request: string(csr),
				74	Profile: "server",
				75	}
				76	return p.sign.Sign(req)
				77	}
				78
				79	func (p *prodvider) makeKubernetesCSR(username, o string) ([]byte, []byte, error) {
				80	signerCert, _ := p.sign.Certificate("", "")
				81	req := &csr.CertificateRequest{
				82	CN: username,
				83	KeyRequest: &csr.BasicKeyRequest{
				84	A: "rsa",
				85	S: 4096,
				86	},
				87	Names: []csr.Name{
				88	{
				89	C: signerCert.Subject.Country[0],
				90	ST: signerCert.Subject.Province[0],
				91	L: signerCert.Subject.Locality[0],
				92	O: o,
				93	OU: fmt.Sprintf("Prodvider Kubernetes Cert for %s/%s", username, o),
				94	},
				95	},
				96	}
				97
				98	g := &csr.Generator{
				99	Validator: func(req *csr.CertificateRequest) error { return nil },
				100	}
				101
				102	return g.ProcessRequest(req)
				103	}
				104
				105	func (p *prodvider) makeKubernetesCertificate(csr []byte, notAfter time.Time) ([]byte, error) {
				106	req := signer.SignRequest{
				107	Hosts: []string{},
				108	Request: string(csr),
				109	Profile: "client",
				110	NotAfter: notAfter,
				111	}
				112	return p.sign.Sign(req)
				113	}