From 1dfd090f693681052cdb3e4e3ea81135be5c1f56 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Sat, 21 Nov 2020 14:54:52 +0100
Subject: [PATCH] Make cert algo configurable (for linkerd ecdsa)
---
 modules/initca.nix | 12 +++++++++---
 modules/linkerd-certs.nix | 2 ++
 modules/pki.nix | 6 +++---
 3 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/modules/initca.nix b/modules/initca.nix
index 2bfd9a6..325a954 100644
--- a/modules/initca.nix
+++ b/modules/initca.nix
@@ -1,12 +1,18 @@
-{ pkgs ? import {}, ca ? null, name ? "ca", hosts ? [], ...}:
+{
+ pkgs ? import {},
+ ca ? null,
+ name ? "ca",
+ algo ? "rsa",
+ hosts ? [],
+ ...}:
 with pkgs;
 let
 ca_csr = pkgs.writeText "${name}-csr.json" (builtins.toJSON {
 inherit hosts;
 CN = "${name}";
 key = {
- algo = "rsa";
- size = 2048;
+ inherit algo;
+ size = if algo == "ecdsa" then 256 else 2048;
 };
 names = [
 {
diff --git a/modules/linkerd-certs.nix b/modules/linkerd-certs.nix
index aed1e80..63bf92d 100644
--- a/modules/linkerd-certs.nix
+++ b/modules/linkerd-certs.nix
@@ -3,12 +3,14 @@ let
 identity = import ./initca.nix {
 inherit pkgs;
 name = "linkerd-identity-ca";
+ algo = "ecdsa";
 hosts = [ "identity.linkerd.cluster.local" ];
 };
 webhook = import ./initca.nix {
 inherit pkgs;
 name = "linkerd-webhook-ca";
+ algo = "ecdsa";
 hosts = [ "webhook.linkerd.cluster.local" ];
 };
 in {
diff --git a/modules/pki.nix b/modules/pki.nix
index 4664c31..b73706c 100644
--- a/modules/pki.nix
+++ b/modules/pki.nix
@@ -1,4 +1,4 @@
-{ pkgs, ca ? "" }:
+{ pkgs, ca ? "", algo ? "rsa" }:
 let
 initca = import ./initca.nix { inherit pkgs ca; };
@@ -33,8 +33,8 @@ let
 csr = {
 CN = "${args.cn}";
 key = {
- algo = "rsa";
- size = 2048;
+ inherit algo;
+ size = if algo == "ecdsa" then 256 else 2048;
 };
 names = [
 {
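Review bot: `size = if algo == "ecdsa" then 256 else 2048;` in the new key block of initca.nix treats every value other than "ecdsa" as RSA, so a typo or an unsupported name such as "ed25519" is written into the CSR spec with size 2048 and only fails later, wherever the CSR is consumed. Now that `algo` is a caller-supplied parameter, the module should refuse values it cannot size, e.g. `assert builtins.elem algo [ "rsa" "ecdsa" ];` placed before `with pkgs;` (Nix `assert cond; expr`). A short comment on the `size` line would also help, since the number means different things per algorithm — if this feeds cfssl, as the CSR layout suggests, 256 selects the P-256 curve for ecdsa while 2048 is the RSA modulus length in bits. The identical expression is duplicated in the pki.nix hunk at @@ -33,8 +33,8 @@, so the same assertion (or a shared helper) belongs there as well; the `ca_csr` binding continues past the end of this hunk.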
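Review bot: The two new `algo = "ecdsa";` lines in linkerd-certs.nix pin both CAs to ECDSA, but the reason is only in the commit subject, and a reader of this file cannot see that the size 256 chosen in initca.nix is load-bearing. Linkerd documents that its identity issuer key must be ECDSA P-256, so a comment above the identity block such as `# Linkerd requires an ECDSA P-256 identity issuer key; initca.nix maps algo = "ecdsa" to size 256.` would prevent someone later "upgrading" the curve and breaking identity. Nothing in this diff shows the webhook CA having the same constraint, so if ecdsa was chosen there for consistency rather than necessity, the comment should say that too.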
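Review bot: `algo ? "rsa"` is added to pki.nix's parameter set, but the import on the following context line is still `initca = import ./initca.nix { inherit pkgs ca; };`, so the new value never reaches initca.nix. If initca.nix generates a CA when `ca` is empty (not visible in this diff), a caller passing `algo = "ecdsa"` gets ECDSA leaf keys under an RSA CA — a valid X.509 chain, but unlikely to be what a single `algo` knob suggests, and silently different from linkerd-certs.nix where the CA itself is ECDSA. Either forward it, `initca = import ./initca.nix { inherit pkgs ca algo; };`, or document on the parameter that `algo` governs only the leaf CSRs built at @@ -33.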