oceanbox/platform
6
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Add expression for generating linkerd trust anchors

Browse Source
This commit is contained in:
Jonas Juselius
2020-11-12 10:06:54 +01:00
parent 9e79911b1d
commit 55aaad91be
2 changed files with 37 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
modules/initca.nix
View File

@@ -1,28 +1,29 @@
{ pkgs ? import <nixpkgs> {}, ca ? "", name ? "ca", ...}: { pkgs ? import <nixpkgs> {}, ca ? null, name ? "ca", hosts ? [], ...}:
with pkgs; with pkgs;
let let
ca_csr = pkgs.writeText "${name}-csr.json" (builtins.toJSON {
inherit hosts;
CN = "${name}";
key = {
algo = "rsa";
size = 2048;
};
names = [
{
CN = "${name}";
O = "NixOS";
OU = "${name}.pki.caSpec";
L = "generated";
}
];
}
);
ca' = ca' =
let
ca_csr = pkgs.writeText "${name}-csr.json" (builtins.toJSON {
key = {
algo = "rsa";
size = 2048;
};
names = [
{
CN = "${name}";
O = "NixOS";
OU = "${name}.pki.caSpec";
L = "generated";
}
];
});
in
pkgs.runCommand "initca" { pkgs.runCommand "initca" {
buildInputs = [ pkgs.cfssl ]; buildInputs = [ pkgs.cfssl ];
} '' cfssl genkey -initca ${ca_csr} | cfssljson -bare ca; \ } '' cfssl genkey -initca ${ca_csr} | cfssljson -bare ca;
mkdir -p $out; cp *.pem $out''; mkdir -p $out; cp *.pem $out '';
initca = if ca != "" then ca else ca'; initca = if ca != null then ca else ca';
in in
# make ca derivation sha depend on initca cfssl output # make ca derivation sha depend on initca cfssl output
pkgs.stdenv.mkDerivation { pkgs.stdenv.mkDerivation {

16
modules/linkerd-certs.nix Normal file
View File

@@ -0,0 +1,16 @@
{ pkgs, ... }:
let
identity = import ./initca.nix {
inherit pkgs;
name = "linkerd-identity-ca";
hosts = [ "identity.linkerd.cluster.local" ];
};
webhook = import ./initca.nix {
inherit pkgs;
name = "linkerd-webhook-ca";
hosts = [ "webhook.linkerd.cluster.local" ];
};
in {
inherit identity webhook;
}