Works!

2017-08-18 11:31:07 +02:00
parent e2c2c6b811
commit 85a045577d
13 changed files with 458 additions and 236 deletions
--- a/base/pki.nix
+++ b/base/pki.nix
@@ -11,26 +11,17 @@ let
                  "expiry": "43800h",
                  "usages": [
                      "signing",
-                  "key encipherment",
-                  "server auth"
-                      ]
+                      "key encipherment",
+                      "server auth"
+                  ]
              },
              "client": {
                  "expiry": "43800h",
                  "usages": [
                      "signing",
-                  "key encipherment",
-                  "client auth"
-                      ]
-              },
-              "peer": {
-                  "expiry": "43800h",
-                  "usages": [
-                      "signing",
-                  "key encipherment",
-                  "server auth",
-                  "client auth"
-                      ]
+                      "key encipherment",
+                      "client auth"
+                  ]
              }
          }
      }
@@ -82,4 +73,52 @@ in
      buildInputs = [ pkgs.cfssl ];
    } (cfssl cert.csr cert.profile);

+  # server-cert = mkCert {
+  #     name = "kubernetes";
+  #     csr = csr {
+  #       cn = "kubernetes";
+  #       hosts = ''"kubernetes", "k8s0-0", "etcd0", "localhost", "10.253.18.100"'';
+  #     };
+  #     profile = "server";
+  # };
+
+  # etcd0-cert = mkCert {
+  #   name = "etcd0";
+  #   csr = csr {
+  #     cn = "etcd0";
+  #     hosts = ''"etcd0", "k8s0-0", "localhost", "10.253.18.100"'';
+  #   };
+  #   profile = "peer";
+  # };
+
+  # etcd1-cert = mkCert {
+  #   name = "etcd1";
+  #   csr = csr {
+  #     cn = "etcd1";
+  #     hosts = ''"etcd1", "k8s0-1", "localhost", "10.253.18.101"'';
+  #   };
+  #   profile = "peer";
+  # };
+
+  # client-cert = mkCert {
+  #   name = "client";
+  #   csr = csr {
+  #     cn = "client";
+  #     hosts = '''';
+  #   };
+  #   profile = "client";
+  # };
+
+  # server_key = "${server-cert}/cert-key.pem";
+  # server_cert = "${server-cert}/cert.pem";
+
+  # etcd0_key = "${etcd0-cert}/cert-key.pem";
+  # etcd0_cert = "${etcd0-cert}/cert.pem";
+
+  # etcd1_key = "${etcd1-cert}/cert-key.pem";
+  # etcd1_cert = "${etcd1-cert}/cert.pem";
+
+  # client_key = "${client-cert}/cert-key.pem";
+  # client_cert = "${client-cert}/cert.pem";
+
  }