Generate certificates from nix.

2017-07-11 11:38:10 +02:00
parent f6af7aaf12
commit be8082a927
2 changed files with 127 additions and 11 deletions
--- a/base/pki.nix
+++ b/base/pki.nix
@@ -0,0 +1,127 @@
+# {pkgs, ...}:
+with import <nixpkgs> {};
+let
+  ca-config = pkgs.writeText "ca-config.json" ''
+  {
+      "signing": {
+          "default": {
+              "expiry": "43800h"
+          },
+          "profiles": {
+              "server": {
+                  "expiry": "43800h",
+                  "usages": [
+                      "signing",
+                  "key encipherment",
+                  "server auth"
+                      ]
+              },
+              "client": {
+                  "expiry": "43800h",
+                  "usages": [
+                      "signing",
+                  "key encipherment",
+                  "client auth"
+                      ]
+              },
+              "peer": {
+                  "expiry": "43800h",
+                  "usages": [
+                      "signing",
+                  "key encipherment",
+                  "server auth",
+                  "client auth"
+                      ]
+              }
+          }
+      }
+  }
+  '';
+  csr = args: pkgs.writeText "${args.cn}-cert.json" ''
+    {
+    "CN": "${args.cn}",
+    "hosts": [ ${args.hosts} ],
+    "key": {
+        "algo": "rsa",
+        "size": 2048
+    },
+    "names": [
+        {
+            "C": "NO",
+            "L": "Tromsø",
+            "O": "Serit IT Partner Tromsø AS",
+            "OU": "",
+            "ST": ""
+        }
+    ]
+    }
+  '';
+
+  ca-csr = csr  { cn = "kubernetes"; hosts = ""; };
+  ca = pkgs.runCommand "ca-cert" {
+      buildInputs = [ pkgs.cfssl ];
+    } '' cfssl genkey -initca ${ca-csr} | cfssljson -bare ca; \
+         mkdir -p $out; cp *.pem $out'';
+  ca_cert = "${ca}/ca.pem";
+  ca_key = "${ca}/ca-key.pem";
+
+  cfssl = name: profile: ''
+    cfssl gencert -ca ${ca_cert} -ca-key ${ca_key} \
+    -config=${ca-config} -profile=${profile} ${name} | cfssljson -bare cert; \
+    mkdir -p $out; cp *.pem $out
+  '';
+  mkCert = cert:
+    pkgs.runCommand "${cert.name}-cert" {
+      buildInputs = [ pkgs.cfssl ];
+    } (cfssl cert.csr cert.profile);
+
+  server-csr = csr {
+    cn = "kubernetes";
+    hosts = ''"kubernetes", "k8s0-0", "10.253.18.100"'';
+  };
+  server_cert = "${ca}/cert.pem";
+  server_key = "${ca}/cert-key.pem";
+
+  etcd0-csr = csr {
+    cn = "etcd0";
+    hosts = ''"etcd0", "10.253.18.100"'';
+  };
+  etcd0_cert = "${ca}/cert.pem";
+  etcd0_key = "${ca}/cert-key.pem";
+
+  etcd1-csr = csr {
+    cn = "etcd1";
+    hosts = ''"etcd1", "10.253.18.101"'';
+  };
+  etcd1_cert = "${ca}/cert.pem";
+  etcd1_key = "${ca}/cert-key.pem";
+
+  client-csr = csr {
+    cn = "client";
+    hosts = '''';
+  };
+  client_cert = "${ca}/cert.pem";
+  client_key = "${ca}/cert-key.pem";
+in
+rec {
+  server-cert = mkCert {
+      name = "kubernetes";
+      csr = server-csr;
+      profile = "server";
+  };
+  etcd0-cert = mkCert {
+      name = "etcd0";
+      csr = etcd0-csr;
+      profile = "peer";
+  };
+  etcd1-cert = mkCert {
+      name = "etcd1";
+      csr = etcd1-csr;
+      profile = "peer";
+  };
+  client-cert = mkCert {
+      name = "client";
+      csr = client-csr;
+      profile = "client";
+  };
+}