oceanbox/platform
6
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
66d29be22ca2ee86c226b726bce2fd501b910ac0
platform/lib/pki.nix
Jonas Juselius 66d29be22c Secure certificates after generation
2019-02-23 15:34:28 +01:00

145 lines
2.9 KiB
Nix
Raw Blame History

{ pkgs ? import <nixpkgs> {} }: rec {
ca-config = pkgs.writeText "ca-config.json" ''
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
}
}
}
}
'';
gencsr = args: pkgs.writeText "${args.name}-csr.json" ''
{
"CN": "${args.cn}",
"hosts": [ ${args.hosts} ],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"O": "${args.o}"
}
]
}
'';
initca' =
let
ca_csr = gencsr {
name = "kubernetes";
cn = "kubernetes";
o = "kubernetes";
hosts = "";
};
in
pkgs.runCommand "initca" {
buildInputs = [ pkgs.cfssl ];
} '' cfssl genkey -initca ${ca_csr} | cfssljson -bare ca; \
mkdir -p $out; cp *.pem $out'';
# make ca derivation sha depend on initca cfssl output
initca = pkgs.stdenv.mkDerivation {
name = "ca";
src = initca';
buildCommand = ''
mkdir -p $out;
cp -r $src/* $out
'';
};
ca = {
key = "${initca}/ca-key.pem";
cert = "${initca}/ca.pem";
};
cfssl = conf: ''
cfssl gencert -ca ${ca.cert} -ca-key ${ca.key} \
-config=${ca-config} -profile=kubernetes ${conf.csr} | \
cfssljson -bare cert; \
mkdir -p $out; cp *.pem $out
'';
toSet = cert:
{
key = "${cert}/cert-key.pem";
cert = "${cert}/cert.pem";
};
gencert = conf:
pkgs.runCommand "${conf.name}" {
buildInputs = [ pkgs.cfssl ];
} (cfssl conf);
admin = gencert rec {
name = "admin";
csr = gencsr {
inherit name;
cn = "admin";
o = "system:masters";
hosts = "";
};
};
apiserver = hosts:
gencert rec {
name = "kubernetes";
csr = gencsr {
inherit name hosts;
cn = "kubernetes";
o = "kubernetes";
};
};
etcd = hosts: gencert rec {
name = "etcd";
csr = gencsr {
inherit name hosts;
cn = "etcd";
o = "kubernetes";
};
};
trust = name: hosts: gencert rec {
inherit name;
csr = gencsr {
inherit name hosts;
cn = name;
o = name;
};
};
kube-proxy = gencert rec {
name = "kube-proxy";
csr = gencsr {
inherit name;
cn = "system:kube-proxy";
o = "system:node-proxier";
hosts = "";
};
};
worker = instance:
gencert rec {
name = instance.name;
csr = gencsr {
inherit name;
cn = "system:node:${instance.name}";
o = "system:nodes";
hosts = ''"${instance.name}","${instance.ip}"'';
};
};
}
Reference in New Issue View Git Blame Copy Permalink