Add template support for gcp provisioner.
This commit is contained in:
Mariano Cano
parent
32646c49bf
commit
e60ea419cc
1 changed files with 24 additions and 8 deletions
|
|
@ -15,6 +15,7 @@ import (
|
||||||
|
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/smallstep/certificates/errs"
|
"github.com/smallstep/certificates/errs"
|
||||||
|
"github.com/smallstep/certificates/x509util"
|
||||||
"github.com/smallstep/cli/jose"
|
"github.com/smallstep/cli/jose"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
@ -76,14 +77,15 @@ func newGCPConfig() *gcpConfig {
|
||||||
// https://cloud.google.com/compute/docs/instances/verifying-instance-identity
|
// https://cloud.google.com/compute/docs/instances/verifying-instance-identity
|
||||||
type GCP struct {
|
type GCP struct {
|
||||||
*base
|
*base
|
||||||
Type string `json:"type"`
|
Type string `json:"type"`
|
||||||
Name string `json:"name"`
|
Name string `json:"name"`
|
||||||
ServiceAccounts []string `json:"serviceAccounts"`
|
ServiceAccounts []string `json:"serviceAccounts"`
|
||||||
ProjectIDs []string `json:"projectIDs"`
|
ProjectIDs []string `json:"projectIDs"`
|
||||||
DisableCustomSANs bool `json:"disableCustomSANs"`
|
DisableCustomSANs bool `json:"disableCustomSANs"`
|
||||||
DisableTrustOnFirstUse bool `json:"disableTrustOnFirstUse"`
|
DisableTrustOnFirstUse bool `json:"disableTrustOnFirstUse"`
|
||||||
InstanceAge Duration `json:"instanceAge,omitempty"`
|
InstanceAge Duration `json:"instanceAge,omitempty"`
|
||||||
Claims *Claims `json:"claims,omitempty"`
|
Claims *Claims `json:"claims,omitempty"`
|
||||||
|
Options *ProvisionerOptions `json:"options,omitempty"`
|
||||||
claimer *Claimer
|
claimer *Claimer
|
||||||
config *gcpConfig
|
config *gcpConfig
|
||||||
keyStore *keyStore
|
keyStore *keyStore
|
||||||
|
|
@ -215,6 +217,11 @@ func (p *GCP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
|
||||||
}
|
}
|
||||||
|
|
||||||
ce := claims.Google.ComputeEngine
|
ce := claims.Google.ComputeEngine
|
||||||
|
|
||||||
|
// Template options
|
||||||
|
data := x509util.NewTemplateData()
|
||||||
|
data.SetToken(claims)
|
||||||
|
|
||||||
// Enforce known common name and default DNS if configured.
|
// Enforce known common name and default DNS if configured.
|
||||||
// By default we we'll accept the CN and SANs in the CSR.
|
// By default we we'll accept the CN and SANs in the CSR.
|
||||||
// There's no way to trust them other than TOFU.
|
// There's no way to trust them other than TOFU.
|
||||||
|
|
@ -231,9 +238,18 @@ func (p *GCP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
|
||||||
so = append(so, ipAddressesValidator(nil))
|
so = append(so, ipAddressesValidator(nil))
|
||||||
so = append(so, emailAddressesValidator(nil))
|
so = append(so, emailAddressesValidator(nil))
|
||||||
so = append(so, urisValidator(nil))
|
so = append(so, urisValidator(nil))
|
||||||
|
|
||||||
|
// Template SANs
|
||||||
|
data.SetSANs([]string{dnsName1, dnsName2})
|
||||||
|
}
|
||||||
|
|
||||||
|
templateOptions, err := CustomTemplateOptions(p.Options, data, x509util.DefaultIIDLeafTemplate)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errs.Wrap(http.StatusInternalServerError, err, "gcp.AuthorizeSign")
|
||||||
}
|
}
|
||||||
|
|
||||||
return append(so,
|
return append(so,
|
||||||
|
templateOptions,
|
||||||
// modifiers / withOptions
|
// modifiers / withOptions
|
||||||
newProvisionerExtensionOption(TypeGCP, p.Name, claims.Subject, "InstanceID", ce.InstanceID, "InstanceName", ce.InstanceName),
|
newProvisionerExtensionOption(TypeGCP, p.Name, claims.Subject, "InstanceID", ce.InstanceID, "InstanceName", ce.InstanceName),
|
||||||
profileDefaultDuration(p.claimer.DefaultTLSCertDuration()),
|
profileDefaultDuration(p.claimer.DefaultTLSCertDuration()),
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue