forked from TrueCloudLab/certificates
Add template support to K8sSA provisioners.
This commit is contained in:
parent
13b704aeed
commit
00fd41a3d0
4 changed files with 25 additions and 6 deletions
|
@ -10,6 +10,7 @@ import (
|
||||||
|
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/smallstep/certificates/errs"
|
"github.com/smallstep/certificates/errs"
|
||||||
|
"github.com/smallstep/certificates/x509util"
|
||||||
"github.com/smallstep/cli/crypto/pemutil"
|
"github.com/smallstep/cli/crypto/pemutil"
|
||||||
"github.com/smallstep/cli/jose"
|
"github.com/smallstep/cli/jose"
|
||||||
"golang.org/x/crypto/ed25519"
|
"golang.org/x/crypto/ed25519"
|
||||||
|
@ -42,8 +43,9 @@ type K8sSA struct {
|
||||||
*base
|
*base
|
||||||
Type string `json:"type"`
|
Type string `json:"type"`
|
||||||
Name string `json:"name"`
|
Name string `json:"name"`
|
||||||
Claims *Claims `json:"claims,omitempty"`
|
|
||||||
PubKeys []byte `json:"publicKeys,omitempty"`
|
PubKeys []byte `json:"publicKeys,omitempty"`
|
||||||
|
Claims *Claims `json:"claims,omitempty"`
|
||||||
|
Options *ProvisionerOptions `json:"options,omitempty"`
|
||||||
claimer *Claimer
|
claimer *Claimer
|
||||||
audiences Audiences
|
audiences Audiences
|
||||||
//kauthn kauthn.AuthenticationV1Interface
|
//kauthn kauthn.AuthenticationV1Interface
|
||||||
|
@ -208,7 +210,15 @@ func (p *K8sSA) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
|
||||||
return nil, errs.Wrap(http.StatusInternalServerError, err, "k8ssa.AuthorizeSign")
|
return nil, errs.Wrap(http.StatusInternalServerError, err, "k8ssa.AuthorizeSign")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Certificate templates: on K8sSA the default template is the certificate
|
||||||
|
// request.
|
||||||
|
templateOptions, err := CustomTemplateOptions(p.Options, x509util.NewTemplateData(), x509util.CertificateRequestTemplate)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errs.Wrap(http.StatusInternalServerError, err, "k8ssa.AuthorizeSign")
|
||||||
|
}
|
||||||
|
|
||||||
return []SignOption{
|
return []SignOption{
|
||||||
|
templateOptions,
|
||||||
// modifiers / withOptions
|
// modifiers / withOptions
|
||||||
newProvisionerExtensionOption(TypeK8sSA, p.Name, ""),
|
newProvisionerExtensionOption(TypeK8sSA, p.Name, ""),
|
||||||
profileDefaultDuration(p.claimer.DefaultTLSCertDuration()),
|
profileDefaultDuration(p.claimer.DefaultTLSCertDuration()),
|
||||||
|
|
|
@ -4,6 +4,7 @@ import (
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"crypto/x509/pkix"
|
"crypto/x509/pkix"
|
||||||
"encoding/asn1"
|
"encoding/asn1"
|
||||||
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net"
|
"net"
|
||||||
"net/url"
|
"net/url"
|
||||||
|
@ -76,6 +77,12 @@ func (e Extension) Set(c *x509.Certificate) {
|
||||||
// object identifier or OID.
|
// object identifier or OID.
|
||||||
type ObjectIdentifier asn1.ObjectIdentifier
|
type ObjectIdentifier asn1.ObjectIdentifier
|
||||||
|
|
||||||
|
// MarshalJSON implements the json.Marshaler interface and returns the string
|
||||||
|
// version of the asn1.ObjectIdentifier.
|
||||||
|
func (o ObjectIdentifier) MarshalJSON() ([]byte, error) {
|
||||||
|
return json.Marshal(asn1.ObjectIdentifier(o).String())
|
||||||
|
}
|
||||||
|
|
||||||
// UnmarshalJSON implements the json.Unmarshaler interface and coverts a strings
|
// UnmarshalJSON implements the json.Unmarshaler interface and coverts a strings
|
||||||
// like "2.5.29.17" into an ASN1 object identifier.
|
// like "2.5.29.17" into an ASN1 object identifier.
|
||||||
func (o *ObjectIdentifier) UnmarshalJSON(data []byte) error {
|
func (o *ObjectIdentifier) UnmarshalJSON(data []byte) error {
|
||||||
|
|
|
@ -3,7 +3,6 @@ package x509util
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"fmt"
|
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"text/template"
|
"text/template"
|
||||||
|
|
||||||
|
@ -43,7 +42,6 @@ func WithTemplate(text string, data TemplateData) Option {
|
||||||
if err := tmpl.Execute(buf, data); err != nil {
|
if err := tmpl.Execute(buf, data); err != nil {
|
||||||
return errors.Wrapf(err, "error executing template")
|
return errors.Wrapf(err, "error executing template")
|
||||||
}
|
}
|
||||||
fmt.Println(buf.String())
|
|
||||||
o.CertBuffer = buf
|
o.CertBuffer = buf
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -113,3 +113,7 @@ const DefaultRootTemplate = `{
|
||||||
"maxPathLen": 1
|
"maxPathLen": 1
|
||||||
}
|
}
|
||||||
}`
|
}`
|
||||||
|
|
||||||
|
// CertificateRequestTemplate is a template that will sign the given certificate
|
||||||
|
// request.
|
||||||
|
const CertificateRequestTemplate = `{{ toJson .CR }}`
|
||||||
|
|
Loading…
Reference in a new issue