From 436be67bfd03650b43c797896a25bdd548fe7091 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mika=C3=ABl=20Cluseau?=
Date: Thu, 25 Sep 2025 23:19:35 +0200
Subject: [PATCH] move tls_dir to render context funcs because it needs template host IPs

---
 .../cluster-render-context.go | 30 -----------
 cmd/dkl-local-server/render-context.go | 50 +++++++++++++++++++
 2 files changed, 50 insertions(+), 30 deletions(-)

diff --git a/cmd/dkl-local-server/cluster-render-context.go b/cmd/dkl-local-server/cluster-render-context.go
index 24293a1..e3f0a84 100644
--- a/cmd/dkl-local-server/cluster-render-context.go
+++ b/cmd/dkl-local-server/cluster-render-context.go
@@ -178,36 +178,6 @@ func templateFuncs(sslCfg *cfsslconfig.Config) map[string]any {
 			s = string(kc.Cert)
 			return
 		},
-
-		"tls_dir": func(dir, cluster, caName, name, profile, label, reqJson string) (s string, err error) {
-			ca, err := getUsableClusterCA(cluster, caName)
-			if err != nil {
-				return
-			}
-
-			kc, err := getKeyCert(cluster, caName, name, profile, label, reqJson)
-			if err != nil {
-				return
-			}
-
-			return asYaml([]config.FileDef{
-				{
-					Path:    path.Join(dir, "ca.crt"),
-					Mode:    0644,
-					Content: string(ca.Cert),
-				},
-				{
-					Path:    path.Join(dir, "tls.crt"),
-					Mode:    0644,
-					Content: string(kc.Cert),
-				},
-				{
-					Path:    path.Join(dir, "tls.key"),
-					Mode:    0600,
-					Content: string(kc.Key),
-				},
-			})
-		},
 	}
 }
 
diff --git a/cmd/dkl-local-server/render-context.go b/cmd/dkl-local-server/render-context.go
index 83ccea0..8b4b362 100644
--- a/cmd/dkl-local-server/render-context.go
+++ b/cmd/dkl-local-server/render-context.go
@@ -5,6 +5,7 @@ import (
 	"crypto/sha1"
 	"crypto/sha256"
 	"encoding/hex"
+	"encoding/json"
 	"fmt"
 	"io"
 	"log"
@@ -13,10 +14,12 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"strings"
 	"text/template"
 	"time"
 
 	cfsslconfig "github.com/cloudflare/cfssl/config"
+	"github.com/cloudflare/cfssl/csr"
 	restful "github.com/emicklei/go-restful"
 	yaml "gopkg.in/yaml.v2"
 
@@ -165,6 +168,21 @@ func (ctx *renderContext) Tag() (string, error) {
 func (ctx *renderContext) TemplateFuncs() map[string]any {
 	funcs := templateFuncs(ctx.SSLConfig)
 
+	// FIXME duplicate from cluster-render-context
+	getKeyCert := func(cluster, caName, name, profile, label, reqJson string) (kc KeyCert, err error) {
+		certReq := &csr.CertificateRequest{
+			KeyRequest: csr.NewKeyRequest(),
+		}
+
+		err = json.Unmarshal([]byte(reqJson), certReq)
+		if err != nil {
+			log.Print("CSR unmarshal failed on: ", reqJson)
+			return
+		}
+
+		return getUsableKeyCert(cluster, caName, name, profile, label, certReq, ctx.SSLConfig)
+	}
+
 	for name, method := range map[string]any{
 		"host_ip": func() (s string) {
 			return ctx.Host.IPs[0]
@@ -177,6 +195,38 @@ func (ctx *renderContext) TemplateFuncs() map[string]any {
 			return hex.EncodeToString(ba[:])
 		},
 
+		"tls_dir": func(dir, cluster, caName, name, profile, label, reqJson string) (s string, err error) {
+			ca, err := getUsableClusterCA(cluster, caName)
+			if err != nil {
+				return
+			}
+
+			reqJson = strings.ReplaceAll(reqJson, "${host_ip}", ctx.Host.IPs[0])
+
+			kc, err := getKeyCert(cluster, caName, name, profile, label, reqJson)
+			if err != nil {
+				return
+			}
+
+			return asYaml([]config.FileDef{
+				{
+					Path:    path.Join(dir, "ca.crt"),
+					Mode:    0644,
+					Content: string(ca.Cert),
+				},
+				{
+					Path:    path.Join(dir, "tls.crt"),
+					Mode:    0644,
+					Content: string(kc.Cert),
+				},
+				{
+					Path:    path.Join(dir, "tls.key"),
+					Mode:    0600,
+					Content: string(kc.Key),
+				},
+			})
+		},
+
 		"ssh_user_ca": func(path, cluster string) (s string, err error) {
 			userCA, err := sshCAPubKey(cluster)
 			return asYaml([]config.FileDef{{
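Review bot: The error path of the new getKeyCert closure logs the request text but drops `err`, so a bad CSR template shows up in the log without the reason json.Unmarshal gave; `log.Printf("CSR unmarshal failed on %q: %v", reqJson, err)` keeps both, and `%q` also makes an empty or whitespace-only request visible. The FIXME marks this closure as a copy of the cluster-render-context helper, and the only difference visible here is that the SSL config comes from `ctx.SSLConfig`; if the cluster-level getKeyCert indeed closes over the `sslCfg` parameter of templateFuncs, a package-level `getKeyCert(sslCfg *cfsslconfig.Config, cluster, caName, name, profile, label, reqJson string)` called from both places would remove the duplicate instead of carrying it forward. The enclosing TemplateFuncs method ends outside this hunk.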
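Review bot: `reqJson = strings.ReplaceAll(reqJson, "${host_ip}", ctx.Host.IPs[0])` indexes ctx.Host.IPs without a length check, so rendering tls_dir for a host record with no IPs panics the whole render instead of failing this one function; `host_ip` earlier in the same map has the same unguarded index, but this line adds a second site. A guard before the substitution keeps it an ordinary template error: `if len(ctx.Host.IPs) == 0 { return "", fmt.Errorf("tls_dir: host has no IPs to substitute for ${host_ip}") }`. The substitution only ever fills in the first IP although the commit message speaks of host IPs in the plural, so a one-line comment on the placeholder, `// ${host_ip} expands to the host's first IP only`, would stop the next template author from expecting every host address to land in the CSR. The enclosing TemplateFuncs method starts and ends outside this hunk.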