add public key template functions

cmd/dkl-local-server/cluster-render-context.go

@@ -1,8 +1,11 @@
 package main
 
 import (
+	"crypto"
 	"crypto/rand"
+	"crypto/x509"
 	"encoding/base32"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"log"
@@ -12,6 +15,7 @@ import (
 
 	cfsslconfig "github.com/cloudflare/cfssl/config"
 	"github.com/cloudflare/cfssl/csr"
+	"github.com/cloudflare/cfssl/helpers"
 	yaml "gopkg.in/yaml.v2"
 
 	"novit.tech/direktil/pkg/bootstrapconfig"
@@ -19,6 +23,14 @@ import (
 )
 
 func templateFuncs(sslCfg *cfsslconfig.Config) map[string]any {
+	getKey := func(cluster, caName string) (key crypto.Signer, err error) {
+		ca, err := getUsableClusterCA(cluster, caName)
+		if err != nil {
+			return
+		}
+		key, err = helpers.ParsePrivateKeyPEM(ca.Key)
+		return
+	}
 	getKeyCert := func(cluster, caName, name, profile, label, reqJson string) (kc KeyCert, err error) {
 		certReq := &csr.CertificateRequest{
 			KeyRequest: csr.NewKeyRequest(),
@@ -133,6 +145,22 @@ func templateFuncs(sslCfg *cfsslconfig.Config) map[string]any {
 			return
 		},
 
+		"tls_pubkey": func(cluster, caName string) (s string, err error) {
+			priv, err := getKey(cluster, caName)
+			if err != nil {
+				return
+			}
+
+			ba, err := x509.MarshalPKIXPublicKey(priv.Public())
+			if err != nil {
+				err = fmt.Errorf("marshal public key failed: %w", err)
+				return
+			}
+
+			s = base64.StdEncoding.EncodeToString(ba)
+			return
+		},
+
 		"tls_crt": func(cluster, caName, name, profile, label, reqJson string) (s string, err error) {
 			kc, err := getKeyCert(cluster, caName, name, profile, label, reqJson)
 			if err != nil {