Generate certificates for the aggregation layer.

2026-01-09 18:19:34 -05:00
parent c0ace47d95
commit fd1ea9e890
13 changed files with 204 additions and 43 deletions
--- a/nix/kubernetes/keys/package/tls-key/package.nix
+++ b/nix/kubernetes/keys/package/tls-key/package.nix
@@ -12,6 +12,8 @@
  openssl,
  k8s,
  key_name,
+  ca_name,
+  ca_config,
  ...
 }:
 stdenv.mkDerivation (finalAttrs: {
@@ -22,18 +24,18 @@ stdenv.mkDerivation (finalAttrs: {
  unpackPhase = "true";

  buildPhase = ''
-    cp ${k8s.ca}/ca.crt ${k8s.ca}/ca.key ./
+    cp ${k8s.ca."${ca_name}"}/${ca_name}-ca.crt ${k8s.ca."${ca_name}"}/${ca_name}-ca.key ./

    openssl genrsa -out "${key_name}.key" 4096

    openssl req -new -key "${key_name}.key" -sha256 \
-            -config "${../k8s-ca/files/ca.conf}" -section ${key_name} \
+            -config "${ca_config}" -section ${key_name} \
            -out "${key_name}.csr"

    openssl x509 -req -days 3653 -in "${key_name}.csr" \
            -copy_extensions copyall \
-            -sha256 -CA "./ca.crt" \
-            -CAkey "./ca.key" \
+            -sha256 -CA "./${ca_name}-ca.crt" \
+            -CAkey "./${ca_name}-ca.key" \
            -CAcreateserial \
            -out "${key_name}.crt"
  '';