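def get_certificate(self, name, opts, *, not_valid_after=None):
    """Return the X.509 certificate for *name*, issuing it on first use.

    Resolution order:
      1. the certificate already cached in ``self.keypairs[name]["certificate"]``;
      2. if ``self.path`` is set, the PEM file ``<self.path>/<name>.pem``;
      3. otherwise a new end-entity certificate signed by this object's CA.

    Args:
        name: key-pair identifier; also used as the on-disk file stem and as
            the ``kube-<name>`` common name of a newly issued certificate.
        opts: dict of issuance options. ``opts["sans"]`` (optional, truthy)
            is passed straight to ``x509.SubjectAlternativeName`` and must
            therefore already be a list of ``x509.GeneralName`` entries.
        not_valid_after: expiry of a newly issued certificate (naive
            ``datetime``, interpreted as UTC). Defaults to one year after
            issuance. Previously this was the fixed date 2018-08-02, which
            made every certificate issued after that date born expired.

    Returns:
        A ``cryptography.x509.Certificate``. Whatever was loaded or issued
        is stored back into ``self.keypairs[name]["certificate"]``.
    """
    cached = self.keypairs[name]["certificate"]
    if cached:
        return cached

    if self.path:
        # `name` becomes part of a filesystem path. It is assumed to be an
        # internal identifier rather than caller-controlled input — TODO confirm;
        # if it can come from outside, reject names containing path separators.
        pem_path = os.path.join(self.path, "{}.pem".format(name))
        with open(pem_path, "rb") as fp:
            certificate = x509.load_pem_x509_certificate(fp.read(), default_backend())
    else:
        ca_key = self.get_certificate_authority_key()
        ca_certificate = self.get_certificate_authority_certificate()

        # X.509 validity times are UTC; cryptography treats naive datetimes as
        # UTC, so use utcnow() rather than the local-time today().
        now = datetime.datetime.utcnow()
        if not_valid_after is None:
            not_valid_after = now + datetime.timedelta(days=365)

        # NOTE(review): the certificate is built on the CA's own public key,
        # so every "kube-<name>" certificate is bound to the CA private key
        # rather than to a key pair of its own. A compromise of any such leaf
        # key is a compromise of the CA. Confirm this is intended; normally a
        # per-name key from self.keypairs[name] would be used here.
        subject = x509.Name([
            x509.NameAttribute(x509.NameOID.COUNTRY_NAME, "US"),
            x509.NameAttribute(x509.NameOID.STATE_OR_PROVINCE_NAME, "CO"),
            x509.NameAttribute(x509.NameOID.LOCALITY_NAME, "Denver"),
            x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, "Eldarion, Inc."),
            x509.NameAttribute(x509.NameOID.COMMON_NAME, "kube-{}".format(name)),
        ])

        builder = (
            x509.CertificateBuilder()
            # uuid4 yields 122 random bits: unpredictable and within the
            # 20-octet serial limit of RFC 5280.
            .serial_number(int(uuid.uuid4()))
            # Backdate by one day to tolerate clock skew between hosts.
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(not_valid_after)
            .public_key(ca_key.public_key())
            .subject_name(subject)
            # The issuer of a leaf certificate is the *subject* of the signing
            # CA. The previous code used ca_certificate.issuer, which only
            # coincides with the subject when the CA is self-signed.
            .issuer_name(ca_certificate.subject)
        )
        if opts.get("sans"):
            builder = builder.add_extension(
                x509.SubjectAlternativeName(opts["sans"]),
                critical=False,
            )
        # Explicitly mark this as an end-entity certificate so it cannot be
        # used to sign further certificates.
        builder = builder.add_extension(
            x509.BasicConstraints(ca=False, path_length=None),
            critical=False,
        )
        certificate = builder.sign(
            private_key=ca_key,
            algorithm=hashes.SHA256(),
            backend=default_backend(),
        )

    self.keypairs[name]["certificate"] = certificate
    return certificate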