Provides cfssl server and client LWRP
Ubuntu 14.04
Key | Type | Description |
---|---|---|
['cfssl']['server']['config'] | Hash | Main config |
['cfssl']['server']['csr'] | Hash | Lazy man's CA generation |
['cfssl']['server']['ca'] | String | Path to CA cert file |
['cfssl']['server']['ca-key'] | String | Path to CA key file |
['cfssl']['server']['config-file'] | String | Path to config file on disk |
Use a wrapper cookbook to get the certs in place, and pass your config in the attribute hash (node['cfssl']['server']['config']).
Example for use with authsign:
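```ruby
{
  'signing' => {
    'default' => {
      'usages' => [
        'any'
      ],
      'expiry' => '10h',
      # Name of the entry in 'auth_keys' that requests to this profile must be signed with
      'auth_key' => 'ca-auth'
    }
  },
  'auth_keys' => {
    'ca-auth' => {
      'type' => 'standard',
      # Example value only: the key is a hex-encoded secret, replace it with your own
      'key' => '0123456789ABCDEF0123456789ABCDEF'
    }
  }
}
```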
You can use ['cfssl']['server']['csr'] to have the cookbook generate certs for you.
This recipe demonstrates the cfssl_gencert LWRP, which is similar to cfssl's gencert subcommand but can also talk to a remote server, with HMAC auth, like:
```ruby
cfssl_gencert 'default' do
  action :create
  key_path <where to place new key>
  cert_path <where to place new cert>
  subject <subject for your new cert>
  server <cfssl master server http url>
  shared_key <HMAC preshared key, optional. Enables use of authsign>
end
```
It's totally up to you how to pass those parameters to gencert - use data bags or attributes.
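What the shared_key / auth_key pair protects, as an added example (not code from this cookbook or from cfssl): with a 'standard' auth key, the client sends the signing request base64-encoded together with an HMAC-SHA256 token computed over it with the hex-decoded key, and the server recomputes the token before signing. The function names and the sample request are constructed for illustration, and the sketch assumes no additional authenticated data is configured for the key.

```ruby
require 'openssl'
require 'base64'
require 'json'

# cfssl "standard" auth keys are hex strings; reject anything else early.
def decode_auth_key(hex)
  unless hex.is_a?(String) && hex.match?(/\A(?:\h\h)+\z/)
    raise ArgumentError, 'auth key must be non-empty, even-length hex'
  end
  [hex].pack('H*')
end

# Constant-time comparison so a mismatch does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Client side: wrap a signing request in the authenticated envelope.
def build_authsign_body(sign_request, hex_key)
  payload = JSON.generate(sign_request)
  token = OpenSSL::HMAC.digest('SHA256', decode_auth_key(hex_key), payload)
  JSON.generate('token' => Base64.strict_encode64(token),
                'request' => Base64.strict_encode64(payload))
end

# Server side: return the verified request bytes, or nil if the check fails.
def verify_authsign_body(body, hex_key)
  key = decode_auth_key(hex_key) # a malformed key is a config error: raise
  begin
    env = JSON.parse(body)
    return nil unless env.is_a?(Hash)
    payload = Base64.strict_decode64(env.fetch('request').to_s)
    token = Base64.strict_decode64(env.fetch('token').to_s)
  rescue ArgumentError, KeyError, JSON::ParserError
    return nil
  end
  expected = OpenSSL::HMAC.digest('SHA256', key, payload)
  secure_equal?(token, expected) ? payload : nil
end

# Constructed sample: the placeholder key from the config above, dummy CSR.
SAMPLE_KEY = '0123456789ABCDEF0123456789ABCDEF'
SAMPLE_REQ = { 'certificate_request' => '<PEM CSR goes here>', 'profile' => 'default' }

if __FILE__ == $PROGRAM_NAME
  body = build_authsign_body(SAMPLE_REQ, SAMPLE_KEY)
  [SAMPLE_KEY, 'FF' * 16].each { |k| puts verify_authsign_body(body, k) ? 'accepted' : 'rejected' }
end
```

Anyone holding the key can get certificates signed under the matching profile, so treat shared_key like any other credential when choosing where to store it.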
- cfssl profiles
- more tests
- circleci integration
Author:: OneTwoTrip ([email protected])