Created
February 21, 2025 16:21
-
-
Save rafalkrupinski/e434cb2fc37db46af7e0f260b4c50030 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import * as pulumi from '@pulumi/pulumi'; | |
| import * as tls from '@pulumi/tls'; | |
| export interface CAArgs { | |
| readonly subject: tls.types.input.SelfSignedCertSubject; | |
| readonly validityPeriodHours: pulumi.Input<number>; | |
| } | |
| export class RootCA extends pulumi.ComponentResource { | |
| public readonly privateKeyPem: pulumi.Output<string>; | |
| public readonly certPem: pulumi.Output<string>; | |
| constructor(name: string, args: CAArgs, opts?: pulumi.ComponentResourceOptions) { | |
| super('oeklo:resource:rootCA', name, args, opts); | |
| const {subject, validityPeriodHours} = args; | |
| const caPrivateKey = new tls.PrivateKey('caKey', { | |
| algorithm: 'ECDSA', | |
| ecdsaCurve: 'P521', | |
| }); | |
| this.privateKeyPem = caPrivateKey.privateKeyPem; | |
| const caCert = new tls.SelfSignedCert( | |
| name, | |
| { | |
| privateKeyPem: caPrivateKey.privateKeyPem, | |
| allowedUses: [ | |
| 'key_encipherment', | |
| 'cert_signing', 'crl_signing', 'digital_signature'], | |
| isCaCertificate: true, | |
| validityPeriodHours, | |
| subject, | |
| } as tls.SelfSignedCertArgs, | |
| ); | |
| this.certPem = caCert.certPem; | |
| this.registerOutputs(); | |
| } | |
| } | |
| interface LocallySignedKeyPairArgs { | |
| ca: RootCA; | |
| subject: tls.types.input.CertRequestSubject; | |
| validityPeriodHours: number; | |
| allowedUses: string[]; | |
| } | |
| export class LocallySignedKeyPair extends pulumi.ComponentResource { | |
| public readonly privateKeyPem: pulumi.Output<string>; | |
| public readonly certPem: pulumi.Output<string>; | |
| constructor(name: string, args: LocallySignedKeyPairArgs, opts?: pulumi.ComponentResourceOptions) { | |
| super('oeklo:resource:locallySignedKeyPair', name, args, opts); | |
| const sopts = {parent: this}; | |
| const {subject, validityPeriodHours, allowedUses} = args; | |
| const key = new tls.PrivateKey(name, { | |
| algorithm: 'ECDSA', | |
| ecdsaCurve: 'P256', | |
| }, sopts); | |
| this.privateKeyPem = key.privateKeyPem; | |
| const req = new tls.CertRequest(name, { | |
| privateKeyPem: key.privateKeyPem, | |
| subject, | |
| }, sopts); | |
| const cert = new tls.LocallySignedCert(name, { | |
| caCertPem: args.ca.certPem, | |
| caPrivateKeyPem: args.ca.privateKeyPem, | |
| certRequestPem: req.certRequestPem, | |
| validityPeriodHours, | |
| allowedUses, | |
| }, sopts); | |
| this.certPem = cert.certPem; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment