feat: add CA sync service account, roles, role bindings, and cron job for certificate rotation management
This commit is contained in:
parent
7f1462658b
commit
0c0254b03d
153
manifests/cert-manager/ca-sync.yaml
Normal file
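--- /dev/null
+++ b/manifests/cert-manager/ca-sync.yaml
@@ -0,0 +1,153 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: ca-sync
+namespace: ca-installer
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: ca-cert-reader
+namespace: cert-manager
+rules:
+- apiGroups: [""]
+resources: ["secrets"]
+resourceNames: ["internal-ca-cert"]
+verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: ca-sync-read-cert
+namespace: cert-manager
+subjects:
+- kind: ServiceAccount
+name: ca-sync
+namespace: ca-installer
+roleRef:
+kind: Role
+name: ca-cert-reader
+apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: ca-configmap-writer
+namespace: ca-installer
+rules:
+- apiGroups: [""]
+resources: ["configmaps"]
+resourceNames: ["ca-installer-files"]
+verbs: ["get", "patch", "update"]
+- apiGroups: ["apps"]
+resources: ["deployments"]
+resourceNames: ["ca-installer"]
+verbs: ["get", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: ca-sync-write-configmap
+namespace: ca-installer
+subjects:
+- kind: ServiceAccount
+name: ca-sync
+namespace: ca-installer
+roleRef:
+kind: Role
+name: ca-configmap-writer
+apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+name: ca-sync
+namespace: ca-installer
+spec:
+schedule: "0 3 * * *" # daily at 3am
+jobTemplate:
+spec:
+template:
+spec:
+serviceAccountName: ca-sync
+restartPolicy: OnFailure
+containers:
+- name: sync
+image: bitnami/kubectl:latest
+command:
+- /bin/sh
+- -c
+- |
+set -e
+
+# Get current CA cert from cert-manager namespace
+kubectl get secret internal-ca-cert -n cert-manager \
+-o jsonpath='{.data.tls\.crt}' | base64 -d > /tmp/ca.crt
+
+# Get fingerprint of new vs existing cert
+NEW_FP=$(openssl x509 -noout -fingerprint -in /tmp/ca.crt)
+CURRENT_B64=$(kubectl get configmap ca-installer-files -n ca-installer \
+-o jsonpath='{.data.ca\.crt}' | base64 | tr -d '\n')
+echo "$CURRENT_B64" | base64 -d > /tmp/ca-current.crt
+CURRENT_FP=$(openssl x509 -noout -fingerprint -in /tmp/ca-current.crt 2>/dev/null || echo "none")
+
+if [ "$NEW_FP" = "$CURRENT_FP" ]; then
+echo "CA cert unchanged, skipping update"
+exit 0
+fi
+
+echo "CA cert changed, updating ConfigMap..."
+NEW_B64=$(base64 /tmp/ca.crt | tr -d '\n')
+
+cat > /tmp/ca.mobileconfig << MOBILEEOF
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>PayloadContent</key>
+<array>
+<dict>
+<key>PayloadCertificateFileName</key>
+<string>homelab-ca.crt</string>
+<key>PayloadContent</key>
+<data>${NEW_B64}</data>
+<key>PayloadDescription</key>
+<string>Installs the Homelab internal CA certificate</string>
+<key>PayloadDisplayName</key>
+<string>Homelab Internal CA</string>
+<key>PayloadIdentifier</key>
+<string>home.arpa.ca.cert</string>
+<key>PayloadType</key>
+<string>com.apple.security.root</string>
+<key>PayloadUUID</key>
+<string>e546899f-249d-4334-ae04-bd1092ca299b</string>
+<key>PayloadVersion</key>
+<integer>1</integer>
+</dict>
+</array>
+<key>PayloadDescription</key>
+<string>Trust the Homelab internal certificate authority</string>
+<key>PayloadDisplayName</key>
+<string>Homelab CA Trust</string>
+<key>PayloadIdentifier</key>
+<string>home.arpa.ca.profile</string>
+<key>PayloadRemovalDisallowed</key>
+<false/>
+<key>PayloadType</key>
+<string>Configuration</string>
+<key>PayloadUUID</key>
+<string>729e611e-5f03-4f63-a41c-b9b2973c2311</string>
+<key>PayloadVersion</key>
+<integer>1</integer>
+</dict>
+</plist>
+MOBILEEOF
+
+kubectl create configmap ca-installer-files -n ca-installer \
+--from-file=ca.crt=/tmp/ca.crt \
+--from-file=ca.mobileconfig=/tmp/ca.mobileconfig \
+--dry-run=client -o yaml | kubectl apply -f -
+
+kubectl rollout restart deployment/ca-installer -n ca-installer
+echo "Done"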
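Review bot: The sync container in the CronJob pod template at the end of the section runs `bitnami/kubectl:latest`, so each nightly run executes whatever that mutable tag currently resolves to, under a token that can read the cert-manager CA Secret and patch a Deployment; pin the image to an explicit version plus digest (`image: bitnami/kubectl:<VERSION>@sha256:<DIGEST>`, placeholders to be filled from the registry). The same pod template carries no securityContext or resource limits, which is the one gap in an otherwise tight least-privilege setup (both Roles are scoped by `resourceNames`), so the rewrite below adds a non-root, read-only-rootfs container with an emptyDir for the `/tmp` files the script writes. Also worth noting that RBAC `get` on `internal-ca-cert` returns the whole Secret, so this service account can read the CA private key as well as `tls.crt`; if the CA certificate is also published in a cert-only object, reading that instead would narrow the exposure — presumably acceptable for a homelab, but it should be a conscious choice recorded in a comment on the `ca-cert-reader` Role. Finally, under `/bin/sh` `set -e` does not cover the first pipeline, though a failed `kubectl get secret` leaves an empty `/tmp/ca.crt` that the following `openssl x509` call rejects (assuming the image ships openssl), so the job fails closed rather than publishing an empty CA — a one-line comment saying so would save the next reader the check.
```yaml
        spec:
          serviceAccountName: ca-sync
          restartPolicy: OnFailure
          securityContext:
            runAsNonRoot: true  # confirm the pinned image's default user is non-root
            seccompProfile:
              type: RuntimeDefault
          volumes:
            - name: tmp
              emptyDir: {}
          containers:
            - name: sync
              # immutable reference; <VERSION>/<DIGEST> are placeholders, fill from the registry
              image: bitnami/kubectl:<VERSION>@sha256:<DIGEST>
              securityContext:
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
                capabilities:
                  drop: ["ALL"]
              resources:
                limits:
                  memory: 128Mi  # sample value, size to observed usage
              volumeMounts:
                - name: tmp
                  mountPath: /tmp
              command:
                # … unchanged: /bin/sh -c and the sync script …
```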