feat: add CA sync service account, roles, role bindings, and cron job for certificate rotation management
This commit is contained in:
parent
7f1462658b
commit
0c0254b03d
153
manifests/cert-manager/ca-sync.yaml
Normal file
153
manifests/cert-manager/ca-sync.yaml
Normal file
@ -0,0 +1,153 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: ca-sync
|
||||
namespace: ca-installer
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: ca-cert-reader
|
||||
namespace: cert-manager
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
resourceNames: ["internal-ca-cert"]
|
||||
verbs: ["get"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: ca-sync-read-cert
|
||||
namespace: cert-manager
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: ca-sync
|
||||
namespace: ca-installer
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: ca-cert-reader
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: ca-configmap-writer
|
||||
namespace: ca-installer
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
resourceNames: ["ca-installer-files"]
|
||||
verbs: ["get", "patch", "update"]
|
||||
- apiGroups: ["apps"]
|
||||
resources: ["deployments"]
|
||||
resourceNames: ["ca-installer"]
|
||||
verbs: ["get", "patch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: ca-sync-write-configmap
|
||||
namespace: ca-installer
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: ca-sync
|
||||
namespace: ca-installer
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: ca-configmap-writer
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: ca-sync
|
||||
namespace: ca-installer
|
||||
spec:
|
||||
schedule: "0 3 * * *" # daily at 3am
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
serviceAccountName: ca-sync
|
||||
restartPolicy: OnFailure
|
||||
containers:
|
||||
- name: sync
|
||||
image: bitnami/kubectl:latest
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- |
|
||||
set -e
|
||||
|
||||
# Get current CA cert from cert-manager namespace
|
||||
kubectl get secret internal-ca-cert -n cert-manager \
|
||||
-o jsonpath='{.data.tls\.crt}' | base64 -d > /tmp/ca.crt
|
||||
|
||||
# Get fingerprint of new vs existing cert
|
||||
NEW_FP=$(openssl x509 -noout -fingerprint -in /tmp/ca.crt)
|
||||
CURRENT_B64=$(kubectl get configmap ca-installer-files -n ca-installer \
|
||||
-o jsonpath='{.data.ca\.crt}' | base64 | tr -d '\n')
|
||||
echo "$CURRENT_B64" | base64 -d > /tmp/ca-current.crt
|
||||
CURRENT_FP=$(openssl x509 -noout -fingerprint -in /tmp/ca-current.crt 2>/dev/null || echo "none")
|
||||
|
||||
if [ "$NEW_FP" = "$CURRENT_FP" ]; then
|
||||
echo "CA cert unchanged, skipping update"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo "CA cert changed, updating ConfigMap..."
|
||||
NEW_B64=$(base64 /tmp/ca.crt | tr -d '\n')
|
||||
|
||||
cat > /tmp/ca.mobileconfig << MOBILEEOF
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||
<plist version="1.0">
|
||||
<dict>
|
||||
<key>PayloadContent</key>
|
||||
<array>
|
||||
<dict>
|
||||
<key>PayloadCertificateFileName</key>
|
||||
<string>homelab-ca.crt</string>
|
||||
<key>PayloadContent</key>
|
||||
<data>${NEW_B64}</data>
|
||||
<key>PayloadDescription</key>
|
||||
<string>Installs the Homelab internal CA certificate</string>
|
||||
<key>PayloadDisplayName</key>
|
||||
<string>Homelab Internal CA</string>
|
||||
<key>PayloadIdentifier</key>
|
||||
<string>home.arpa.ca.cert</string>
|
||||
<key>PayloadType</key>
|
||||
<string>com.apple.security.root</string>
|
||||
<key>PayloadUUID</key>
|
||||
<string>e546899f-249d-4334-ae04-bd1092ca299b</string>
|
||||
<key>PayloadVersion</key>
|
||||
<integer>1</integer>
|
||||
</dict>
|
||||
</array>
|
||||
<key>PayloadDescription</key>
|
||||
<string>Trust the Homelab internal certificate authority</string>
|
||||
<key>PayloadDisplayName</key>
|
||||
<string>Homelab CA Trust</string>
|
||||
<key>PayloadIdentifier</key>
|
||||
<string>home.arpa.ca.profile</string>
|
||||
<key>PayloadRemovalDisallowed</key>
|
||||
<false/>
|
||||
<key>PayloadType</key>
|
||||
<string>Configuration</string>
|
||||
<key>PayloadUUID</key>
|
||||
<string>729e611e-5f03-4f63-a41c-b9b2973c2311</string>
|
||||
<key>PayloadVersion</key>
|
||||
<integer>1</integer>
|
||||
</dict>
|
||||
</plist>
|
||||
MOBILEEOF
|
||||
|
||||
kubectl create configmap ca-installer-files -n ca-installer \
|
||||
--from-file=ca.crt=/tmp/ca.crt \
|
||||
--from-file=ca.mobileconfig=/tmp/ca.mobileconfig \
|
||||
--dry-run=client -o yaml | kubectl apply -f -
|
||||
|
||||
kubectl rollout restart deployment/ca-installer -n ca-installer
|
||||
echo "Done"
|
||||
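Review bot: The `ca-cert-reader` Role grants `get` on the whole `internal-ca-cert` Secret, and if that Secret also carries the issuer's `tls.key` (typical for a cert-manager CA issuer secret) the `ca-sync` ServiceAccount — running the unpinned `bitnami/kubectl:latest` image — can read the CA private key, not just the certificate; publish the certificate separately (a ConfigMap, or a cert-only Secret written by the issuer side) so this job never needs `get` on key material, and at minimum pin `image:` to an immutable digest (`bitnami/kubectl@sha256:…`), since a compromised or retagged image runs with these credentials. The `ca-configmap-writer` Role grants `get`, `patch`, `update` but not `create`, and `create` cannot be scoped by `resourceNames`, so the `kubectl create configmap … --dry-run=client -o yaml | kubectl apply -f -` step will be forbidden on a cluster where `ca-installer-files` does not already exist — presumably it is created by another manifest, but that precondition deserves a comment on the Role, e.g. `# ConfigMap must pre-exist: create is not name-scopable, so this role deliberately omits it`. The change-detection fingerprints rely on OpenSSL's default digest, which varies by version; `openssl x509 -noout -fingerprint -sha256 -in …` on both sides makes the comparison explicit. The CronJob also lacks `concurrencyPolicy: Forbid`, a `backoffLimit`, and a pod `securityContext` (`runAsNonRoot: true`, `readOnlyRootFilesystem: true` with an `emptyDir` mounted at `/tmp`, which is where the decoded CA is written), all cheap hardening for a job that holds cross-namespace secret access.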