
---
# Identity the ca-sync CronJob runs as. It carries no permissions by itself;
# the two RoleBindings in this file grant it read access to the CA Secret in
# cert-manager and write access to the installer ConfigMap in ca-installer.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: ca-installer
  name: ca-sync
---
# Read-only access to exactly one Secret in cert-manager. The resourceNames
# restriction means the bound ServiceAccount can fetch internal-ca-cert but
# cannot list or read any other Secret in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ca-cert-reader
  namespace: cert-manager
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - internal-ca-cert
    verbs:
      - get
---
# Cross-namespace binding: the ca-sync ServiceAccount lives in ca-installer,
# the Role it is bound to lives in cert-manager, so the subject must name its
# namespace explicitly.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ca-sync-read-cert
  namespace: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ca-cert-reader
subjects:
  - kind: ServiceAccount
    namespace: ca-installer
    name: ca-sync
---
# Write access limited to the one ConfigMap and the one Deployment the sync
# job touches. get/patch/update is what `kubectl apply` needs on an existing
# object; `create` is deliberately absent because Kubernetes cannot restrict
# create by resourceNames (the name is not known at authorization time), so
# granting it would cover every ConfigMap in the namespace. Consequence: the
# ca-installer-files ConfigMap must exist before the first sync run.
# `kubectl rollout restart` is implemented as a patch on the Deployment.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ca-configmap-writer
  namespace: ca-installer
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      - ca-installer-files
    verbs:
      - get
      - patch
      - update
  - apiGroups:
      - apps
    resources:
      - deployments
    resourceNames:
      - ca-installer
    verbs:
      - get
      - patch
---
# Same-namespace binding of the ca-sync ServiceAccount to the writer Role.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ca-sync-write-configmap
  namespace: ca-installer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ca-configmap-writer
subjects:
  - kind: ServiceAccount
    namespace: ca-installer
    name: ca-sync
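---
# Nightly job: copy the internal CA out of cert-manager into the
# ca-installer-files ConfigMap (raw PEM plus an Apple .mobileconfig wrapper
# around the same PEM) and restart the ca-installer Deployment so it serves
# the new files. Nothing is written when the certificate fingerprint is
# unchanged.
#
# Changes versus the previous revision:
#   - concurrencyPolicy: Forbid, so a slow run can never overlap a later one
#     and apply an older certificate after a newer one.
#   - the existing ConfigMap value is written straight to a file instead of
#     being base64-encoded and immediately decoded again.
#   - `set -u` added; the container drops all capabilities, forbids privilege
#     escalation and uses the runtime default seccomp profile (kubectl and
#     openssl need none of these).
apiVersion: batch/v1
kind: CronJob
metadata:
  name: ca-sync
  namespace: ca-installer
spec:
  schedule: "0 3 * * *"  # daily at 3am
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: ca-sync
          restartPolicy: OnFailure
          containers:
            - name: sync
              # TODO(review): pin this to an immutable digest
              # (bitnami/kubectl@sha256:<DIGEST>) rather than the mutable
              # :latest tag, so an upstream image change cannot silently
              # alter what runs with read access to the CA Secret.
              image: bitnami/kubectl:latest
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                    - ALL
                seccompProfile:
                  type: RuntimeDefault
                # NOTE(review): runAsNonRoot: true would be the next step;
                # confirm the image's default user before enabling it.
              command:
                - /bin/sh
                - -c
                - |
                  set -eu
                  # Current CA from cert-manager. The Secret holds the PEM
                  # base64-encoded; an empty result leaves /tmp/ca.crt empty
                  # and the openssl call below then fails the job.
                  kubectl get secret internal-ca-cert -n cert-manager \
                    -o jsonpath='{.data.tls\.crt}' | base64 -d > /tmp/ca.crt
                  NEW_FP=$(openssl x509 -noout -fingerprint -in /tmp/ca.crt)
                  # What ca-installer currently serves. ConfigMap data is
                  # plain text, so no decode step is needed. A missing
                  # ConfigMap or key yields an empty file, reported as
                  # "none" so the comparison below forces an update.
                  kubectl get configmap ca-installer-files -n ca-installer \
                    -o jsonpath='{.data.ca\.crt}' > /tmp/ca-current.crt || true
                  CURRENT_FP=$(openssl x509 -noout -fingerprint -in /tmp/ca-current.crt 2>/dev/null || echo "none")
                  if [ "$NEW_FP" = "$CURRENT_FP" ]; then
                    echo "CA cert unchanged, skipping update"
                    exit 0
                  fi
                  echo "CA cert changed, updating ConfigMap..."
                  # The mobileconfig embeds the PEM file as one base64 line.
                  NEW_B64=$(base64 /tmp/ca.crt | tr -d '\n')
                  cat > /tmp/ca.mobileconfig << MOBILEEOF
                  <?xml version="1.0" encoding="UTF-8"?>
                  <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
                  <plist version="1.0">
                  <dict>
                  <key>PayloadContent</key>
                  <array>
                  <dict>
                  <key>PayloadCertificateFileName</key>
                  <string>homelab-ca.crt</string>
                  <key>PayloadContent</key>
                  <data>${NEW_B64}</data>
                  <key>PayloadDescription</key>
                  <string>Installs the Homelab internal CA certificate</string>
                  <key>PayloadDisplayName</key>
                  <string>Homelab Internal CA</string>
                  <key>PayloadIdentifier</key>
                  <string>home.arpa.ca.cert</string>
                  <key>PayloadType</key>
                  <string>com.apple.security.root</string>
                  <key>PayloadUUID</key>
                  <string>e546899f-249d-4334-ae04-bd1092ca299b</string>
                  <key>PayloadVersion</key>
                  <integer>1</integer>
                  </dict>
                  </array>
                  <key>PayloadDescription</key>
                  <string>Trust the Homelab internal certificate authority</string>
                  <key>PayloadDisplayName</key>
                  <string>Homelab CA Trust</string>
                  <key>PayloadIdentifier</key>
                  <string>home.arpa.ca.profile</string>
                  <key>PayloadRemovalDisallowed</key>
                  <false/>
                  <key>PayloadType</key>
                  <string>Configuration</string>
                  <key>PayloadUUID</key>
                  <string>729e611e-5f03-4f63-a41c-b9b2973c2311</string>
                  <key>PayloadVersion</key>
                  <integer>1</integer>
                  </dict>
                  </plist>
                  MOBILEEOF
                  # The ca-configmap-writer Role grants only get/patch/update
                  # on this named ConfigMap (create cannot be name-scoped), so
                  # the ConfigMap must already exist for apply to succeed.
                  kubectl create configmap ca-installer-files -n ca-installer \
                    --from-file=ca.crt=/tmp/ca.crt \
                    --from-file=ca.mobileconfig=/tmp/ca.mobileconfig \
                    --dry-run=client -o yaml | kubectl apply -f -
                  # Restart is a patch on the Deployment's pod template; only
                  # reached when apply succeeded (set -e).
                  kubectl rollout restart deployment/ca-installer -n ca-installer
                  echo "Done"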