
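#!/bin/sh
# vim: set sw=4 ts=4 sts=4 et :
#
# fetchcert.sh — pull a TLS key pair out of a Kubernetes Secret and install it
# for the nginx container.
#
# Usage: fetchcert.sh <ignored> <namespace> <secret>
#   $1 is accepted but not used here (presumably kept for the caller's sake —
#      TODO confirm against the ignition unit that invokes this script).
#   $2 Kubernetes namespace holding the Secret.
#   $3 name of the Secret; expected to carry `tls.key` and `tls.crt` in .data.
#
# Reads:  /etc/fetchcert/token  (bearer token for the API server)
# Writes: /etc/pki/nginx/private/server.key  (uid/gid 101, mode 0600)
#         /etc/pki/nginx/server.crt          (root, mode 0644)
# Then reloads nginx inside the `systemd-nginx` podman container, but only
# when the installed key or certificate actually changed.
#
# Exit status: 0 on success or when nothing changed; curl's own status when
# the API request fails; 1 on any other error.

set -eu

die() {
    # die MESSAGE [STATUS] — print MESSAGE to stderr and exit (default 1).
    printf '%s: %s\n' "${0##*/}" "$1" >&2
    exit "${2:-1}"
}

check_name() {
    # Reject anything that is not a plausible Kubernetes object name before it
    # is spliced into the request path: empty, leading '.'/'-' (blocks '..'
    # path traversal), or characters outside the RFC 1123 set.
    case "$1" in
        ''|.*|-*|*[!a-z0-9.-]*) die "invalid Kubernetes object name: '$1'" ;;
    esac
}

[ $# -ge 3 ] || die "usage: ${0##*/} <ignored> <namespace> <secret>" 2
namespace=$2
secret=$3
check_name "${namespace}"
check_name "${secret}"

api_server=https://kubernetes.pyrocufflink.blue:6443
token_file=/etc/fetchcert/token
keyout=/etc/pki/nginx/private/server.key
crtout=/etc/pki/nginx/server.crt

tmpdir=$(mktemp -d) || die "mktemp failed"
# The temp dir briefly holds the private key; mktemp -d gives it mode 0700 and
# the trap removes it on every exit path, including signals.
trap 'rm -rf -- "${tmpdir}"' INT TERM QUIT EXIT

# Pinned CA for the API server (quoted delimiter: the PEM is taken literally).
cat > "${tmpdir}/ca.crt" <<'EOF'
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOF

# The bearer token is handed to curl through a config file instead of a -H
# argument so it never appears in `ps` output or in a shell xtrace.
[ -r "${token_file}" ] || die "cannot read ${token_file}"
printf 'header = "Authorization: Bearer %s"\n' "$(cat "${token_file}")" \
    > "${tmpdir}/curlrc"

# No -L: we talk to the API server directly, and following a redirect with a
# bearer token attached is exactly the kind of trip that header must not make.
curl -fsS \
    -K "${tmpdir}/curlrc" \
    -H 'Accept: application/json' \
    --cacert "${tmpdir}/ca.crt" \
    -o "${tmpdir}/secret.json" \
    "${api_server}/api/v1/namespaces/${namespace}/secrets/${secret}" \
    || die "failed to fetch secret ${namespace}/${secret}" "$?"

extract_field() {
    # extract_field KEY OUTFILE — base64-decode .data[KEY] of the fetched
    # Secret into OUTFILE. Two separate steps rather than a pipeline because
    # /bin/sh has no pipefail: a missing key would otherwise come out of jq as
    # the string "null", decode into garbage, and be installed as the key.
    jq -er --arg k "$1" '.data[$k]' "${tmpdir}/secret.json" \
        > "${tmpdir}/field.b64" \
        || die "secret ${namespace}/${secret} has no data field '$1'"
    base64 -d < "${tmpdir}/field.b64" > "$2" \
        || die "data field '$1' of ${namespace}/${secret} is not valid base64"
    [ -s "$2" ] || die "data field '$1' of ${namespace}/${secret} is empty"
}

extract_field tls.key "${tmpdir}/server.key"
extract_field tls.crt "${tmpdir}/server.crt"

same_file() {
    # same_file NEW INSTALLED — true when both exist and their BLAKE2 digests
    # match. A missing installed file (first run) simply counts as "changed".
    [ -f "$1" ] && [ -f "$2" ] \
        && [ "$(b2sum < "$1")" = "$(b2sum < "$2")" ]
}

# Reinstall when either half of the pair differs; checking the key as well as
# the cert also repairs an installed key that was tampered with or truncated.
if same_file "${tmpdir}/server.crt" "${crtout}" \
    && same_file "${tmpdir}/server.key" "${keyout}"; then
    exit 0
fi

# uid/gid 101 is the nginx user inside the container; the key is readable by
# it alone, the certificate is world-readable.
install -m u=rw,go= -o 101 -g 101 "${tmpdir}/server.key" "${keyout}"
install -m u=rw,go=r -o root -g root "${tmpdir}/server.crt" "${crtout}"
# Best effort, as before: a failed relabel is reported but does not stop the
# reload (e.g. SELinux disabled).
chcon -t container_file_t "${keyout}" "${crtout}" \
    || printf 'warning: chcon failed; the container may not be able to read the new files\n' >&2

echo 'Certificate updated, reloading nginx ...' >&2
# No -it: this runs from a systemd unit without a terminal, where requesting
# a TTY is at best a warning and at worst an error.
podman exec systemd-nginx nginx -s reload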