infra/kubernetes/misc/CronJob-proxmox-cert.yaml

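# CronJob that uploads the cert-manager-issued certificate and key for the
# Proxmox host to the Proxmox API, reporting start and result to healthchecks.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: proxmox-cert
  namespace: default
spec:
  jobTemplate:
    spec:
      template:
        spec:
          volumes:
            # Secret written by the Certificate "proxmox-gmem-ca" in this file;
            # it provides tls.crt and tls.key under /data.
            - secret:
                secretName: proxmox-gmem-ca
              name: cert
          containers:
            - command:
                - /bin/bash
                - -c
                # Literal block (|) keeps each command on its own line. A
                # folded block (>) joins lines of equal indentation with
                # spaces, which would merge the curl calls into one invocation
                # (so the POST body and Authorization header would go to every
                # URL on that line) and expand $? before the upload runs.
                #
                # --fail makes curl exit non-zero on an HTTP error response, so
                # the $? reported to healthchecks reflects a rejected upload.
                #
                # NOTE(review): -k turns off TLS certificate verification on
                # the request that carries the API token and the private key,
                # so the endpoint is not authenticated. Drop -k (or pass
                # --cacert with a trusted CA bundle) once the Proxmox host
                # reliably serves a certificate this image trusts.
                - |
                  curl "https://healthchecks.gmem.ca/ping/${HEALTHCHECKS_UUID}/start"
                  curl -k --fail -X POST "https://${BASE_URL}/api2/json/nodes/proxmox/certificates/custom" \
                    -H "Authorization: PVEAPIToken=${TOKEN_ID}=${TOKEN_SECRET}" \
                    -H "Content-Type: application/x-www-form-urlencoded" \
                    --data-urlencode "key=$(cat /data/tls.key)" \
                    --data-urlencode "restart=1" \
                    --data-urlencode "force=1" \
                    --data-urlencode "certificates=$(cat /data/tls.crt)"
                  curl "https://healthchecks.gmem.ca/ping/${HEALTHCHECKS_UUID}/$?"
              # BASE_URL comes from the ConfigMap; the remaining variables are
              # presumably keys of the Secret synced from Vault (confirm).
              envFrom:
                - configMapRef:
                    name: proxmox-cert
                - secretRef:
                    name: proxmox-cert
              # NOTE(review): no tag or digest, so this resolves to :latest.
              # The container reads the TLS private key and the API token;
              # pin it, e.g. git.gmem.ca/arch/kutils@sha256:<DIGEST-PLACEHOLDER>.
              image: git.gmem.ca/arch/kutils
              name: upload-certificate
              volumeMounts:
                - mountPath: /data
                  name: cert
          restartPolicy: Never
  # 00:00 on the 1st of every month. The Certificate in this file renews 15
  # days before expiry, so a renewal that lands just after a run is not
  # uploaded until the next run, which can be after the old certificate has
  # expired. Consider a shorter interval or a larger renewBefore.
  schedule: "0 0 1 * *"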
---
# cert-manager Certificate for proxmox.gmem.ca. The issued key pair is stored
# in the Secret "proxmox-gmem-ca", which the CronJob in this file mounts.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: proxmox-gmem-ca
  namespace: default
spec:
  # Name of the Secret that receives tls.crt / tls.key (required field).
  secretName: proxmox-gmem-ca
  # Certificate lifetime: 90 days.
  duration: 2160h
  # Renew 15 days before expiry. The uploader CronJob runs monthly, so a
  # renewed certificate can wait longer than 15 days before it is uploaded.
  renewBefore: 360h
  dnsNames:
    - proxmox.gmem.ca
  issuerRef:
    name: le-issuer
    # ClusterIssuer is cluster-wide; the default kind would be a
    # namespace-local Issuer.
    kind: ClusterIssuer
    # cert-manager defaults to this group; only an external issuer needs a
    # different value here.
    group: cert-manager.io
---
# Non-secret settings for the uploader CronJob, injected through envFrom.
apiVersion: v1
kind: ConfigMap
metadata:
  name: proxmox-cert
  namespace: default
data:
  # Host name the job posts to; it matches the Certificate's dnsNames entry.
  BASE_URL: "proxmox.gmem.ca"
---
# Vault Secrets Operator resource: syncs the kv-v2 entry kv/default/proxmox-cert
# into the Kubernetes Secret "proxmox-cert", which the CronJob in this file
# references through envFrom/secretRef.
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: proxmox-cert
  namespace: default
spec:
  # Vault auth configuration to use.
  vaultAuthRef: vault
  # Source in Vault: KV version 2 engine mounted at "kv".
  type: kv-v2
  mount: kv
  path: default/proxmox-cert
  # Interval between re-reads of the Vault entry.
  refreshAfter: 30s
  destination:
    # Let the operator create the target Secret if it does not exist.
    create: true
    name: proxmox-cert