Proxmox certificate refresh cron

kubernetes/cloudflare/config.yaml

@@ -15,8 +15,8 @@ ingress:
   service: http://nitter.nitter.svc.cluster.local:8081
 - hostname: git.gmem.ca
   service: https://homelab.gmem.ca
-- hostname: proxmox.gmem.ca
-  service: https://homelab.gmem.ca
+- hostname: proxmox-access.gmem.ca
+  service: https://proxmox.gmem.ca
 - hostname: tokyo.gmem.ca
   service: https://homelab.gmem.ca
 - hostname: ibiza.gmem.ca

kubernetes/misc/CronJob-proxmox-cert.yaml

@@ -0,0 +1,88 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: proxmox-cert
+  namespace: default
+spec:
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          volumes:
+          - secret:
+              secretName: proxmox-gmem-ca
+            name: cert
+          containers:
+            - command:
+                - /bin/bash
+                - -c
+                - >
+                  curl "https://healthchecks.gmem.ca/ping/${HEALTHCHECKS_UUID}/start"
+
+                  curl -k -X POST https://${BASE_URL}/api2/json/nodes/proxmox/certificates/custom
+                  -H "Authorization: PVEAPIToken=${TOKEN_ID}=${TOKEN_SECRET}"
+                  -H "Content-Type: application/x-www-form-urlencoded"
+                  --data-urlencode "key=$(cat /data/tls.key)"
+                  --data-urlencode "restart=1"
+                  --data-urlencode "force=1"
+                  --data-urlencode "certificates=$(cat /data/tls.crt)"
+
+                  curl "https://healthchecks.gmem.ca/ping/${HEALTHCHECKS_UUID}/$?"
+              envFrom:
+                - configMapRef:
+                    name: proxmox-cert
+                - secretRef:
+                    name: proxmox-cert
+              image: git.gmem.ca/arch/kutils
+              name: upload-certificate
+              volumeMounts:
+              - mountPath: /data
+                name: cert
+          restartPolicy: Never
+  schedule: "0 0 1 * *"
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: proxmox-gmem-ca
+  namespace: default
+spec:
+  # Secret names are always required.
+  secretName: proxmox-gmem-ca
+
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+
+  dnsNames:
+    - proxmox.gmem.ca
+  issuerRef:
+    name: le-issuer
+    # We can reference ClusterIssuers by changing the kind here.
+    # The default value is Issuer (i.e. a locally namespaced Issuer)
+    kind: ClusterIssuer
+    # This is optional since cert-manager will default to this value however
+    # if you are using an external issuer, change this to that issuer group.
+    group: cert-manager.io
+---
+apiVersion: v1
+data:
+  BASE_URL: proxmox.gmem.ca
+kind: ConfigMap
+metadata:
+  name: proxmox-cert
+  namespace: default
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: proxmox-cert
+  namespace: default
+spec:
+  destination:
+    create: true
+    name: proxmox-cert
+  mount: kv
+  path: default/proxmox-cert
+  refreshAfter: 30s
+  type: kv-v2
+  vaultAuthRef: vault

kubernetes/misc/kustomization.yaml

@@ -7,3 +7,4 @@ resources:
 - Namespace-misc.yaml
 - VaultAuth.yaml
 - CronJob-router-cert.yaml
+- CronJob-proxmox-cert.yaml