From af58f99a0820cc3d4259ba251ebe43d03e09f7b2 Mon Sep 17 00:00:00 2001
From: Gabriel Simmer
Date: Sat, 20 Jul 2024 12:51:24 +0100
Subject: [PATCH] Proxmox certificate refresh cron
---
 kubernetes/cloudflare/config.yaml | 4 +-
 kubernetes/misc/CronJob-proxmox-cert.yaml | 88 +++++++++++++++++++++++
 kubernetes/misc/kustomization.yaml | 1 +
 3 files changed, 91 insertions(+), 2 deletions(-)
 create mode 100644 kubernetes/misc/CronJob-proxmox-cert.yaml
diff --git a/kubernetes/cloudflare/config.yaml b/kubernetes/cloudflare/config.yaml
index d4a75be..3c86ad4 100644
--- a/kubernetes/cloudflare/config.yaml
+++ b/kubernetes/cloudflare/config.yaml
@@ -15,8 +15,8 @@ ingress:
 service: http://nitter.nitter.svc.cluster.local:8081
 - hostname: git.gmem.ca
 service: https://homelab.gmem.ca
-- hostname: proxmox.gmem.ca
- service: https://homelab.gmem.ca
+- hostname: proxmox-access.gmem.ca
+ service: https://proxmox.gmem.ca
 - hostname: tokyo.gmem.ca
 service: https://homelab.gmem.ca
 - hostname: ibiza.gmem.ca
diff --git a/kubernetes/misc/CronJob-proxmox-cert.yaml b/kubernetes/misc/CronJob-proxmox-cert.yaml
new file mode 100644
index 0000000..dd0c194
--- /dev/null
+++ b/kubernetes/misc/CronJob-proxmox-cert.yaml
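Review bot: cloudflared verifies the origin's TLS certificate by default and no `originRequest.noTLSVerify` is set in this hunk, so until the new proxmox-cert CronJob has actually installed the Let's Encrypt certificate, `https://proxmox.gmem.ca` will still present Proxmox's self-signed certificate and `proxmox-access.gmem.ca` will fail with a TLS error at the tunnel. That job is scheduled for the 1st of the month, so trigger it once right after applying, e.g. `kubectl -n default create job --from=cronjob/proxmox-cert proxmox-cert-bootstrap`. Since `proxmox.gmem.ca` is no longer a tunnel hostname, it presumably has to resolve to the Proxmox host's LAN address from the cloudflared pod — confirm that record exists, otherwise the origin lookup fails as well.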
@@ -0,0 +1,88 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: proxmox-cert
+ namespace: default
+spec:
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ volumes:
+ - secret:
+ secretName: proxmox-gmem-ca
+ name: cert
+ containers:
+ - command:
+ - /bin/bash
+ - -c
+ - >
+ curl "https://healthchecks.gmem.ca/ping/${HEALTHCHECKS_UUID}/start"
+
+ curl -k -X POST https://${BASE_URL}/api2/json/nodes/proxmox/certificates/custom
+ -H "Authorization: PVEAPIToken=${TOKEN_ID}=${TOKEN_SECRET}"
+ -H "Content-Type: application/x-www-form-urlencoded"
+ --data-urlencode "key=$(cat /data/tls.key)"
+ --data-urlencode "restart=1"
+ --data-urlencode "force=1"
+ --data-urlencode "certificates=$(cat /data/tls.crt)"
+
+ curl "https://healthchecks.gmem.ca/ping/${HEALTHCHECKS_UUID}/$?"
+ envFrom:
+ - configMapRef:
+ name: proxmox-cert
+ - secretRef:
+ name: proxmox-cert
+ image: git.gmem.ca/arch/kutils
+ name: upload-certificate
+ volumeMounts:
+ - mountPath: /data
+ name: cert
+ restartPolicy: Never
+ schedule: "0 0 1 * *"
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: proxmox-gmem-ca
+ namespace: default
+spec:
+ # Secret names are always required.
+ secretName: proxmox-gmem-ca
+
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+
+ dnsNames:
+ - proxmox.gmem.ca
+ issuerRef:
+ name: le-issuer
+ # We can reference ClusterIssuers by changing the kind here.
+ # The default value is Issuer (i.e. a locally namespaced Issuer)
+ kind: ClusterIssuer
+ # This is optional since cert-manager will default to this value however
+ # if you are using an external issuer, change this to that issuer group.
+ group: cert-manager.io
+---
+apiVersion: v1
+data:
+ BASE_URL: proxmox.gmem.ca
+kind: ConfigMap
+metadata:
+ name: proxmox-cert
+ namespace: default
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: proxmox-cert
+ namespace: default
+spec:
+ destination:
+ create: true
+ name: proxmox-cert
+ mount: kv
+ path: default/proxmox-cert
+ refreshAfter: 30s
+ type: kv-v2
+ vaultAuthRef: vault
diff --git a/kubernetes/misc/kustomization.yaml b/kubernetes/misc/kustomization.yaml
index a64389f..9f2f291 100644
--- a/kubernetes/misc/kustomization.yaml
+++ b/kubernetes/misc/kustomization.yaml
@@ -7,3 +7,4 @@ resources:
 - Namespace-misc.yaml
 - VaultAuth.yaml
 - CronJob-router-cert.yaml
+- CronJob-proxmox-cert.yaml
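Review bot: The upload in the `bash -c` script POSTs the new private key (`key=$(cat /data/tls.key)`) together with the API token over `curl -k`, so nothing authenticates the endpoint at `${BASE_URL}` and an on-path attacker could capture both; bootstrap against the node's self-signed certificate by trusting its own CA instead, e.g. `curl -fsS --cacert /etc/pve-ca/pve-root-ca.pem -X POST "https://${BASE_URL}/api2/json/nodes/proxmox/certificates/custom"` with `pve-root-ca.pem` mounted from a ConfigMap, and `-k` is not needed at all once the Let's Encrypt certificate is installed. The same line also needs `-f`/`--fail`: without it curl exits 0 on a 401 or 400 from the API, so `.../ping/${HEALTHCHECKS_UUID}/$?` reports success for a failed upload and the expiry goes unnoticed. Separately, `schedule: "0 0 1 * *"` is monthly while `renewBefore: 360h` leaves only 15 days between cert-manager's renewal and expiry, so a renewal landing on the 2nd is not pushed until the 1st of the next month, roughly two weeks after the old certificate has already expired; running the job at least weekly (`schedule: "0 3 * * 0"`) keeps the lag inside that window, and the `restart=1` pveproxy restart still only happens when the job runs. Consider also `concurrencyPolicy: Forbid` on the CronJob and `defaultMode: 0400` on the `cert` secret volume so the key is not readable by every process in the pod.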