fetchcert: Add script to fetch certs from K8s
Since Fedora CoreOS machines are not managed by Ansible, we need another way to keep the HTTPS certificate up-to-date. To that end, I've added the `fetchcert.sh` script, along with a corresponding systemd service and timer unit, that will fetch the latest certificate from the Secret resource managed by the Kubernetes API. The script authenticates with a long-lived bearer token associated with a particular Kubernetes service account and downloads the current Secret to a local file. If the certificate in the Secret is different than the one already in place, the certificate and key files are updated and nginx is reloaded.
This commit is contained in:
36
fetchcert.service
Normal file
36
fetchcert.service
Normal file
@@ -0,0 +1,36 @@
|
||||
[Unit]
|
||||
Description=Fetch HTTPS certificate from Kubernetes Secret API
|
||||
Wants=network-online.target
|
||||
After=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/bin/sh /etc/fetchcert/fetchcert.sh default pyrocufflink-cert
|
||||
ProtectSystem=strict
|
||||
ReadWritePaths=/etc/pki/nginx
|
||||
CapabilityBoundingSet=CAP_CHOWN
|
||||
DeviceAllow=
|
||||
DevicePolicy=closed
|
||||
LockPersonality=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
NoNewPrivileges=yes
|
||||
PrivateDevices=yes
|
||||
PrivateUsers=yes
|
||||
PrivateTmp=yes
|
||||
ProcSubset=pid
|
||||
ProtectClock=yes
|
||||
ProtectControlGroups=yes
|
||||
ProtectHome=yes
|
||||
ProtectHostname=yes
|
||||
ProtectKernelLogs=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectProc=invisible
|
||||
ProtectSystem=strict
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
||||
RestrictNamespaces=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictSUIDSGID=yes
|
||||
SystemCallArchitectures=native
|
||||
SystemCallFilter=@system-service
|
||||
SystemCallFilter=~@privileged @resources
|
||||
Reference in New Issue
Block a user