Since Fedora CoreOS machines are not managed by Ansible, we need another
way to keep the HTTPS certificate up-to-date. To that end, I've added
the `fetchcert.sh` script, along with a corresponding systemd service
and timer unit, that fetches the latest certificate from the Secret
resource managed by the Kubernetes API. The script authenticates to the
API server with a long-lived bearer token belonging to a dedicated
Kubernetes service account and downloads the current Secret to a local
file. If the certificate in the Secret differs from the one already in
place, the certificate and key files are replaced and nginx is reloaded;
otherwise nothing is touched.

To keep that token secret, the environment file in the repository is
encrypted with GnuPG. The decrypted copy lives only in the work tree and
is never committed; any change has to be re-encrypted and committed.

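As an added example (not the script from the post, whose contents are not shown here), this is what such a `fetchcert.sh` can look like. The API server address, namespace, Secret name, token and CA file paths and the nginx certificate directory are all assumptions; they are taken from environment variables so that the systemd unit can supply them from the decrypted environment file with `EnvironmentFile=`. The Secret JSON it builds for offline testing is constructed sample data, not a real certificate.

```shell
#!/bin/sh
# Example fetchcert.sh (added example, not the post's own script): pull a
# kubernetes.io/tls Secret from the API server with a service-account bearer
# token and install it for nginx only when the certificate has changed.
set -eu

# Assumed settings; in the real deployment these would come from the
# GnuPG-encrypted environment file via the unit's EnvironmentFile=.
API_SERVER="${API_SERVER:-https://kubernetes.default.svc:6443}"
NAMESPACE="${NAMESPACE:-default}"
SECRET_NAME="${SECRET_NAME:-nginx-tls}"
TOKEN_FILE="${TOKEN_FILE:-/etc/fetchcert/token}"   # long-lived SA token, mode 0600
CA_FILE="${CA_FILE:-/etc/fetchcert/ca.crt}"        # cluster CA, so curl verifies the API server
CERT_DIR="${CERT_DIR:-/etc/nginx/tls}"

# GET the Secret as JSON. The token goes in a bearer header, the API server's
# certificate is checked against the cluster CA, and --fail turns a 401/403/404
# into a hard error instead of an error body that would be parsed as a Secret.
fetch_secret_json() {
    curl --silent --show-error --fail \
        --cacert "$CA_FILE" \
        -H "Authorization: Bearer $(cat "$TOKEN_FILE")" \
        -H 'Accept: application/json' \
        "$API_SERVER/api/v1/namespaces/$NAMESPACE/secrets/$SECRET_NAME"
}

# Print the decoded value of one .data key from Secret JSON on stdin.
# The API server emits each .data value as a single unwrapped base64 string on
# its own line, which is what this sed pattern relies on (jq is the sturdier
# choice on a host where it is installed).
secret_field() {
    sed -n "s|^[[:space:]]*\"$1\":[[:space:]]*\"\([A-Za-z0-9+/=]*\)\".*|\1|p" \
        | head -n 1 | base64 -d
}

# Compare two files by content without depending on cmp or diff.
same_contents() {
    [ "$(cat "$1")" = "$(cat "$2")" ]
}

# Install tls.crt/tls.key from a Secret JSON file into a directory, but only
# if the certificate differs from the one already there.
# Prints "updated" or "unchanged"; returns non-zero on a malformed Secret.
install_if_changed() {
    local json dir new_cert new_key
    json=$1; dir=$2
    new_cert=$(mktemp); new_key=$(mktemp)
    secret_field tls.crt <"$json" >"$new_cert"
    secret_field tls.key <"$json" >"$new_key"
    # Never let an empty or garbled field overwrite a working certificate.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$new_cert" || [ ! -s "$new_key" ]; then
        rm -f "$new_cert" "$new_key"
        echo "Secret $json lacks a usable tls.crt/tls.key" >&2
        return 1
    fi
    if [ -f "$dir/tls.crt" ] && same_contents "$new_cert" "$dir/tls.crt"; then
        rm -f "$new_cert" "$new_key"
        echo unchanged
        return 0
    fi
    mkdir -p "$dir"
    install -m 0644 "$new_cert" "$dir/tls.crt"
    install -m 0600 "$new_key" "$dir/tls.key"   # private key: owner-readable only
    rm -f "$new_cert" "$new_key"
    echo updated
}

# What the systemd service runs: fetch, install, and reload nginx only on change.
main() {
    json=$(mktemp)                    # mktemp gives 0600, so the key is not exposed
    trap 'rm -f "$json"' EXIT
    fetch_secret_json >"$json"
    result=$(install_if_changed "$json" "$CERT_DIR")   # set -e aborts on a bad Secret
    if [ "$result" = updated ]; then
        systemctl reload nginx
    fi
}

# Build a constructed Secret JSON in the API server's output shape from a
# certificate and key string; used only to exercise the install logic offline.
make_sample_secret() {
    local crt_b64 key_b64
    crt_b64=$(printf '%s' "$1" | base64 | tr -d '\n')
    key_b64=$(printf '%s' "$2" | base64 | tr -d '\n')
    printf '{\n  "kind": "Secret",\n  "type": "kubernetes.io/tls",\n  "data": {\n    "tls.crt": "%s",\n    "tls.key": "%s"\n  }\n}\n' \
        "$crt_b64" "$key_b64"
}

case "${1:-}" in
    run) main ;;    # systemd: ExecStart=/usr/local/bin/fetchcert.sh run
esac
```

The service would invoke `fetchcert.sh run`; without that argument the file only defines functions, so `install_if_changed` can be exercised against a constructed Secret with no cluster in reach. Two things worth checking on the real setup: the service account's token should be bound by RBAC to `get` on that one Secret only, since a long-lived token that can list every Secret in the namespace turns a compromised nginx host into a cluster-wide credential leak; and the key file must stay 0600, readable by the root-owned nginx master process and nothing else.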
The first host running Fedora CoreOS (FCOS) is
*k8s-aarch64-n0.pyrocufflink.blue*. This is a Raspberry Pi 4 that is a
specialized member of the Kubernetes cluster. It hosts the Zigbee2MQTT
and ZWaveJS2MQTT containers, and has the Zigbee and ZWave controller USB
devices attached.