Since Fedora CoreOS machines are not managed by Ansible, we need another
way to keep the HTTPS certificate up-to-date. To that end, I've added
the `fetchcert.sh` script, along with a corresponding systemd service
and timer unit, that will fetch the latest certificate from the Secret
resource managed by the Kubernetes API. The script authenticates with
a long-lived bearer token associated with a particular Kubernetes
service account and downloads the current Secret to a local file. If
the certificate in the Secret is different from the one already in
place, the certificate and key files are updated and nginx is reloaded.
To keep the API key a secret, we're encrypting the environment file in
the repository with GnuPG. The decrypted copy only lives in the work
tree and is never committed. Changes have to be re-encrypted and
committed.

When developing Butane/Ignition files, I frequently forget to update the
parent files after making a change to an included file. This causes a
lot of wasted time re-provisioning, only to discover that my change
did not take effect. To alleviate this, we'll use `make` with some
macro magic to scan the Butane files for their dependencies, and let it
generate whatever Ignition files need updating any time a dependent file
changes.

I've also added a "publish" step to the Makefile, since I also
frequently forget to upload the regenerated Ignition files to the
server, causing the same headaches.