Since Fedora CoreOS machines are not managed by Ansible, we need another way to keep the HTTPS certificate up-to-date. To that end, I've added the `fetchcert.sh` script, along with a corresponding systemd service and timer unit, that will fetch the latest certificate from the Secret resource managed by the Kubernetes API. The script authenticates with a long-lived bearer token associated with a particular Kubernetes service account and downloads the current Secret to a local file. If the certificate in the Secret is different than the one already in place, the certificate and key files are updated and nginx is reloaded.
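The fetch-and-compare logic the message describes, as an added example rather than the repository's own `fetchcert.sh`, written in Python instead of shell: the request carries the service-account bearer token, the `kubernetes.io/tls` Secret's base64 `tls.crt`/`tls.key` values are decoded, and the on-disk pair is replaced only when the certificate differs, returning a flag the caller would use to decide whether to reload nginx. The API server URL, namespace, Secret name, file paths and PEM bodies are constructed placeholders.

```python
# Added example, not the commit's fetchcert.sh; names and PEM bodies are constructed.
import base64, json, os, tempfile, urllib.request

def build_secret_request(api_server, namespace, name, token):
    """GET the Secret from the core API, authenticating with the SA bearer token."""
    url = f"{api_server}/api/v1/namespaces/{namespace}/secrets/{name}"
    return urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/json"})

def decode_tls_secret(secret_json):
    """Return (cert, key) bytes from a kubernetes.io/tls Secret; data values are base64."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError("not a kubernetes.io/tls Secret")
    data = secret["data"]
    return base64.b64decode(data["tls.crt"]), base64.b64decode(data["tls.key"])

def install_if_changed(cert, key, cert_path, key_path):
    """Replace the on-disk pair only when the cert differs; True means reload nginx."""
    if os.path.exists(cert_path):
        with open(cert_path, "rb") as f:
            if f.read() == cert:
                return False
    # Write to a temp name and rename over the target so nginx never sees a partial file.
    for path, content, mode in ((key_path, key, 0o600), (cert_path, cert, 0o644)):
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
        with os.fdopen(fd, "wb") as f:
            f.write(content)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    return True

# Constructed sample Secret with placeholder PEM bodies (not real key material).
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = b"-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"
SAMPLE_SECRET_JSON = json.dumps({"kind": "Secret", "type": "kubernetes.io/tls",
    "data": {"tls.crt": base64.b64encode(SAMPLE_CERT).decode(),
             "tls.key": base64.b64encode(SAMPLE_KEY).decode()}})

def demo():
    """Two passes against a scratch dir: the first installs, the second is a no-op."""
    d = tempfile.mkdtemp()
    cert, key = decode_tls_secret(SAMPLE_SECRET_JSON)
    paths = (os.path.join(d, "tls.crt"), os.path.join(d, "tls.key"))
    first = install_if_changed(cert, key, *paths)
    second = install_if_changed(cert, key, *paths)
    return first, second
```

In a real run the request would be opened with an SSL context that trusts the API server's CA so the bearer token is only ever sent to the genuine API server.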
10 lines · 154 B · SYSTEMD

```ini
[Unit]
Description=Periodically fetch certificate from Kubernetes

[Timer]
OnCalendar=*-*-* 0:0:0
RandomizedDelaySec=8h

[Install]
WantedBy=timers.target
```