Dustin C. Hatch
d907b47db1
Since Fedora CoreOS machines are not managed by Ansible, we need another way to keep the HTTPS certificate up-to-date. To that end, I've added the `fetchcert.sh` script, along with a corresponding systemd service and timer unit, that will fetch the latest certificate from the Secret resource managed by the Kubernetes API. The script authenticates with a long-lived bearer token associated with a particular Kubernetes service account and downloads the current Secret to a local file. If the certificate in the Secret is different than the one already in place, the certificate and key files are updated and nginx is reloaded.
23 lines
416 B
YAML
23 lines
416 B
YAML
variant: fcos
|
|
version: 1.4.0
|
|
|
|
storage:
|
|
files:
|
|
- path: /etc/fetchcert/fetchcert.sh
|
|
mode: 0755
|
|
contents:
|
|
local: fetchcert.sh
|
|
- path: /etc/systemd/system/fetchcert.service
|
|
mode: 0644
|
|
contents:
|
|
local: fetchcert.service
|
|
- path: /etc/systemd/system/fetchcert.timer
|
|
mode: 0644
|
|
contents:
|
|
local: fetchcert.timer
|
|
|
|
systemd:
|
|
units:
|
|
- name: fetchcert.timer
|
|
enabled: true
|