Dustin C. Hatch
d907b47db1
Since Fedora CoreOS machines are not managed by Ansible, we need another way to keep the HTTPS certificate up-to-date. To that end, I've added the `fetchcert.sh` script, along with a corresponding systemd service and timer unit, that will fetch the latest certificate from the Secret resource managed by the Kubernetes API. The script authenticates with a long-lived bearer token associated with a particular Kubernetes service account and downloads the current Secret to a local file. If the certificate in the Secret is different than the one already in place, the certificate and key files are updated and nginx is reloaded.
23 lines
399 B
YAML
23 lines
399 B
YAML
variant: fcos
|
|
version: 1.4.0
|
|
|
|
ignition:
|
|
config:
|
|
merge:
|
|
- local: fetchcert.ign
|
|
|
|
storage:
|
|
files:
|
|
- path: /etc/containers/systemd/nginx.container
|
|
mode: 0644
|
|
contents:
|
|
local: nginx.container
|
|
- path: /etc/nginx/nginx.conf
|
|
mode: 0644
|
|
contents:
|
|
local: nginx.conf
|
|
directories:
|
|
- path: /etc/nginx/conf.d
|
|
- path: /etc/nginx/default.d
|
|
- path: /etc/pki/nginx
|