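###############################################################################
# Where this job keeps its state.  Everything below lives under WD; the
# certificates synced for DOMAIN are expected under DOMAIN_CERTS_DIR.
# Simple (:=) assignments: these are plain paths with no need for late binding.
WD := /var/lib/dags/acme
CERTS_DIR := $(WD)/certs
DOMAIN := monotremata.xyz
DOMAIN_CERTS_DIR := $(CERTS_DIR)/$(DOMAIN)
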
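###############################################################################
# Certificate files the sync is expected to leave for $(DOMAIN): the CA
# certificate, the full chain and the private key.  (The values must not
# carry quote characters — they are used both as make prerequisites and as
# shell words, and a stray quote breaks both.)
ACME_CA_FILE := $(DOMAIN_CERTS_DIR)/ca.cer
ACME_FULLCHAIN_FILE := $(DOMAIN_CERTS_DIR)/fullchain.cer
ACME_KEY_FILE := $(DOMAIN_CERTS_DIR)/$(DOMAIN).key
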
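###############################################################################
# Rendered Kubernetes Secret manifest, and the stamp file recording that the
# API server accepted it (the stamp is only touched after a successful write,
# see the $(SECRET_UPDATED) rule).
JSON_SECRET := $(WD)/secret.json
SECRET_UPDATED := $(WD)/secret_updated
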
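###############################################################################
# Kubernetes API access.  This is meant to run inside a pod: the service
# account CA bundle and bearer token are read from the paths the kubelet
# mounts, and the API server address comes from the KUBERNETES_* environment
# variables the kubelet injects.
K8S_CA_FILE := /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
K8S_TOKEN_FILE := /var/run/secrets/kubernetes.io/serviceaccount/token

# Deferred to the shell (note the $$): make itself never holds the token, so
# it cannot end up in an echoed recipe line or in `make -p` output, and a
# rotated projected token is re-read on every use instead of once at parse
# time.  Only meaningful inside a recipe.
K8S_TOKEN := $$(cat $(K8S_TOKEN_FILE))

# Empty outside a pod; both variables are injected by the kubelet.
K8S_APISERVER := $(KUBERNETES_SERVICE_HOST):$(KUBERNETES_SERVICE_PORT_HTTPS)

# CERT_NAMESPACE must come from the environment or the command line.  The
# core-API collection is "secrets" (plural).  The misspelled variable name is
# kept because the rules below reference it.
K8S_SECRERTS_URL := https://$(K8S_APISERVER)/api/v1/namespaces/$(CERT_NAMESPACE)/secrets
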
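###############################################################################
.DEFAULT_GOAL := all
.PHONY: all sync_certs

# A recipe that fails part-way (jq, rsync, curl) must not leave a newer but
# incomplete target behind that make would then treat as up to date.
.DELETE_ON_ERROR:

# Pull the certificates from the rsync daemon, then make sure the cluster
# holds the current Secret.
all: sync_certs $(SECRET_UPDATED)
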
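###############################################################################
# Source of the certificates: an rsync daemon module.  The rsync:// protocol
# has no transport encryption, so the private key crosses the network in
# cleartext unless the connection is tunnelled (ssh, VPN) or confined to a
# trusted network.
RSYNCD_HOST := narwhal
RSYNCD_USER := user
REMOTE_ACME_PATH := rsync://$(RSYNCD_USER)@$(RSYNCD_HOST)/acme

# --delete mirrors removals as well; --archive preserves mtimes.
RSYNC_OPTS := --archive --delete --acls --xattrs --compress --verbose --human-readable
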
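# Mirror the remote module into $(CERTS_DIR).  Because --delete is in
# RSYNC_OPTS, refuse to run when CERTS_DIR is empty: the call would otherwise
# mirror into (and delete from) the current directory.
sync_certs:
	@$(if $(strip $(CERTS_DIR)),,$(error CERTS_DIR is empty))mkdir -p $(CERTS_DIR)
	rsync $(RSYNC_OPTS) \
	  $(REMOTE_ACME_PATH) \
	  $(CERTS_DIR)
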
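# The certificate files are produced by sync_certs, not by a recipe of their
# own, so the sync must run before they are looked at.  The dependency is
# order-only (after "|"): sync_certs is phony and therefore always "remade";
# as a normal prerequisite it would mark these files out of date on every
# run, which may cascade into regenerating the manifest and re-writing the
# Secret each time and defeats the $(SECRET_UPDATED) stamp.  With an
# order-only prerequisite, freshness is judged by the files' own mtimes,
# which rsync --archive preserves.
$(ACME_CA_FILE) $(ACME_FULLCHAIN_FILE) $(ACME_KEY_FILE): | sync_certs
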
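###############################################################################
# Render the Secret manifest (data keys ca.crt, tls.crt, tls.key, values
# base64-encoded as the API expects) from the three synced files.
#
# SECRET_NAME must come from the environment or the command line.  The
# rendered file contains the private key, so it is created under a
# restrictive umask and moved into place atomically: a failed jq never
# leaves a truncated $(JSON_SECRET) that is newer than its inputs.  The jq
# program is kept on one line because a newline inside the quoted program
# would end the recipe line.
$(JSON_SECRET): $(ACME_CA_FILE) $(ACME_FULLCHAIN_FILE) $(ACME_KEY_FILE)
	@$(if $(strip $(SECRET_NAME)),,$(error SECRET_NAME must be set))mkdir -p $(@D)
	umask 077 && jq --null-input --raw-output \
	  --arg kind "Secret" \
	  --arg name "$(SECRET_NAME)" \
	  --arg cacert "$$(base64 -w 0 $(ACME_CA_FILE))" \
	  --arg tlscert "$$(base64 -w 0 $(ACME_FULLCHAIN_FILE))" \
	  --arg tlskey "$$(base64 -w 0 $(ACME_KEY_FILE))" \
	  '{kind: $$kind, metadata: {name: $$name}, data: {"ca.crt": $$cacert, "tls.crt": $$tlscert, "tls.key": $$tlskey}}' \
	  > $@.tmp && mv -f $@.tmp $@
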
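###############################################################################
# Push the rendered manifest into the cluster through the API server's REST
# interface: GET the Secret to learn whether it exists, then POST (create) or
# PUT (replace) accordingly.  The stamp $(SECRET_UPDATED) is touched only
# after the API server confirmed the write.

# One API call.  $(1) is the HTTP method; the URL and any --data follow at
# the call site.  Response body and headers are discarded and only the
# numeric status is printed, so callers capture it with $$(...) directly.
# A transport failure prints 000 (and the curl error on stderr).
#
# The bearer token still appears in curl's argument vector, where other
# processes in the same PID namespace can read it; if that matters, pass the
# header through `curl --config -` on stdin instead of --header.
define k8s_api
curl \
  --silent --show-error \
  --output /dev/null \
  --write-out '%{http_code}' \
  --request $(1) \
  --cacert "$(K8S_CA_FILE)" \
  --header "Authorization: Bearer $(K8S_TOKEN)" \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json'
endef

# Status of a GET on the named Secret: 200 if it exists, 404 if not.
define get_secret
$(call k8s_api,GET) "$(K8S_SECRERTS_URL)/$(SECRET_NAME)"
endef

# Create the Secret from manifest file $(1).  The API answers 201 on success.
define post_secret
$(call k8s_api,POST) "$(K8S_SECRERTS_URL)" --data @$(1)
endef

# Replace the named Secret with manifest file $(1).  200 on success.
define put_secret
$(call k8s_api,PUT) "$(K8S_SECRERTS_URL)/$(SECRET_NAME)" --data @$(1)
endef

# The whole decision runs in one shell (statements joined with ";" and
# backslash-newline) so the captured status codes are visible to the
# branches.  The line is silenced with "@" so the Authorization header is
# never echoed; progress is reported explicitly instead.  Any status other
# than the expected one fails the recipe, and the stamp is left untouched.
$(SECRET_UPDATED): $(JSON_SECRET)
	@$(if $(strip $(SECRET_NAME)),,$(error SECRET_NAME must be set))mkdir -p $(@D)
	@status=$$($(call get_secret)); \
	case "$$status" in \
	  404) echo "adding cert"; \
	       code=$$($(call post_secret,$<)); want=201 ;; \
	  200) echo "updating existing cert"; \
	       code=$$($(call put_secret,$<)); want=200 ;; \
	  *)   echo "GET $(SECRET_NAME): unexpected HTTP status $$status" >&2; exit 1 ;; \
	esac; \
	if [ "$$code" = "$$want" ]; then touch $@; \
	else echo "write $(SECRET_NAME): unexpected HTTP status $$code" >&2; exit 1; fi

###############################################################################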