suricata's rsync acme

2023-01-05 18:31:38 +01:00 · 2023-01-05 18:31:38 +01:00 · 162a56ede1
parent b4440061ff
commit 162a56ede1
1 changed files with 112 additions and 0 deletions
--- a/suricata/acme_rsync/Makefile
+++ b/suricata/acme_rsync/Makefile
@ -0,0 +1,112 @@
+###############################################################################
+
+WD = /var/lib/dags/acme
+CERTS_DIR = $(WD)/certs
+DOMAIN = monotremata.xyz
+DOMAIN_CERTS_DIR = $(CERTS_DIR)/$(DOMAIN)
+
+###############################################################################
+
+ACME_CA_FILE = $(DOMAIN_CERTS_DIR)/ca.cer
+ACME_FULLCHAIN_FILE = $(DOMAIN_CERTS_DIR)/fullchain.cer"
+ACME_KEY_FILE = $(DOMAIN_CERTS_DIR)/$(DOMAIN).key"
+
+###############################################################################
+
+JSON_SECRET = $(WD)/secret.json
+SECRET_UPDATED = $(WD)/secret_updated
+
+###############################################################################
+
+K8S_CA_FILE = /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+K8S_TOKEN_FILE = /var/run/secrets/kubernetes.io/serviceaccount/token)
+K8S_TOKEN = $(shell cat $(K8S_TOKEN_FILE))
+K8S_APISERVER = $(KUBERNETES_SERVICE_HOST):$(KUBERNETES_SERVICE_PORT_HTTPS)
+K8S_SECRERTS_URL="https://${K8S_APISERVER}/api/v1/namespaces/${CERT_NAMESPACE}/secret
+
+###############################################################################
+
+.PHONY: all sync_certs
+
+all: sync_certs $(SECRET_UPDATED)
+
+###############################################################################
+
+RSYNCD_HOST = narwhal
+RSYNCD_USER = user
+REMOTE_ACME_PATH=rsync://$(RSYNCD_USER)@$(RSYNCD_HOST)/acme
+RSYNC_OPTS=--archive --delete --acls --xattrs --compress --verbose --human-readable
+
+sync_certs:
+	mkdir -p $(CERTS_DIR)
+	rsync \
+		$(RSYNC_OPTS) \
+		$(REMOTE_ACME_PATH) \
+		$(CERTS_DIR)
+
+$(ACME_CA_FILE): sync_certs
+$(ACME_FULLCHAIN_FILE): sync_certs
+$(ACME_KEY_FILE): sync_certs
+
+###############################################################################
+
+$(JSON_SECRET): $(ACME_KEY_FILE) $(ACME_FULLCHAIN_FILE) $(ACME_KEY_FILE)
+	jq --null-input --raw-output \
+		--arg kind "Secret" \
+		--arg name "$(SECRET_NAME)" \
+		--arg cacert "$$(base64 -w 0 $(ACME_CA_FILE))" \
+		--arg tlscert "$$(base64 -w 0 $(ACME_FULLCHAIN_FILE))" \
+		--arg tlskey "$$(base64 -w 0 $(ACME_KEY_FILE))" \
+		'{
+			kind: $$kind,
+			metadata: {name: $$name},
+			data: {
+				"ca.crt": $$cacert,
+				"tls.crt": $$tlscert,
+				"tls.key": $$tlskey
+			}
+		}' > $@
+
+###############################################################################
+
+select_status_code = grep 'HTTP/' | awk '{printf $$2}'
+
+define k8s_api
+	curl \
+		-i \
+		-X $(1) \
+		--cacert "$(K8S_CA_FILE)" \
+		-H "Authorization: Bearer $(K8S_TOKEN)" \
+		-H 'Accept: application/json' \
+		-H "Content-Type: application/json"
+endef
+
+define get_secret
+	$(call k8s_api,GET) $(K8S_SECRERTS_URL)/$(SECRET_NAME) | \
+	$(select_status_code)
+endef
+
+define post_secret
+	$(call k8s_api,POST) $(K8S_SECRERTS_URL) --data @$(1) | \
+	$(select_status_code)
+endef
+
+define put_secret
+	$(call k8s_api,PUT) $(K8S_SECRERTS_URL)/$(SECRET_NAME) --data @$(1) |
+	$(select_status_code)
+endef
+
+$(SECRET_UPDATED): $(JSON_SECRET)
+	mkdir -p $(@D)
+	GET_STATUS_CODE=$$($(call get_secret)) \
+	if [ "$${GET_STATUS_CODE}" = "404" ]; then \
+		echo "adding cert" \
+		POST_STATUS_CODE=$$($(call post_secret,$^)) \
+		[ "$${POST_STATUS_CODE}" = "200" ] && touch $@ \
+	elif [ "$${GET_STATUS_CODE}" = "200" ]; then \
+		echo "updating existing cert" \
+		PUT_STATUS_CODE=$$($(call put_secret,$^)) \
+		[ "$${PUT_STATUS_CODE}" = "200" ] && touch $@ \
+	fi
+
+###############################################################################