diff --git a/suricata/acme_rsync/Makefile b/suricata/acme_rsync/Makefile new file mode 100644 index 0000000..cbd2fbe --- /dev/null +++ b/suricata/acme_rsync/Makefile @@ -0,0 +1,112 @@ +############################################################################### + +WD = /var/lib/dags/acme +CERTS_DIR = $(WD)/certs +DOMAIN = monotremata.xyz +DOMAIN_CERTS_DIR = $(CERTS_DIR)/$(DOMAIN) + +############################################################################### + +ACME_CA_FILE = $(DOMAIN_CERTS_DIR)/ca.cer +ACME_FULLCHAIN_FILE = $(DOMAIN_CERTS_DIR)/fullchain.cer" +ACME_KEY_FILE = $(DOMAIN_CERTS_DIR)/$(DOMAIN).key" + +############################################################################### + +JSON_SECRET = $(WD)/secret.json +SECRET_UPDATED = $(WD)/secret_updated + +############################################################################### + +K8S_CA_FILE = /var/run/secrets/kubernetes.io/serviceaccount/ca.crt +K8S_TOKEN_FILE = /var/run/secrets/kubernetes.io/serviceaccount/token) +K8S_TOKEN = $(shell cat $(K8S_TOKEN_FILE)) +K8S_APISERVER = $(KUBERNETES_SERVICE_HOST):$(KUBERNETES_SERVICE_PORT_HTTPS) +K8S_SECRERTS_URL="https://${K8S_APISERVER}/api/v1/namespaces/${CERT_NAMESPACE}/secret + +############################################################################### + +.PHONY: all sync_certs + +all: sync_certs $(SECRET_UPDATED) + +############################################################################### + +RSYNCD_HOST = narwhal +RSYNCD_USER = user +REMOTE_ACME_PATH=rsync://$(RSYNCD_USER)@$(RSYNCD_HOST)/acme +RSYNC_OPTS=--archive --delete --acls --xattrs --compress --verbose --human-readable + +sync_certs: + mkdir -p $(CERTS_DIR) + rsync \ + $(RSYNC_OPTS) \ + $(REMOTE_ACME_PATH) \ + $(CERTS_DIR) + +$(ACME_CA_FILE): sync_certs +$(ACME_FULLCHAIN_FILE): sync_certs +$(ACME_KEY_FILE): sync_certs + +############################################################################### + +$(JSON_SECRET): $(ACME_KEY_FILE) $(ACME_FULLCHAIN_FILE) $(ACME_KEY_FILE) + jq --null-input --raw-output \ + --arg kind "Secret" \ + --arg name "$(SECRET_NAME)" \ + --arg cacert "$$(base64 -w 0 $(ACME_CA_FILE))" \ + --arg tlscert "$$(base64 -w 0 $(ACME_FULLCHAIN_FILE))" \ + --arg tlskey "$$(base64 -w 0 $(ACME_KEY_FILE))" \ + '{ + kind: $$kind, + metadata: {name: $$name}, + data: { + "ca.crt": $$cacert, + "tls.crt": $$tlscert, + "tls.key": $$tlskey + } + }' > $@ + +############################################################################### + +select_status_code = grep 'HTTP/' | awk '{printf $$2}' + +define k8s_api + curl \ + -i \ + -X $(1) \ + --cacert "$(K8S_CA_FILE)" \ + -H "Authorization: Bearer $(K8S_TOKEN)" \ + -H 'Accept: application/json' \ + -H "Content-Type: application/json" +endef + +define get_secret + $(call k8s_api,GET) $(K8S_SECRERTS_URL)/$(SECRET_NAME) | \ + $(select_status_code) +endef + +define post_secret + $(call k8s_api,POST) $(K8S_SECRERTS_URL) --data @$(1) | \ + $(select_status_code) +endef + +define put_secret + $(call k8s_api,PUT) $(K8S_SECRERTS_URL)/$(SECRET_NAME) --data @$(1) | + $(select_status_code) +endef + +$(SECRET_UPDATED): $(JSON_SECRET) + mkdir -p $(@D) + GET_STATUS_CODE=$$($(call get_secret)) \ + if [ "$${GET_STATUS_CODE}" = "404" ]; then \ + echo "adding cert" \ + POST_STATUS_CODE=$$($(call post_secret,$^)) \ + [ "$${POST_STATUS_CODE}" = "200" ] && touch $@ \ + elif [ "$${GET_STATUS_CODE}" = "200" ]; then \ + echo "updating existing cert" \ + PUT_STATUS_CODE=$$($(call put_secret,$^)) \ + [ "$${PUT_STATUS_CODE}" = "200" ] && touch $@ \ + fi + +###############################################################################