[ci skip] update tls auto renew script to use technitium

.drone.yml

@@ -93,6 +93,8 @@ steps:
     image: alpine
     environment:
       TF_VAR_prod: "true"
+      TECHNITIUM_API_KEY:
+        from_secret: TECHNITIUM_API_KEY
     commands:
       - "apk update && apk add git certbot expect curl gzip"
       # Install terraform cli

modules/kubernetes/setup_tls_secret/renew.sh

@@ -6,10 +6,7 @@ set config_dir "$le_dir/out/config"
 set pwd [pwd]
 set technitium_token "REDACTED_TECHNITIUM_TOKEN"
 
-# contents for certbot-auth
-set auth_contents {#!/usr/bin/env sh
-    # Generate API token from DNS web console
-    API_TOKEN="REDACTED_TECHNITIUM_TOKEN"
+spawn certbot certonly --manual --preferred-challenge=dns --email me@viktorbarzin.me --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.viktorbarzin.me -d viktorbarzin.me --config-dir $config_dir --work-dir $le_dir/workdir --logs-dir $le_dir/logsdir --no-eff-email
 
     # Create challenge TXT record
     curl "http://technitium-web.technitium.svc.cluster.local:5380/api/zones/records/add?token=$API_TOKEN&domain=_acme-challenge.\$CERTBOT_DOMAIN&type=TXT&ttl=60&text=\$CERTBOT_VALIDATION"
@@ -37,10 +34,22 @@ send "echo \"$cleanup_contents\" > /root/certbot-cleanup.sh \r"
 send "chmod 700 /root/certbot-cleanup.sh \r"
 send "exit \r"
 
-exit 0
-spawn certbot certonly --manual --preferred-challenges=dns --email me@viktorbarzin.me --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --manual-auth-hook /root/certbot-auth.sh --config-dir $config_dir --work-dir $le_dir/workdir --logs-dir $le_dir/logsdir --no-eff-email --manual-cleanup-hook /root/certbot-cleanup.sh -d viktorbarzin.me -d *.viktorbarzin.me
+# Force deployment recreation
+# exec terraform taint module.kubernetes_cluster.module.bind.module.bind-public-deployment.kubernetes_deployment.bind
+exec terraform taint module.kubernetes_cluster.module.technitium.kubernetes_deployment.technitium
+# set current_time [clock seconds]
+# set formatted_time [clock format $current_time -format "+%Y-%m-%dT%TZ"]
+# exec curl -X PATCH https://10.0.20.100:6443/apis/apps/v1/namespaces/technitium/deployments/technitium -H \"Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" -H \"Content-Type:application/strategic-merge-patch+json\" -k -d '{\"spec\": {\"template\": {\"metadata\": { \"annotations\": {\"kubectl.kubernetes.io/restartedAt\": \"'$(date +%Y-%m-%dT%TZ)'\" }}}}}' 
+# exec curl -X PATCH https://10.0.20.100:6443/apis/apps/v1/namespaces/technitium/deployments/technitium -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type: application/strategic-merge-patch+json" -k -d "{\"spec\": {\"template\": {\"metadata\": { \"annotations\": {\"kubectl.kubernetes.io/restartedAt\": \"$formatted_time\" }}}}}"
+# exec terraform taint module.kubernetes_cluster.module.technitium.module.technitium.kubernetes_deployment.technitium
+# Apply changes to configmap and redeploy
+exec >@stdout 2>@stderr terraform apply -auto-approve -target=module.kubernetes_cluster.module.technitium
 
-############# Old way of auth
+# Wait for deployment update
+# TODO: better to use k8s api. What we want is `kubectl rollout status deployment -l app=bind-public` as a curl
+# exec bash -c 'while [[ $(kubectl get pods -l app=bind-public -o \'jsonpath={..status.conditions[\?(\@.type=="Ready")].status}\') != "True" ]]; do echo "waiting pod..." && sleep 1; done'
+exec >@stdout echo 'Waiting for redeployment of technitium...'
+exec sleep 10
 
 # spawn certbot certonly --manual --preferred-challenge=dns --email me@viktorbarzin.me --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.viktorbarzin.me -d viktorbarzin.me --config-dir $config_dir --work-dir $le_dir/workdir --logs-dir $le_dir/logsdir --no-eff-email
 

modules/kubernetes/setup_tls_secret/renew2.sh

@@ -5,15 +5,16 @@ set -e
 
 export le_dir="/tmp/le/"
 export config_dir="$le_dir/out/config"
-export technitium_token="REDACTED_TECHNITIUM_TOKEN"
+export technitium_token="$TECHNITIUM_API_KEY"
 export certbot_auth="$le_dir/certbot_auth.sh"
 export certbot_cleanup="$le_dir/certbot_cleanup.sh"
 
 mkdir $le_dir
+echo "Creating $certbot_auth"
 cat << EOF > $certbot_auth
 #!/usr/bin/env sh
 # Generate API token from DNS web console
-API_TOKEN="REDACTED_TECHNITIUM_TOKEN"
+API_TOKEN="$technitium_token"
 
 # Create challenge TXT record
 curl "http://technitium-web.technitium.svc.cluster.local:5380/api/zones/records/add?token=\$API_TOKEN&domain=_acme-challenge.\$CERTBOT_DOMAIN&type=TXT&ttl=60&text=\$CERTBOT_VALIDATION"
@@ -26,10 +27,11 @@ chmod 700 $certbot_auth
 cat $certbot_auth
 
 
+echo "Creating $certbot_cleanup"
 cat << EOF > $certbot_cleanup
 #!/usr/bin/env sh
 # Generate API token from DNS web console
-API_TOKEN="REDACTED_TECHNITIUM_TOKEN"
+API_TOKEN="$technitium_token"
 
 # Delete challenge TXT record
 curl "http://technitium-web.technitium.svc.cluster.local:5380/api/zones/records/delete?token=\$API_TOKEN&domain=_acme-challenge.\$CERTBOT_DOMAIN&type=TXT&text=\$CERTBOT_VALIDATION"
@@ -39,6 +41,7 @@ chmod 700 $certbot_cleanup
 cat $certbot_cleanup
 
 
+echo "Executing certbot renew command"
 certbot certonly --manual --preferred-challenges=dns --email me@viktorbarzin.me --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --manual-auth-hook $certbot_auth --config-dir $config_dir --work-dir $le_dir/workdir --logs-dir $le_dir/logsdir --no-eff-email --manual-cleanup-hook $certbot_cleanup -d viktorbarzin.me -d *.viktorbarzin.me
 
 exec cp --remove-destination $config_dir/live/viktorbarzin.me/fullchain.pem ./secrets