From f7fdec2032b32e4990c75af3b294fd52c09b491b Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Mon, 9 Oct 2023 11:25:08 +0000
Subject: [PATCH] [ci skip] update tls auto renew script to use technitium

---
 .drone.yml | 2 ++
 modules/kubernetes/setup_tls_secret/renew.sh | 23 +++++++++++++------
 modules/kubernetes/setup_tls_secret/renew2.sh | 9 +++++---
 3 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/.drone.yml b/.drone.yml
index c8259d98..e5aa8612 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -93,6 +93,8 @@ steps:
 image: alpine
 environment:
 TF_VAR_prod: "true"
+TECHNITIUM_API_KEY:
+from_secret: TECHNITIUM_API_KEY
 commands:
 - "apk update && apk add git certbot expect curl gzip"
 # Install terraform cli
diff --git a/modules/kubernetes/setup_tls_secret/renew.sh b/modules/kubernetes/setup_tls_secret/renew.sh
index 410cea6a..a1946d65 100755
--- a/modules/kubernetes/setup_tls_secret/renew.sh
+++ b/modules/kubernetes/setup_tls_secret/renew.sh
@@ -6,10 +6,7 @@ set config_dir "$le_dir/out/config"
 set pwd [pwd]
 set technitium_token "REDACTED_TECHNITIUM_TOKEN"
-# contents for certbot-auth
-set auth_contents {#!/usr/bin/env sh
- # Generate API token from DNS web console
- API_TOKEN="REDACTED_TECHNITIUM_TOKEN"
+spawn certbot certonly --manual --preferred-challenge=dns --email me@viktorbarzin.me --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.viktorbarzin.me -d viktorbarzin.me --config-dir $config_dir --work-dir $le_dir/workdir --logs-dir $le_dir/logsdir --no-eff-email
  # Create challenge TXT record
  curl "http://technitium-web.technitium.svc.cluster.local:5380/api/zones/records/add?token=$API_TOKEN&domain=_acme-challenge.\$CERTBOT_DOMAIN&type=TXT&ttl=60&text=\$CERTBOT_VALIDATION"
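Review bot: The added `spawn certbot …` line takes the place of `set auth_contents {`, but the two context lines that follow it (` # Create challenge TXT record` and the `curl …add?token=$API_TOKEN…` line) were the body of that brace block and now sit at top level; the block's closing `}` presumably still exists in the unchanged lines after this hunk, which would leave the expect script with an unbalanced brace, so the file is worth re-reading end to end after this change. The context line `set technitium_token "…"` keeps the token hard-coded in renew.sh even though renew2.sh in this same commit reads it from `TECHNITIUM_API_KEY`; `set technitium_token $env(TECHNITIUM_API_KEY)` would make the two scripts consistent and keep the secret out of the repository. The new line also spells the flag `--preferred-challenge=dns`, while the spawn line removed in the next hunk used `--preferred-challenges=dns`, the form certbot documents; the short form may only work through option-prefix matching, so the full name is the safer choice.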
@@ -37,10 +34,22 @@ send "echo \"$cleanup_contents\" > /root/certbot-cleanup.sh \r"
 send "chmod 700 /root/certbot-cleanup.sh \r"
 send "exit \r"
-exit 0
-spawn certbot certonly --manual --preferred-challenges=dns --email me@viktorbarzin.me --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --manual-auth-hook /root/certbot-auth.sh --config-dir $config_dir --work-dir $le_dir/workdir --logs-dir $le_dir/logsdir --no-eff-email --manual-cleanup-hook /root/certbot-cleanup.sh -d viktorbarzin.me -d *.viktorbarzin.me
+# Force deployment recreation
+# exec terraform taint module.kubernetes_cluster.module.bind.module.bind-public-deployment.kubernetes_deployment.bind
+exec terraform taint module.kubernetes_cluster.module.technitium.kubernetes_deployment.technitium
+# set current_time [clock seconds]
+# set formatted_time [clock format $current_time -format "+%Y-%m-%dT%TZ"]
+# exec curl -X PATCH https://10.0.20.100:6443/apis/apps/v1/namespaces/technitium/deployments/technitium -H \"Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" -H \"Content-Type:application/strategic-merge-patch+json\" -k -d '{\"spec\": {\"template\": {\"metadata\": { \"annotations\": {\"kubectl.kubernetes.io/restartedAt\": \"'$(date +%Y-%m-%dT%TZ)'\" }}}}}'
+# exec curl -X PATCH https://10.0.20.100:6443/apis/apps/v1/namespaces/technitium/deployments/technitium -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type: application/strategic-merge-patch+json" -k -d "{\"spec\": {\"template\": {\"metadata\": { \"annotations\": {\"kubectl.kubernetes.io/restartedAt\": \"$formatted_time\" }}}}}"
+# exec terraform taint module.kubernetes_cluster.module.technitium.module.technitium.kubernetes_deployment.technitium
+# Apply changes to configmap and redeploy
+exec >@stdout 2>@stderr terraform apply -auto-approve -target=module.kubernetes_cluster.module.technitium
-############# Old way of auth
+# Wait for deployment update
+# TODO: better to use k8s api. What we want is `kubectl rollout status deployment -l app=bind-public` as a curl
+# exec bash -c 'while [[ $(kubectl get pods -l app=bind-public -o \'jsonpath={..status.conditions[\?(\@.type=="Ready")].status}\') != "True" ]]; do echo "waiting pod..." && sleep 1; done'
+exec >@stdout echo 'Waiting for redeployment of technitium...'
+exec sleep 10
 # spawn certbot certonly --manual --preferred-challenge=dns --email me@viktorbarzin.me --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.viktorbarzin.me -d viktorbarzin.me --config-dir $config_dir --work-dir $le_dir/workdir --logs-dir $le_dir/logsdir --no-eff-email
diff --git a/modules/kubernetes/setup_tls_secret/renew2.sh b/modules/kubernetes/setup_tls_secret/renew2.sh
index bc9624d7..ec0a5db3 100755
--- a/modules/kubernetes/setup_tls_secret/renew2.sh
+++ b/modules/kubernetes/setup_tls_secret/renew2.sh
@@ -5,15 +5,16 @@ set -e
 export le_dir="/tmp/le/"
 export config_dir="$le_dir/out/config"
-export technitium_token="REDACTED_TECHNITIUM_TOKEN"
+export technitium_token="$TECHNITIUM_API_KEY"
 export certbot_auth="$le_dir/certbot_auth.sh"
 export certbot_cleanup="$le_dir/certbot_cleanup.sh"
 mkdir $le_dir
+echo "Creating $certbot_auth"
 cat << EOF > $certbot_auth
 #!/usr/bin/env sh
 # Generate API token from DNS web console
-API_TOKEN="REDACTED_TECHNITIUM_TOKEN"
+API_TOKEN="$technitium_token"
 # Create challenge TXT record
 curl "http://technitium-web.technitium.svc.cluster.local:5380/api/zones/records/add?token=\$API_TOKEN&domain=_acme-challenge.\$CERTBOT_DOMAIN&type=TXT&ttl=60&text=\$CERTBOT_VALIDATION"
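Review bot: `exec sleep 10` after the `terraform apply` line is a fixed delay, not a readiness check, so if the technitium rollout takes longer the auth hook's record-add call runs against a service that is not yet up and the DNS challenge fails; the TODO comment in this hunk already acknowledges the gap. Polling the DNS API host the hook talks to until it answers, with a bounded deadline, removes the race without the kubectl/API-server approach sketched in the commented-out lines (the path polled should be one that returns success once the service is serving). Separately, `exec terraform taint …` is not given the `>@stdout 2>@stderr` redirection the apply line has, so its output is captured rather than shown in the CI log, and newer Terraform releases document `taint` as deprecated in favour of `terraform apply -replace=<address>`. The commented-out `curl -k` calls against the API server are dead code and can be dropped rather than carried along.
```tcl
# Wait for deployment update: poll the DNS API the hook uses instead of a fixed sleep
exec >@stdout echo 'Waiting for redeployment of technitium...'
set deadline [expr {[clock seconds] + 120}]
while {[catch {exec curl -sf -o /dev/null http://technitium-web.technitium.svc.cluster.local:5380/}]} {
    if {[clock seconds] > $deadline} {
        error "technitium did not become ready in time"
    }
    exec sleep 2
}
# … unchanged: commented-out spawn line …
```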
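Review bot: `export technitium_token="$TECHNITIUM_API_KEY"` has no check that the variable is set; the script runs under `set -e` without `-u`, so a missing CI secret silently bakes `API_TOKEN=""` into both hooks and the failure only surfaces later as a rejected TXT-record call inside certbot. Add `: "${TECHNITIUM_API_KEY:?TECHNITIUM_API_KEY is not set}"` before the export. Because the heredoc delimiter is unquoted, the token is also written in clear text into `$le_dir/certbot_auth.sh` under `/tmp`, and the unchanged `cat $certbot_auth` / `cat $certbot_cleanup` lines in the following two hunks print it into the build log unless the CI runner masks secret values; quoting the delimiter (`cat << 'EOF' > $certbot_auth`, dropping the `\$` escapes in the body) and writing `API_TOKEN="$TECHNITIUM_API_KEY"` so the hook reads it from the environment certbot passes through avoids both, and the same applies to the `@@ -26,10` hunk. The hook files are also created before `chmod 700` runs, so an `umask 077` near the top of the script would close the brief window in which they are readable under the default umask.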
@@ -26,10 +27,11 @@ chmod 700 $certbot_auth
 cat $certbot_auth
+echo "Creating $certbot_cleanup"
 cat << EOF > $certbot_cleanup
 #!/usr/bin/env sh
 # Generate API token from DNS web console
-API_TOKEN="REDACTED_TECHNITIUM_TOKEN"
+API_TOKEN="$technitium_token"
 # Delete challenge TXT record
 curl "http://technitium-web.technitium.svc.cluster.local:5380/api/zones/records/delete?token=\$API_TOKEN&domain=_acme-challenge.\$CERTBOT_DOMAIN&type=TXT&text=\$CERTBOT_VALIDATION"
@@ -39,6 +41,7 @@ chmod 700 $certbot_cleanup
 cat $certbot_cleanup
+echo "Executing certbot renew command"
 certbot certonly --manual --preferred-challenges=dns --email me@viktorbarzin.me --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --manual-auth-hook $certbot_auth --config-dir $config_dir --work-dir $le_dir/workdir --logs-dir $le_dir/logsdir --no-eff-email --manual-cleanup-hook $certbot_cleanup -d viktorbarzin.me -d *.viktorbarzin.me
 exec cp --remove-destination $config_dir/live/viktorbarzin.me/fullchain.pem ./secrets