added sync-certs-job

2025-06-05 11:51:05 +00:00
parent 077be73b69
commit c5726df9c4
8 changed files with 235 additions and 34 deletions
--- a/casa-limbosolutions-com/icarus/README.md
+++ b/casa-limbosolutions-com/icarus/README.md
@@ -0,0 +1,29 @@
+# casa.limbosolutions.com at icarus
+
+Use icarus cluster context to all documentation and scrips on this folder. [Check Instructions](#icarus-cluster---access) for how to setup required user and roles on icurus and client kubeconfig.
+
+## certificates (wildcard)
+
+```bash
+kubectl apply -f ./certs.yaml
+```
+
+```bash
+#check certificates
+kubectl get cert -n casa-limbosolutions-com
+```
+
+## Icarus cluster - access
+
+On user computer.  
+*Access to k3s context not required.*
+
+```bash
+# create private key
+openssl genrsa -out ../../.env.d/kube/casa@icarus-user.key 2048
+
+# create csr
+openssl req -new -key ../../.env.d/kube/casa@icarus-user.key -out ../../.env.d/kube/casa@icarus-user.csr -subj "/CN=casa/O=limbosolutions"
+```
+
+Follow instructions to [setup user and roles on icarus k3s cluster](./k3s-admin.md), and setup kubectl config [kube config](./k3s-kubctl-config.md).
--- a/casa-limbosolutions-com/icarus/certs.yaml
+++ b/casa-limbosolutions-com/icarus/certs.yaml
@@ -0,0 +1,14 @@
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: casa-limbosolutions-com
+  namespace: casa-limbosolutions-com
+spec:
+  secretName: casa-limbosolutions-com-tls
+  dnsNames:
+  - "casa.limbosolutions.com"
+  - "*.casa.limbosolutions.com"
+  issuerRef:
+    kind: ClusterIssuer
+    name: letsencrypt-prod
--- a/casa-limbosolutions-com/icarus/k3s-admin.md
+++ b/casa-limbosolutions-com/icarus/k3s-admin.md
@@ -0,0 +1,95 @@
+# casa on Icarus - admin
+
+Requires kubernetes admin user access to icarus. All documentation and scripts must be executed on icarus context with an admin account.
+
+Currently using an symbolic on icarus project on my dev device to this file.
+
+## kubernetes Namespace
+
+```bash
+# delete namespace
+kubectl create namespace casa-limbosolutions-com
+```
+
+```bash
+# delete namespace
+kubectl delete namespace casa-limbosolutions-com
+```
+
+## Roles and Bindings
+
+``` yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  namespace: casa-limbosolutions-com
+  name: casa-limbosolutions-com
+rules:
+  - apiGroups: 
+      - ""
+      - cert-manager.io # to access deployments certs from cert-manager
+      - apps # to access deployments
+      - networking.k8s.io # to access ingresses
+    resources: 
+      - pods
+      - services
+      - secrets
+      - certificates
+      - deployments
+      - configmaps
+      - ingresses
+      - persistentvolumeclaims
+    verbs: 
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+      - deletecollection
+```
+
+``` yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: casa-limbosolutions-com-rb  # Replace with your role binding name
+  namespace: casa-limbosolutions-com     # Replace with your namespace
+subjects:
+- kind: User                   # or "ServiceAccount" for service accounts
+  name: casa           # Replace with the username or service account name
+  apiGroup: rbac.authorization.k8s.io
+  namespace: casa-limbosolutions-com
+roleRef:
+  kind: ClusterRole
+  name: casa-limbosolutions-com          # The name of the role you created
+  apiGroup: rbac.authorization.k8s.io
+```
+
+### kubernetes User
+
+```bash
+#Deploy csr to k3s
+cat <<EOF | kubectl apply -f -
+apiVersion: certificates.k8s.io/v1
+kind: CertificateSigningRequest
+metadata:
+  name: casa-user-csr
+spec:
+  request: $(cat ../.env.d/.kube/casa@icarus-user.csr | base64 | tr -d '\n')
+  signerName: kubernetes.io/kube-apiserver-client
+  usages:
+  - client auth
+EOF
+```
+
+```bash
+# Approve csr
+kubectl certificate approve casa-user-csr
+```
+
+```bash
+# Download kubernet user crt
+kubectl get csr casa-user-csr -o jsonpath='{.status.certificate}' | base64 --decode > ./.env.d/casa@icarus-user.crt
+```
--- a/casa-limbosolutions-com/sync-certs-job/README.md
+++ b/casa-limbosolutions-com/sync-certs-job/README.md
@@ -0,0 +1 @@
+
--- a/casa-limbosolutions-com/sync-certs-job/docker-compose.yaml
+++ b/casa-limbosolutions-com/sync-certs-job/docker-compose.yaml
@@ -0,0 +1,74 @@
+
+configs:
+  sync-certs-sh:
+    content: |
+      #!/bin/bash
+      ##############################################################################################################################
+      # notes:
+      # --certificate-authority="$${KUBERNETES_CRT_AUTHORITY}" not working, dont hnow why, so using --insecure-skip-tls-verify
+      ##############################################################################################################################
+      
+      
+      set -e
+      mkdir -p /tmp/.kube
+
+      echo "Trace: Setup kube"
+      base64 -d <<< "${KUBERNETES_CRT_AUTHORITY_DATA}" > "$${KUBERNETES_CRT_AUTHORITY}"
+      base64 -d <<< "${KUBERNETES_CLIENT_CRT_DATA}" > "$${KUBERNETES_CLIENT_CRT}"
+      base64 -d <<< "${KUBERNETES_CLIENT_KEY_DATA}" > "$${KUBERNETES_CLIENT_KEY}"
+
+      # while true ; do
+      #   sleep 5
+      # done
+
+   
+      echo "Trace: Fetching secrets"
+      CERT_NAMES=$(kubectl get secrets \
+        -n casa-limbosolutions-com \
+        --server="$${KUBERNETES_SERVER}" \
+        --client-key="$${KUBERNETES_CLIENT_KEY}" \
+        --client-certificate="$${KUBERNETES_CLIENT_CRT}" \
+        --insecure-skip-tls-verify \
+        -o json | jq -r '.items[].metadata.name')
+
+      for CERT_NAME in $$CERT_NAMES; do
+        echo "Trace: Syncing certificate: $$CERT_NAME"
+        kubectl get secret "$$CERT_NAME" \
+          -n casa-limbosolutions-com \
+          --server="$${KUBERNETES_SERVER}" \
+          --client-key="$${KUBERNETES_CLIENT_KEY}" \
+          --client-certificate="$${KUBERNETES_CLIENT_CRT}" \
+          --insecure-skip-tls-verify \
+          -o json | \
+          jq -r '.data | to_entries[] | "\(.key) \(.value)"' | \
+          while IFS=' ' read -r KEY VALUE; do
+            echo "Processing key: $$KEY"
+            # Decode the base64 value and save it to the appropriate file
+            echo "Trace: Saving key: $$KEY"
+            echo "$$VALUE" | base64 -d > "/etc/ssl/certs/casa-limbosolutions-com-certs/$${CERT_NAME}_$${KEY}"
+          done
+      done
+     
+      echo "Info: Certificates synced successfully."  
+
+services:
+  kubectl:
+    image: bitnami/kubectl:latest
+    environment:
+      KUBERNETES_SERVER: ${KUBERNETES_SERVER}
+      KUBERNETES_CRT_AUTHORITY: /tmp/.kube/ca.crt
+      KUBERNETES_CLIENT_CRT: /tmp/.kube/client.crt
+      KUBERNETES_CLIENT_KEY: /tmp/.kube/client.key
+    container_name: sync-certs-job
+    entrypoint: bash -c /app/sync-certs.sh
+    configs:
+      - source: sync-certs-sh
+        target: /app/sync-certs.sh
+        mode: 0755
+    volumes:
+      - casa-certs:/etc/ssl/certs/casa-limbosolutions-com-certs:rw
+volumes:
+  casa-certs:
+    name: casa-limbosolutions-com-certs
+    external: true # Atention permission must be set to 1001:1001 (using chown on nginx container command)
+
--- a/services/nginx/docker-compose.yaml
+++ b/services/nginx/docker-compose.yaml
@@ -1,4 +1,13 @@
 version: '3'
+
+configs:
+  run-sh:
+    content: |
+      #!/bin/sh
+      # patch security so kubctl on sync-certs-job can write to the mounted volume
+      chown -R 1001:1001 /etc/ssl/certs/casa-limbosolutions-com-certs
+      while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g "daemon off;"
+
 services:
  nginx:
    build:
@@ -6,23 +15,26 @@ services:
    pull_policy: build
    image: homesrv/nginx:latest
    volumes:
-      - casa-certs:/etc/ssl
+      - casa-limbosolutions-com-certs:/etc/ssl/certs/casa-limbosolutions-com-certs
    ports:
      - 443:443
      - 80:80
    networks:
      - public
      - private
-    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
    restart: unless-stopped
+    command: /bin/sh -c '/run.sh'
+    configs:
+      - source: run-sh
+        target: /run.sh
+        mode: 0755
 volumes:
  nginx-conf.d:
-  casa-certs:
-    name: casa-certs
-    external: true

-  # etc_ssl:
-  #   name: nginx_etc_ssl 
+  casa-limbosolutions-com-certs:
+    name: casa-limbosolutions-com-certs
+    external: false     
+
 networks:
  public:
    name: reverseproxy_public
--- a/services/nginx/docker/nginx.conf.d/has.conf
+++ b/services/nginx/docker/nginx.conf.d/has.conf
@@ -13,8 +13,8 @@ server {
 server {

    listen 443 ssl;
-    ssl_certificate /etc/ssl/tls.crt;
-    ssl_certificate_key /etc/ssl/tls.key;
+    ssl_certificate /etc/ssl/certs/casa-limbosolutions-com-certs/casa-limbosolutions-com-tls_tls.crt;
+    ssl_certificate_key /etc/ssl/certs/casa-limbosolutions-com-certs/casa-limbosolutions-com-tls_tls.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

--- a/services/rclone-certs/docker-compose.yaml
+++ b/services/rclone-certs/docker-compose.yaml
@@ -1,24 +0,0 @@
-version: '3.8'
-
-services:
-  rclone:
-    image: rclone/rclone:latest
-    container_name: rclone
-    environment:
-      - TZ=UTC
-      - RCLONE_CONFIG_S3_TYPE=s3
-      - RCLONE_CONFIG_S3_PROVIDER=SeaweedFS
-      - RCLONE_CONFIG_S3_ACCESS_KEY_ID=${RCLONE_S3_ACCESS_KEY_ID}
-      - RCLONE_CONFIG_S3_SECRET_ACCESS_KEY=${RCLONE_S3_SECRET_ACCESS_KEY}
-      - RCLONE_CONFIG_S3_ENDPOINT=${RCLONE_S3_ENDPOINT}
-      - RCLONE_CONFIG_S3_BUCKET=${RCLONE_S3_BUCKET}
-      
-    volumes:
-      - casa-certs:/certs
-    command: sync s3:/casa.certs /certs
-    restart: no
-volumes:
-  casa-certs:
-    name: casa-certs
-    external: false
-