Apparently there's an alert that goes off if a cert expiring in less than 7 days is used to authenticate to k8s
#!/usr/bin/env python3
import subprocess
import logging
import base64
import os
import requests
import json
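# DEBUG is acceptable here: the only thing run() logs is the argv list, and the
# private key never appears on argv (it is piped over stdin), so no key material
# reaches the log.
logging.basicConfig(level=logging.DEBUG)

# k3s server CA, base64-wrapped once more because that is the encoding kubectl
# expects in a kubeconfig's certificate-authority-data field.
with open("/var/lib/rancher/k3s/server/tls/server-ca.crt") as f:
    ca = base64.b64encode(f.read().encode()).decode()

# Forgejo API token used to PUT the repository Actions secret.
# Fail fast: without it every request would go out as "Authorization: token None"
# and only fail with an HTTP error after a key and cert had already been minted
# (and a .srl serial file written next to the client CA).
forgejo_token = os.getenv("FORGEJO_TOKEN")
if not forgejo_token:
    raise SystemExit("FORGEJO_TOKEN is not set")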
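def run(cmd: list[str], stdin=None) -> bytes:
    """Run *cmd* and return its stdout, or exit the program with status 1 on failure.

    Args:
        cmd: argv list. It is executed without a shell, so nothing in it is
            re-parsed; only this list is logged, never the stdin payload.
        stdin: optional ``bytes`` fed to the child's standard input. Secrets
            (the freshly generated private key) travel this way instead of on
            argv, where they would be visible in ``ps`` and in the DEBUG log.
            When ``None`` the child gets an immediately closed pipe (EOF).

    Returns:
        The child's raw stdout as ``bytes`` (PEM text from openssl).

    Raises:
        SystemExit: with code 1 when the child exits non-zero. The child's
            stderr is left attached to ours so its own error text stays visible.
    """
    logging.debug("executing %s", cmd)
    # b"" rather than None keeps the original semantics: stdin is a pipe that is
    # closed right away, so a child that would otherwise read the terminal gets
    # EOF instead of inheriting our stdin.
    completed = subprocess.run(cmd, input=b"" if stdin is None else stdin, stdout=subprocess.PIPE)
    if completed.returncode != 0:
        # logging uses %-style placeholders; the previous "{}" format was never
        # interpolated, and the exit went through os.exit(), which does not
        # exist (AttributeError), so the real failure was masked.
        logging.critical("%s exited with code %d", cmd, completed.returncode)
        raise SystemExit(1)
    return completed.stdout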
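def _issue_client_cert(k8s_name: str, days: int) -> tuple[bytes, bytes]:
    """Mint a fresh RSA-4096 key and a short-lived client cert for *k8s_name*.

    The key is generated in memory and piped to openssl on stdin
    (``-key /dev/stdin``); it is never written to disk or put on argv.
    The cert is signed directly by the k3s client CA, so the API server will
    accept it; Kubernetes takes the user name from the CN, and no ``/O=``
    groups are set, so the identity carries only the RBAC bindings made for
    that user.

    Returns:
        ``(key_pem, cert_pem)`` as raw bytes from openssl.

    Raises:
        SystemExit: propagated from run() if any openssl step fails.
    """
    key = run(["openssl", "genrsa", "4096"])
    csr = run(
        ["openssl", "req", "-key", "/dev/stdin", "-new", "-nodes", "-subj", f"/CN={k8s_name}"],
        stdin=key,
    )
    # Side effect: -CAcreateserial creates/updates a .srl serial file next to
    # the CA cert inside the k3s tls directory.
    cert = run(
        [
            "openssl",
            "x509",
            "-req",
            "-CA",
            "/var/lib/rancher/k3s/server/tls/client-ca.nochain.crt",
            "-CAkey",
            "/var/lib/rancher/k3s/server/tls/client-ca.key",
            "-CAcreateserial",
            "-days",
            str(days),
        ],
        stdin=csr,
    )
    return key, cert


def _render_kubeconfig(ca_b64: str, cert_b64: str, key_b64: str) -> str:
    """Return a single-user kubeconfig (YAML text) for the fixed k3s endpoint.

    All three arguments are base64-encoded PEM, which is what kubectl expects
    in the ``*-data`` fields.
    """
    return f"""
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: {ca_b64}
    server: https://10.5.1.110:6443
  name: default
contexts:
- context:
    cluster: default
    user: default
  name: default
current-context: default
kind: Config
preferences: {{}}
users:
- name: default
  user:
    client-certificate-data: {cert_b64}
    client-key-data: {key_b64}
"""


def update_cert(k8s_name: str, owner: str, repo: str, days: int = 10) -> None:
    """Issue a new client cert for *k8s_name* and store it as a repo Actions secret.

    The resulting kubeconfig is written to the ``KUBERNETES_CLIENT_CONFIG``
    secret of ``owner/repo`` on the Forgejo instance, replacing the previous one.

    Args:
        k8s_name: Kubernetes user name placed in the certificate CN.
        owner: Forgejo repository owner. Interpolated straight into the API
            path; values come from the operator-supplied REPO_MAPPINGS, not
            from untrusted input.
        repo: Forgejo repository name (same caveat as *owner*).
        days: certificate lifetime. Defaults to 10 so the cert clears the
            "expires in less than 7 days" alert mentioned in the commit
            message; presumably this script runs at least every 3 days, so
            confirm the schedule if you change this.

    NOTE(review): nothing revokes the previous cert, and the Kubernetes API
    server does not check a CRL for client certs, so the short lifetime is
    what bounds the usefulness of a leaked secret.

    Raises:
        SystemExit: if any openssl step fails (via run()).
        requests.HTTPError: if Forgejo rejects the secret update.
        requests.RequestException: on connection failure or timeout.
    """
    key, cert = _issue_client_cert(k8s_name, days)
    kubeconfig = _render_kubeconfig(
        ca,
        base64.b64encode(cert).decode(),
        base64.b64encode(key).decode(),
    )

    logging.info("updating secret for %s/%s", owner, repo)
    # timeout: without one a stalled connection would hang the whole rotation
    # run (and every repo after this one) indefinitely.
    resp = requests.put(
        f"https://git.janky.solutions/api/v1/repos/{owner}/{repo}/actions/secrets/KUBERNETES_CLIENT_CONFIG",
        data=json.dumps({"data": kubeconfig}),
        headers={
            "Authorization": f"token {forgejo_token}",
            "Content-Type": "application/json",
        },
        timeout=30,
    )
    resp.raise_for_status()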
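# REPO_MAPPINGS is a JSON list of objects whose keys match update_cert()'s
# parameters ({"k8s_name": ..., "owner": ..., "repo": ...}); each object is
# unpacked as keyword arguments. Fail with a clear message if it is unset
# instead of the TypeError json.loads(None) would raise.
_mappings = os.getenv("REPO_MAPPINGS")
if _mappings is None:
    raise SystemExit("REPO_MAPPINGS is not set")
for entry in json.loads(_mappings):
    update_cert(**entry)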