🐛 truenas-certs-deploy

2025-09-17 18:24:14 +02:00 · 2023-03-16 23:53:53 +01:00
parent 610d7cb303
commit a7167773e6
4 changed files with 17 additions and 12 deletions
--- a/kubernetes/apps/default/truenas/certs-deploy/helmrelease.yaml
+++ b/kubernetes/apps/default/truenas/certs-deploy/helmrelease.yaml
@@ -86,7 +86,7 @@ spec:
          - name: SECRET_DOMAIN
            value: ${SECRET_DOMAIN}
          - name: CERTS_DEPLOY_S3_ENABLED
-            value: "True"
+            value: "False"
        envFrom:
          - secretRef:
              name: truenas-certs-deploy-secret
--- a/kubernetes/apps/default/truenas/certs-deploy/secret.sops.yaml
+++ b/kubernetes/apps/default/truenas/certs-deploy/secret.sops.yaml
@@ -6,6 +6,7 @@ metadata:
 type: Opaque
 stringData:
    TRUENAS_API_KEY: ENC[AES256_GCM,data:0B0eF5hqqwDuv61BFxirXqxrIEtABYCRnHv97XiiyIEEKM2+DH/L0VknFczxEZIbdhERip30is4irI8mUhJOT9S2,iv:JlHKJhRd/UPJh354GyUftnrFBHLZLhIRGSfYbxKriCs=,tag:njMr8GG+YCjKpZvK3pFWsQ==,type:str]
+    TRUENAS_REMOTE_API_KEY: ENC[AES256_GCM,data:hHsW9mHIVj9JQqJb/xdTwC0I9ro7OqVT5owjVS00VDplhl81f3zjSN7B+HL3YOVYg2VrjoJ/1Gukk7F413CXcqI7,iv:b2SAPCAmbcvfam9Kt6ess5musA7jawiQPVwxMKwJpmE=,tag:ILIgoNmSFXPGs6zRHi/u7Q==,type:str]
    PUSHOVER_API_KEY: ENC[AES256_GCM,data:cyk9BKRm/sSP9/y58+P1T6KMog+FqD/088NFgJ9E,iv:4d9NorzBh+XpvV0oAk6eC+d5adcDkoqwpg/iX1tI6J0=,tag:PAWmAMz6p6wXjTtMSBeJwQ==,type:str]
    PUSHOVER_USER_KEY: ENC[AES256_GCM,data:TDSEIhc63jIoquDRBAeU987nfDHIhrmie41m5iA/,iv:3pHGEh9tJgeBr0B6DIT0sKtfedEZSXkAsFd+7oaIb2U=,tag:6SMb0MQzXfQNNlGsVbr3AA==,type:str]
    SSH_KEY: ENC[AES256_GCM,data:/u/tzgpNhYeTfO3Y1V5DsXXWHcnpGCpmSQmcHmhtiQHeuWJJyCy9cObf6Hm8BQjmYPSnUwCGMC1GQM8rjHBiWDXVMK5IXiQlpd5gFxxH8LK8DjfMy8hiNLEe40dkYB044mfGJbyfBEK3AaGURVHlgfzGQiXMWbqSL9BGGr3hhvfuWyrpFxJSDC8CmJ0Swu9Fw8J6LliTwMG1LQAJUNd8ZJkV5qFpbHG0LDlYYI2ebjQspS8tsQuwsE4ewPrVeD2YDY81klcFnshHLD1fR7HHCNtEpMUfV9lstDVqm12JAFWGN0wFoxDR5C+JBZLgEtFwjq2hE6OZ858D5h+jwCYEVmrW3hWVK7aTYjoSmPxDaiZ5Ro7YcXSilMuSSi3IacS3iWQP6VXFfKDZTD4C527ZlJRgMQFKAvGb6FcJj2NhpcmMM9fDLsSF4VFsEYBkkp/GM+TZHqeIp+kOFvNcDwZwgqwgfu8VCB0ogwpvyTr8rpdoS8phH6P8hFO5Nzxx3HEV3cHIbiXFOrDFO2xzM1YdaAJs2sOvVm5+uTl/XJqg6kXLCzoe1LZAoK4MIVFCk2U2rItGN05wLPUTMopJuEUvHxrCg79AQToIZCD2v9Xl7HucyXR386yuL9VrS341Euc8bPELDwPNgJLxnsGRDp8xUN1CsvZWxcVxpw4k+jdXHZKd110WMKcfUMaYcKPxupdu/qDqvR6DhpywpBxPhgJL1/f8V7T09t2KCdUa81rwTsPVuK9B1H3Q/YYc8h99nBUZaYrIQk+WQtbgKYvzz204I7lev+lliPkie7H6umDWw3NADoOQqvF84kxAfO4jUbvTIeLeFSik6p0RNN3CdTnK5hNEdtpbk4+KuHSw6WBB9aTFcm3JkHGZsEuYVXWNoEgbIEjL17JLXm2FV0kNJil+vbQ5qcan5H7aKm1vcHgXylDGmKPU2QzSpXSSSwTMxOeAKGrPVIusT+gpqw22+YHa/kS2trz0XrPt/rXY4SDAXcjSNSzS5WcnvVX5v7DioGHo8/emYY9XEjML2iig1mxxyaP71GuWvzmITPWQHM3iJvXPywwgki1UiZqN+3WsZUi2zFrGJP/VXuL+8lCKvwZmRg0ACK+TeAenZsSSr3AdiKKbpriGHeqjjnSUvMmx6DUNIYdrxc9gNXBQ4tnNMN+pYBDj2jeiSIx2pb2derhOMGKyBCn3vfFylp2ljp7xJ39+N8fTlB7oTDQRCXmW/CR6bHd41/DeP9Hli8D0iYq0toM2oxby/eXPr/+I7wOZU23CKi/kQssxdn5XnlAGV0j7moF3ys3q7qFWesRQw1iYsS+dIvSr714u1NJXvE0nU6v5Vv64s22g+AC1FrWlsOdSo3CDLc1KctIuuFclyxI4mIekQk3iOKl/4a6XK/suOhmyzWHEKlq3LhbHZEA/maMOsKU//tX0uA+asOBLQJPtixwuQ9ZE0vpr4uL0LRJjpnYk09ktuE2YerQu6pGkMBt7uQnpWSzAlO2+3jPducXUdft9MXYM2jaK+PoUuCLUNegeqcpzF3KnGT9zDfbR15abg9nrY1Gv4cHlNN94JFxD2Z9qYBnNHBmG+Pdkq5xYDOcSmC3AV1IF+OAY+IYbb2BAUVy2JvqJal2mvGnlgOSVxtaA51VOkov8Bd0XwMUC/QDaj+CxMS/uDIDUsg6qbuw4dg+HjDVYhlnc6YElwET6LBoLkS5SIX+8W8XoVDAoTapOlrSXDo/elRW/WY4TJ4MEdW0xasjDuCxNDCpdmzbGsNUbpXQqDSz3sJvEggri0Q5ShGBJ57XCNEbXO/ZjlzBE1eN1bVjKkAbNrdj89NHpwFJiUUwiqhJmMFt1lbCdA9ihpKsuUyF7jBwnOdVnSLqvcL+U2WG6xWfJHTyoMpRFlaJJfchc3Nv3upOajk1rPFCdEK0vztAYinN8ldieKOz1bSJL8/RomSyjWJ3CeyyQYAODZn8KNf8E8YqapENbHA4Mj687NvaMxXl+sRxp+uprbZ/KDY609vEuub/46q0S5yddd3VAUrXX1x+leeRusGqXR0I9iwyaYSXpZO7fyUm1762o71fQHYgXcvco2NmDCH8AeFO0/Dc6bm8n//2g5XUg0ej+o1YZQaQ+plDjM9pHX33/BOvXDOJ7MoQMGIHadv9tS+USaLKNI45Z4tklIKGzkNh5q6JCrIGnja76ncaLGGOJpxG2tuQh7CATdSCWtDOJTLYDa84kWLH1lkXJeLkYGdTrKDpjNZnUQkggVyKisK9cSlnsUNsW+xwl2fKvuoNjm0wrBXN4MkUdLbbGBFt5CbZbyzz3f4et8twQ77TT6KJ5hORj/D3FFfM8LCDS/WQYQ9mHEZjWhtIfIRphSt192I/6hHuhHb7nl+ZO/SKoqfKN7Z32OUIR/gc6tcD+CYC02EpNgqZw9Lacq+zIAvY2m5KUbjaX/ddjI6OE7WyrBSArjtr/o1Vrto8xBZ5eHbbauFTFHN/QuadfU/VHDLUM2KQoWw1luYMTQBpyhK/ZCnOcU6hhJfWyMBY7lHBZBc44iu1ntyc+BPXL5kg9RoA832vNJAqt+1TGllnT1l6rd29+evfW7LIVLwQKVfCcR7DNX9NJYF8LDz2TCL7633udmoJC4bDCIW4mt1D5ITItat3AHSLruYyFPrUx4GwWGL4SKZTQxqpVxvj8mQC77h8WbkfH2csU6hFr7yCjVMpg7RSax942GHUPZzJnHmjgbgyNnats/ZgKjWxlVi/D7bUDxcYGOAHwjodyidGZbCiQckxkwF8brcfLM4VcgYfZ4Xe2tcMFLQML4id8WTgpnCv+jnSmOxn0IJog4SQ1qxPScKCAQL78SKCCeG67GTmcMbBPXhKTf7AQTpCIAUPSeAiR5rvNv5TZjIXzWYu6SP0Cw8+NxkENaS5RZsXtjVJTGnL3UJjVEQw9BC5qjXta2n8R8X1ELDB6qwjdDy3U5hbrdwEyjV8h5TJRe3xcYcMrKicmLfG6bhdcx1SpiCiI9M3hpc32S2Dn8FCoYFlP4tsuzT4b2VcaOZAlkLahchNbTTIMlehzJnGkXX1HwCh+c+fSD/apiONh49VPbVOAvV/rsSjn15AemL25MrP76evzIZwfrYdsZkGyq+sT2UyO8sGhu9U08bJkdC+1saQzSam75AWvV2dS7/HLefsMoezSLurhkr1jGjVsxaRXM9UCWxRYP2a4HHT6fHXdUGP9dHyEv8E/B5RpvD/HzNr8udxHdq7SgXhoEHMqWOKPtNVkXlqttlAWbcoWDnJaOBH1/50+DZYuZ9bmF+X5qk/TM2jyhQIyekLSw1quOdnfx5OM8K9ZmgUEqyJ2LibXW9yZWoth/Pjq7sFIkC8YSneWiFRk7uOFZjcfnoItHrjghW5tK7diluj97+O3p2FqtV9pqB2UhyPAeIRSmWFxhPj5dornJVIQL/Zr2Jv911HICP2G7wQnsKv54Fnp4t+9ZjhJzkTh4IFK,iv:vF3GSh82JgjFVTTkTJrxu142JQGIF1/1r9b1yfcDXGE=,tag:rf0/VoDl2vKwL9gwepX4rg==,type:str]
@@ -24,8 +25,8 @@ sops:
            YlhlTVhRdDFJUVZiMTdtVXlveWNDWE0KG7MKLp5tUCm7KpuhpmsvAWDrreBuHSEp
            zyH6hY1i7jgjh020qZI32zNDHeTIJhi+mHur/jvBJhEGLMz6JYUPrg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-01-02T20:30:02Z"
-    mac: ENC[AES256_GCM,data:Zl15uw3w7dLj+XWyevM6RsPBD8K7I6G4DQMROt47fcIhVxsoINl2/2r9nuOeICP7n+gQpKIX4OhZnxowUoU+YAwBPYOg6Ez3oT3DeSHXJxANA3mZ5PExd1Ius4nQNAnFJFNDI6rEF6onGQjhO1tw5bvwPqyjfBIRtsIXj9u9VZo=,iv:IXC7V/ejYG4lb2xKG1ZtnrIDqeIpzaNR8Wh/MdQ05RM=,tag:aq+3ZCRWZQtFv0U6b4G8VA==,type:str]
+    lastmodified: "2023-03-17T00:23:02Z"
+    mac: ENC[AES256_GCM,data:pIJwVCQaP73DElbqqxbA9jadVekYkvcHxnlanOtUdjHiNAYRwjXpJTssPEJC3TL+r4zBWZUlstDG4R9kgaY1Kz/dnhO7MuH/1FN6ShTWsDwgVJfJTtn8hfYiq9H7mHNwvscK7PbirQQYPCXMFFMDfK2CfKBIYkKmlzOMQvVRvlc=,iv:yexA2IKrIGFg8phkJhLkd211MDxBidfVdGL+PVzkAJ0=,tag:XnQdY6Md8PcWgyubtX3Ekw==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
--- a/kubernetes/apps/default/truenas/certs-deploy/truenas-certs-deploy.py
+++ b/kubernetes/apps/default/truenas/certs-deploy/truenas-certs-deploy.py
@@ -8,10 +8,6 @@ database and captured in a backup.
 Requires paths to the cert (including the any intermediate CA certs) and private key,
 and username, password, and FQDN of your FreeNAS system.

-Your private key should only be readable by root, so this script must run with root
-privileges.  And, since it contains your root password, this script itself should
-only be readable by root.
-
 Source: https://github.com/danb35/deploy-freenas
 """

--- a/kubernetes/apps/default/truenas/certs-deploy/truenas-certs-deploy.sh
+++ b/kubernetes/apps/default/truenas/certs-deploy/truenas-certs-deploy.sh
@@ -7,7 +7,11 @@ mkdir -p ~/.ssh
 cp /opt/id_rsa ~/.ssh/id_rsa
 chmod 600 ~/.ssh/id_rsa

+if [ "${HOSTNAME}" == "truenas" ]; then
    printf -v truenas_api_key %q "$TRUENAS_API_KEY"
+elif [ "${HOSTNAME}" == "truenas-remote" ]; then
+    printf -v truenas_api_key %q "$TRUENAS_REMOTE_API_KEY"
+fi
 printf -v cert_deploy_s3_enabled_str %q "$CERTS_DEPLOY_S3_ENABLED"
 printf -v pushover_api_key_str %q "$PUSHOVER_API_KEY"
 printf -v pushover_user_key_str %q "$PUSHOVER_USER_KEY"
@@ -33,7 +37,9 @@ SCRIPT_PATH="${HOME}/scripts"
 export CERTS_DEPLOY_API_KEY=$1
 export CERTS_DEPLOY_PRIVATE_KEY_PATH=${CERTIFICATE_PATH}/key.pem
 export CERTS_DEPLOY_FULLCHAIN_PATH=${CERTIFICATE_PATH}/fullchain.pem
+if [ "$2" == "True" ]; then
    export CERTS_DEPLOY_S3_ENABLED=$2
+fi

 # Check if cert is older than 69 days
 result=$(find ${CERTS_DEPLOY_PRIVATE_KEY_PATH} -mtime +69)
@@ -47,9 +53,11 @@ if [[ "$result" == "${CERTS_DEPLOY_PRIVATE_KEY_PATH}" ]]; then
        --form-string "message=Certificate on $TARGET is older than 69 days. Verify than it has been renewed by ACME client on opnsense and that the upload automation has been executed" \
        https://api.pushover.net/1/messages.json
 else
-    echo "checking if $TARGET expires in less than $DAYS days"
-    result=(openssl x509 -checkend $(( 24*3600*$DAYS )) -noout -in <(openssl s_client -showcerts -connect $TARGET:443 </dev/null 2>/dev/null | openssl x509 -outform PEM))
-    if [ "$result" == "Certificate will expire" ]; then
+    echo "INFO checking if $TARGET expires in less than $DAYS days"
+    set +o errexit
+    openssl x509 -checkend $(( 24*3600*$DAYS )) -noout -in <(openssl s_client -showcerts -connect $TARGET:443 </dev/null 2>/dev/null | openssl x509 -outform PEM)
+    if [[ $? -ne 0 ]]; then
+        set -o errexit
        echo "INFO - Certificate expires in less than $DAYS days"
        echo "INFO - Deploying new certificate"
        # Deploy certificate (truenas UI & minio)