From 6281d19b76a7493e45dfbdeb6192562efd981199 Mon Sep 17 00:00:00 2001
From: Tom Hayward
Date: Mon, 2 May 2022 11:58:57 -0700
Subject: [PATCH 1/4] renew apiserver and etcd certs on konk pod startup
---
 helm-charts/konk/scripts/provision.sh | 37 ++++++++++++++++-----------
 1 file changed, 22 insertions(+), 15 deletions(-)
diff --git a/helm-charts/konk/scripts/provision.sh b/helm-charts/konk/scripts/provision.sh
index 1f39650e..d2dc0064 100644
--- a/helm-charts/konk/scripts/provision.sh
+++ b/helm-charts/konk/scripts/provision.sh
@@ -40,25 +40,32 @@ rm -f /etc/kubernetes/pki/etcd/server*
 kubeadm init phase certs etcd-server --config=/tmp/kubeadmcfg.yaml
 kubeadm init phase kubeconfig admin --control-plane-endpoint $FULLNAME.$NAMESPACE.svc
 find /etc/kubernetes/pki
-if secret_not_found $FULLNAME-etcd-cert
+
+# replaces any existing etcd-cert
+if ! secret_not_found $FULLNAME-etcd-cert
 then
- kubectl -n $NAMESPACE create secret generic $FULLNAME-etcd-cert \
- --from-file=/etc/kubernetes/pki/etcd/ca.crt \
- --from-file=/etc/kubernetes/pki/etcd/server.crt \
- --from-file=/etc/kubernetes/pki/etcd/server.key
- kubectl -n $NAMESPACE label secret $FULLNAME-etcd-cert $LABELS
+ kubectl -n $NAMESPACE delete secret $FULLNAME-etcd-cert
 fi
-if secret_not_found $FULLNAME-apiserver-cert
+kubectl -n $NAMESPACE create secret generic $FULLNAME-etcd-cert \
+ --from-file=/etc/kubernetes/pki/etcd/ca.crt \
+ --from-file=/etc/kubernetes/pki/etcd/server.crt \
+ --from-file=/etc/kubernetes/pki/etcd/server.key
+kubectl -n $NAMESPACE label secret $FULLNAME-etcd-cert $LABELS
+
+# replaces any existing apiserver-cert
+if ! secret_not_found $FULLNAME-apiserver-cert
 then
- kubectl -n $NAMESPACE create secret generic $FULLNAME-apiserver-cert \
- --from-file=/etc/kubernetes/pki/apiserver.crt \
- --from-file=/etc/kubernetes/pki/apiserver.key \
- --from-file=/etc/kubernetes/pki/ca.crt \
- --from-file=etcd-ca.crt=/etc/kubernetes/pki/etcd/ca.crt \
- --from-file=/etc/kubernetes/pki/apiserver-etcd-client.crt \
- --from-file=/etc/kubernetes/pki/apiserver-etcd-client.key
- kubectl -n $NAMESPACE label secret $FULLNAME-apiserver-cert $LABELS
+ kubectl -n $NAMESPACE delete secret $FULLNAME-apiserver-cert
 fi
+kubectl -n $NAMESPACE create secret generic $FULLNAME-apiserver-cert \
+ --from-file=/etc/kubernetes/pki/apiserver.crt \
+ --from-file=/etc/kubernetes/pki/apiserver.key \
+ --from-file=/etc/kubernetes/pki/ca.crt \
+ --from-file=etcd-ca.crt=/etc/kubernetes/pki/etcd/ca.crt \
+ --from-file=/etc/kubernetes/pki/apiserver-etcd-client.crt \
+ --from-file=/etc/kubernetes/pki/apiserver-etcd-client.key
+kubectl -n $NAMESPACE label secret $FULLNAME-apiserver-cert $LABELS
+
 if secret_not_found $FULLNAME-ca
 then
 kubectl -n $NAMESPACE create secret tls $FULLNAME-ca \
From bef4f05243fa4b70caefa9f954721396bd2b75a6 Mon Sep 17 00:00:00 2001
From: Tom Hayward
Date: Mon, 2 May 2022 14:22:06 -0700
Subject: [PATCH 2/4] patch existing cert
---
 helm-charts/konk/scripts/provision.sh | 46 ++++++++++++++++-----------
 1 file changed, 27 insertions(+), 19 deletions(-)
diff --git a/helm-charts/konk/scripts/provision.sh b/helm-charts/konk/scripts/provision.sh
index d2dc0064..1fec4465 100644
--- a/helm-charts/konk/scripts/provision.sh
+++ b/helm-charts/konk/scripts/provision.sh
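Review bot: The `delete secret` followed by an unconditional `create secret` leaves a window in which `$FULLNAME-etcd-cert` does not exist at all, and if the `create` fails after the delete (for example because the kubeadm step above this hunk did not write the expected file) the previous certificate is gone with nothing to fall back to; the `$FULLNAME-apiserver-cert` block further down the hunk has the same shape. A create-or-update form replaces the data in one API call and keeps the old object until the new one is accepted, e.g. `kubectl -n $NAMESPACE create secret generic $FULLNAME-etcd-cert --from-file=... --dry-run=client -o yaml | kubectl -n $NAMESPACE apply -f -`, with the `if`/`delete` dropped. The `secret_not_found` helper and the rest of the script are outside this hunk.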
@@ -41,30 +41,38 @@ kubeadm init phase certs etcd-server --config=/tmp/kubeadmcfg.yaml
 kubeadm init phase kubeconfig admin --control-plane-endpoint $FULLNAME.$NAMESPACE.svc
 find /etc/kubernetes/pki
-# replaces any existing etcd-cert
-if ! secret_not_found $FULLNAME-etcd-cert
+if secret_not_found $FULLNAME-etcd-cert
 then
- kubectl -n $NAMESPACE delete secret $FULLNAME-etcd-cert
+ kubectl -n $NAMESPACE create secret generic $FULLNAME-etcd-cert \
+ --from-file=/etc/kubernetes/pki/etcd/ca.crt \
+ --from-file=/etc/kubernetes/pki/etcd/server.crt \
+ --from-file=/etc/kubernetes/pki/etcd/server.key
+ kubectl -n $NAMESPACE label secret $FULLNAME-etcd-cert $LABELS
+else
+ kubectl -n $NAMESPACE patch secret $FULLNAME-etcd-cert --type=json -p '[
+ {"op":"replace","path":"/data/server.crt","value":"'"$(base64 --wrap=0 < /etc/kubernetes/pki/etcd/server.crt)"'"},
+ {"op":"replace","path":"/data/server.key","value":"'"$(base64 --wrap=0 < /etc/kubernetes/pki/etcd/server.key)"'"}
+ ]'
 fi
-kubectl -n $NAMESPACE create secret generic $FULLNAME-etcd-cert \
- --from-file=/etc/kubernetes/pki/etcd/ca.crt \
- --from-file=/etc/kubernetes/pki/etcd/server.crt \
- --from-file=/etc/kubernetes/pki/etcd/server.key
-kubectl -n $NAMESPACE label secret $FULLNAME-etcd-cert $LABELS
-# replaces any existing apiserver-cert
-if ! secret_not_found $FULLNAME-apiserver-cert
+if secret_not_found $FULLNAME-apiserver-cert
 then
- kubectl -n $NAMESPACE delete secret $FULLNAME-apiserver-cert
+ kubectl -n $NAMESPACE create secret generic $FULLNAME-apiserver-cert \
+ --from-file=/etc/kubernetes/pki/apiserver.crt \
+ --from-file=/etc/kubernetes/pki/apiserver.key \
+ --from-file=/etc/kubernetes/pki/ca.crt \
+ --from-file=etcd-ca.crt=/etc/kubernetes/pki/etcd/ca.crt \
+ --from-file=/etc/kubernetes/pki/apiserver-etcd-client.crt \
+ --from-file=/etc/kubernetes/pki/apiserver-etcd-client.key
+ kubectl -n $NAMESPACE label secret $FULLNAME-apiserver-cert $LABELS
+else
+ kubectl -n $NAMESPACE patch secret $FULLNAME-apiserver-cert --type=json -p '[
+ {"op":"replace","path":"/data/apiserver.crt","value":"'"$(base64 --wrap=0 < /etc/kubernetes/pki/apiserver.crt)"'"},
+ {"op":"replace","path":"/data/apiserver.key","value":"'"$(base64 --wrap=0 < /etc/kubernetes/pki/apiserver.key)"'"},
+ {"op":"replace","path":"/data/apiserver-etcd-client.crt","value":"'"$(base64 --wrap=0 < /etc/kubernetes/pki/apiserver-etcd-client.crt)"'"},
+ {"op":"replace","path":"/data/apiserver-etcd-client.key","value":"'"$(base64 --wrap=0 < /etc/kubernetes/pki/apiserver-etcd-client.key)"'"}
+ ]'
 fi
-kubectl -n $NAMESPACE create secret generic $FULLNAME-apiserver-cert \
- --from-file=/etc/kubernetes/pki/apiserver.crt \
- --from-file=/etc/kubernetes/pki/apiserver.key \
- --from-file=/etc/kubernetes/pki/ca.crt \
- --from-file=etcd-ca.crt=/etc/kubernetes/pki/etcd/ca.crt \
- --from-file=/etc/kubernetes/pki/apiserver-etcd-client.crt \
- --from-file=/etc/kubernetes/pki/apiserver-etcd-client.key
-kubectl -n $NAMESPACE label secret $FULLNAME-apiserver-cert $LABELS
 if secret_not_found $FULLNAME-ca
 then
From 90e325126fccc2c1c13c38dfa4659b9699d1bcb5 Mon Sep 17 00:00:00 2001
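Review bot: In both `else` branches the freshly generated private keys (`server.key`, `apiserver.key`, `apiserver-etcd-client.key`) are base64-expanded into the `-p` argument of `kubectl patch`, so the key bytes sit in the process's argv, where they are readable through `ps`/`/proc` by anything sharing the pod's PID namespace and are echoed by any `set -x` trace or shell error message. Writing the patch document to a `mktemp` file (created mode 0600) and passing it with `--patch-file` (recent kubectl), or piping a regenerated manifest into `kubectl apply -f -`, keeps key material off the command line. Separately, JSON-patch `replace` requires the target member to exist, so a secret created by an older chart that lacks one of these `/data/...` keys makes the renewal fail; `add` has replace semantics for an existing member and tolerates a missing one. The apiserver-cert branch later in this hunk needs the same treatment; `secret_not_found` and the surrounding script are outside the hunk.
```shell
else
  # Keep key material off argv: the patch goes through a 0600 temp file.
  patch_file=$(mktemp) || exit 1
  cat > "$patch_file" <<EOF
[
  {"op":"add","path":"/data/server.crt","value":"$(base64 --wrap=0 < /etc/kubernetes/pki/etcd/server.crt)"},
  {"op":"add","path":"/data/server.key","value":"$(base64 --wrap=0 < /etc/kubernetes/pki/etcd/server.key)"}
]
EOF
  kubectl -n $NAMESPACE patch secret $FULLNAME-etcd-cert --type=json --patch-file "$patch_file"
  rm -f -- "$patch_file"
fi
# … unchanged: apiserver-cert block, same pattern with its four /data entries …
```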
From: Tom Hayward
Date: Mon, 2 May 2022 14:28:33 -0700
Subject: [PATCH 3/4] periodically renew certs
---
 helm-charts/konk/templates/init.yaml | 29 ++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)
diff --git a/helm-charts/konk/templates/init.yaml b/helm-charts/konk/templates/init.yaml
index aa696e52..84c27721 100644
--- a/helm-charts/konk/templates/init.yaml
+++ b/helm-charts/konk/templates/init.yaml
@@ -20,16 +20,25 @@ spec:
 app.kubernetes.io/component: init
 spec:
 serviceAccountName: {{ include "konk.serviceAccountName" . }}
- initContainers:
- - name: kind
+ containers:
+ - name: provision
 securityContext:
 {{- toYaml .Values.kind.securityContext | nindent 10 }}
 image: "{{ .Values.kind.image.repository }}:{{ .Values.kind.image.tag | default .Chart.AppVersion }}"
 imagePullPolicy: {{ .Values.kind.image.pullPolicy }}
 command:
 - bash
+ - "-c"
 args:
- - /scripts/provision.sh
+ - |
+ set -e
+ while true
+ do
+ date
+ /scripts/provision.sh
+ touch /tmp/ready
+ sleep 90d
+ done
 env:
 {{- with .Values.certManager.namespace }}
 - name: CERT_MANAGER_NAMESPACE
@@ -47,21 +56,17 @@ spec:
 value: {{ .Release.Name }}
 - name: SCOPE
 value: {{ .Values.scope }}
+ readinessProbe:
+ exec:
+ command:
+ - cat
+ - /tmp/ready
 resources:
 {{- toYaml .Values.kind.resources | nindent 10 }}
 volumeMounts:
 - mountPath: /scripts/
 name: scripts
 readOnly: true
- containers:
- - name: done
- securityContext:
- {{- toYaml .Values.kind.securityContext | nindent 10 }}
- image: "{{ .Values.kind.image.repository }}:{{ .Values.kind.image.tag | default .Chart.AppVersion }}"
- imagePullPolicy: {{ .Values.kind.image.pullPolicy }}
- command:
- - sleep
- - infinity
 volumes:
 - name: scripts
 configMap:
From 154713db237aab7715c9e4f6b30143e71b24e3ab Mon Sep 17 00:00:00 2001
From: Tom Hayward
Date: Mon, 2 May 2022 14:29:10 -0700
Subject: [PATCH 4/4] fix makefile for paths with spaces
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
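Review bot: `sleep 90d` in the first hunk is a bare interval with nothing relating it to the lifetime of the certificates `/scripts/provision.sh` issues, so a reader cannot tell whether 90 days is safely inside the validity window or why the loop also re-provisions on every container start; a comment above the `while`, such as `# renew well inside the default one-year lifetime of kubeadm-issued certs; also re-runs on every container (re)start`, would record that. Because the inline script runs under `set -e`, a failed renewal exits the loop and the container is restarted, and `/tmp/ready` then has to be re-created by a successful run before the readiness probe added in the second hunk passes again; that looks intentional and deserves a one-line comment on the `touch`. This assumes `/tmp` is not a persistent mount, which the visible `volumeMounts` (only `/scripts/`) do not contradict.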
diff --git a/Makefile b/Makefile
index f419a713..6a35e4a8 100644
--- a/Makefile
+++ b/Makefile
@@ -140,7 +140,7 @@ docker-push:
 docker push ${IMG}
 PATH := $(PATH):$(shell pwd)/bin
-SHELL := env PATH=$(PATH) /bin/sh
+SHELL := env PATH="$(PATH)" /bin/sh
 OS = $(shell uname -s | tr '[:upper:]' '[:lower:]')
 ARCH = $(shell uname -m | sed 's/x86_64/amd64/')
 OSOPER = $(shell uname -s | tr '[:upper:]' '[:lower:]' | sed 's/darwin/apple-darwin/' | sed 's/linux/linux-gnu/')