Barthélemy Vessemont BarthV

## capi-ca-rotation-dirty.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                BarthV
                / capi-ca-rotation-dirty.md
            
            
              Last active
              September 26, 2023 07:38
            
              
                Kubernetes cluster-api CA rotation : big-bang strategy
              
          
    Kubernetes cluster-api managed cluster CA certificate rotation

In Kubernetes, rotating CA certificates is a non-trivial operation. Adding cluster-api constraints (machine immutability & VM destroy & replacement strategy) makes this operation even harder beacause CAPI doesn't support CA automated rotation yet.
Cluster API custom certificates

Cluster API expects certificates and keys used for bootstrapping to follow the below convention. CABPK generates new certificates using this convention if they do not already exist (at sens an initJob is started before applying a cluster to guarantee that a self-signed certificate will never be created for any cluster).
Each certificate must be stored in a single secret named one of:

  
## rpisensorhub.py
import os, sys, getopt, smbus, signal
from threading import Event, Thread
from prometheus_client import start_http_server,Gauge,Counter

DEVICE_BUS = 1
DEVICE_ADDR = 0x17

TEMP_REG = 0x01
LIGHT_REG_L = 0x02
LIGHT_REG_H = 0x03

## AutoDLSTape.js
// ==UserScript==
// @name         AutoDLSTape
// @namespace    http://tampermonkey.net/
// @version      0.1
// @description  Tries to open ST video in new tab & download it
// @author       NunursMegaPower
// @include      /^https:\/\/(streamtape\.com|.+\.tapecontent\.net)\/.*$/
// @icon         data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==
// @grant        GM_openInTab
// ==/UserScript==

## gist:63b633b6874e37a7e0511453f37f14c3
# WARNING: This file was auto-generated using snmp_exporter generator, manual changes will be lost.
apcups:
  walk:
  - 1.3.6.1.2.1.2
  - 1.3.6.1.4.1.318.1.1.1.12
  - 1.3.6.1.4.1.318.1.1.1.2
  - 1.3.6.1.4.1.318.1.1.1.3
  - 1.3.6.1.4.1.318.1.1.1.4
  - 1.3.6.1.4.1.318.1.1.1.7.2
  - 1.3.6.1.4.1.318.1.1.10.2.3.2

## gist:17521ff8cc5c5b3b704c9e2f491c7e60
# ConfigMap here with both files
#################################
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluentbit-dedot-lua
data:
  dedot.conf: |2

## .config
#
# Automatically generated file; DO NOT EDIT.
# Linux/arm64 4.9.140 Kernel Configuration
#
CONFIG_ARM64=y
CONFIG_64BIT=y
CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
CONFIG_MMU=y
CONFIG_DEBUG_RODATA=y
CONFIG_ARM64_PAGE_SHIFT=12

## gist:f6c19db566938b66d80693915b0dfcee
2019-06-13 14:00:30.325244 I | op-object: metadata pool replication changed from 3 to 4
2019-06-13 14:00:30.325323 I | op-object: update object store s3-test
2019-06-13 14:00:30.325515 I | exec: Running command: ceph osd crush dump --connect-timeout=15 --cluster=rook-ceph --conf=/var/lib/rook/rook-ceph/rook-ceph.config --keyring=/var/lib/rook/rook-ceph/client.admin.keyring --format json --out-file /tmp/030832320
2019-06-13 14:00:30.722195 I | exec: Running command: ceph osd crush dump --connect-timeout=15 --cluster=rook-ceph --conf=/var/lib/rook/rook-ceph/rook-ceph.config --keyring=/var/lib/rook/rook-ceph/client.admin.keyring --format json --out-file /tmp/825666847
2019-06-13 14:00:31.135912 I | op-object: object store s3-test exists in namespace rook-ceph. checking for updates
2019-06-13 14:00:31.135945 I | op-object: creating object store s3-test in namespace rook-ceph
2019-06-13 14:00:31.162653 I | exec: Running command: ceph osd pool get s3-test.rgw.control all --connect-timeout=15 --cluster=rook-ceph --c

## gist:53dbffa1687164be54b1cc20d3ab77f4
### Keybase proof

I hereby claim:

  * I am barthv on github.
  * I am barthv (https://keybase.io/barthv) on keybase.
  * I have a public key ASCsgg0oSoD82q09dXE5bZDNJAn2jxrQ9d6Eey7Rf8OFNwo

To claim this, I am signing this object:

## bonjour-madame.pl
#!/usr/bin/env perl
#
# Récupérer les photographies des jolies dames de www.bonjourmadame.fr.
#
# $Id       : bonjour-madame.pl $
# $HeadURL  : https://bobotig.fr/contenu/contrib/scripts/bonjour-madame.pl $
# $Source   : https://bobotig.fr/contenu/contrib/scripts/bonjour-madame.pl $
# $Author   : BoboTiG $
# $Revision : 16 $
# $Date     : 2013/06/27 $

## ciphers list for target host
> ./ciphers.sh
Obtaining cipher list from OpenSSL 1.0.1f 6 Jan 2014.
Testing ECDHE-RSA-AES256-GCM-SHA384...YES
Testing ECDHE-RSA-AES256-SHA...YES
Testing AES256-SHA...YES
Testing ECDHE-RSA-DES-CBC3-SHA...YES
Testing DES-CBC3-SHA...YES
Testing ECDHE-RSA-AES128-GCM-SHA256...YES
Testing ECDHE-RSA-AES128-SHA...YES
Testing AES128-SHA...YES
	import os, sys, getopt, smbus, signal
	from threading import Event, Thread
	from prometheus_client import start_http_server,Gauge,Counter

	DEVICE_BUS = 1
	DEVICE_ADDR = 0x17

	TEMP_REG = 0x01
	LIGHT_REG_L = 0x02
	LIGHT_REG_H = 0x03
	// ==UserScript==
	// @name AutoDLSTape
	// @namespace http://tampermonkey.net/
	// @version 0.1
	// @description Tries to open ST video in new tab & download it
	// @author NunursMegaPower
	// @include /^https:\/\/(streamtape\.com\|.+\.tapecontent\.net)\/.*$/
	// @icon data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==
	// @grant GM_openInTab
	// ==/UserScript==
	# WARNING: This file was auto-generated using snmp_exporter generator, manual changes will be lost.
	apcups:
	walk:
	- 1.3.6.1.2.1.2
	- 1.3.6.1.4.1.318.1.1.1.12
	- 1.3.6.1.4.1.318.1.1.1.2
	- 1.3.6.1.4.1.318.1.1.1.3
	- 1.3.6.1.4.1.318.1.1.1.4
	- 1.3.6.1.4.1.318.1.1.1.7.2
	- 1.3.6.1.4.1.318.1.1.10.2.3.2
	# ConfigMap here with both files
	#################################
	---
	apiVersion: v1
	kind: ConfigMap
	metadata:
	name: fluentbit-dedot-lua
	data:
	dedot.conf: \|2
	#
	# Automatically generated file; DO NOT EDIT.
	# Linux/arm64 4.9.140 Kernel Configuration
	#
	CONFIG_ARM64=y
	CONFIG_64BIT=y
	CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
	CONFIG_MMU=y
	CONFIG_DEBUG_RODATA=y
	CONFIG_ARM64_PAGE_SHIFT=12
	2019-06-13 14:00:30.325244 I \| op-object: metadata pool replication changed from 3 to 4
	2019-06-13 14:00:30.325323 I \| op-object: update object store s3-test
	2019-06-13 14:00:30.325515 I \| exec: Running command: ceph osd crush dump --connect-timeout=15 --cluster=rook-ceph --conf=/var/lib/rook/rook-ceph/rook-ceph.config --keyring=/var/lib/rook/rook-ceph/client.admin.keyring --format json --out-file /tmp/030832320
	2019-06-13 14:00:30.722195 I \| exec: Running command: ceph osd crush dump --connect-timeout=15 --cluster=rook-ceph --conf=/var/lib/rook/rook-ceph/rook-ceph.config --keyring=/var/lib/rook/rook-ceph/client.admin.keyring --format json --out-file /tmp/825666847
	2019-06-13 14:00:31.135912 I \| op-object: object store s3-test exists in namespace rook-ceph. checking for updates
	2019-06-13 14:00:31.135945 I \| op-object: creating object store s3-test in namespace rook-ceph
	2019-06-13 14:00:31.162653 I \| exec: Running command: ceph osd pool get s3-test.rgw.control all --connect-timeout=15 --cluster=rook-ceph --c
	### Keybase proof

	I hereby claim:

	* I am barthv on github.
	* I am barthv (https://keybase.io/barthv) on keybase.
	* I have a public key ASCsgg0oSoD82q09dXE5bZDNJAn2jxrQ9d6Eey7Rf8OFNwo

	To claim this, I am signing this object:
	#!/usr/bin/env perl
	#
	# Récupérer les photographies des jolies dames de www.bonjourmadame.fr.
	#
	# $Id : bonjour-madame.pl $
	# $HeadURL : https://bobotig.fr/contenu/contrib/scripts/bonjour-madame.pl $
	# $Source : https://bobotig.fr/contenu/contrib/scripts/bonjour-madame.pl $
	# $Author : BoboTiG $
	# $Revision : 16 $
	# $Date : 2013/06/27 $
	> ./ciphers.sh
	Obtaining cipher list from OpenSSL 1.0.1f 6 Jan 2014.
	Testing ECDHE-RSA-AES256-GCM-SHA384...YES
	Testing ECDHE-RSA-AES256-SHA...YES
	Testing AES256-SHA...YES
	Testing ECDHE-RSA-DES-CBC3-SHA...YES
	Testing DES-CBC3-SHA...YES
	Testing ECDHE-RSA-AES128-GCM-SHA256...YES
	Testing ECDHE-RSA-AES128-SHA...YES
	Testing AES128-SHA...YES