openstack
/
kolla
Code Issues Proposed changes

Rework letsencrypt 

This patch is adding "API layer" to letsencrypt
images which is represented by set of scripts inside.

This scripts are called by kolla-ansible orchestration.

Change-Id: I61b70fb4e12ba03b96e79004e735d2ead0f52319
This commit is contained in:
Michal Arbet 2023-06-30 01:29:35 +02:00
parent 00cebc3cde
commit 3213dccb8c
13 changed files with 573 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docker/haproxy/haproxy-ssh/Dockerfile.j2
View File

@ -13,6 +13,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
{% set haproxy_ssh_packages = [
'openssh-server',
'openssh-clients',
'rsync',
] %}
# NOTE(mgoddard): The centos:8 image contains a /run/nologin file, which
@ -23,6 +24,7 @@ RUN rm -f /run/nologin
{% set haproxy_ssh_packages = [
'openssh-server',
'openssh-client',
'rsync',
] %}
RUN mkdir -p /var/run/sshd \
@ -36,5 +38,7 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
RUN chmod 644 /usr/local/bin/kolla_extend_start \
&& sed -ri 's/session(\s+)required(\s+)pam_loginuid.so/session\1optional\2pam_loginuid.so/' /etc/pam.d/sshd
COPY update-haproxy-cert.sh /usr/bin/update-haproxy-cert
{% block haproxy_ssh_footer %}{% endblock %}
{% block footer %}{% endblock %}

25
docker/haproxy/haproxy-ssh/extend_start.sh
View File

@ -1,6 +1,6 @@
#!/bin/bash
SSH_HOST_KEY_TYPES=( "ecdsa" )
SSH_HOST_KEY_TYPES=( "rsa" "dsa" "ecdsa" "ed25519" )
for key_type in ${SSH_HOST_KEY_TYPES[@]}; do
KEY_PATH=/etc/ssh/ssh_host_${key_type}_key
@ -12,5 +12,26 @@ done
mkdir -p /var/lib/haproxy/.ssh
if [[ $(stat -c %U:%G /var/lib/haproxy/.ssh) != "haproxy:haproxy" ]]; then
sudo chown haproxy: /var/lib/haproxy/.ssh
chown haproxy: /var/lib/haproxy/.ssh
fi
FOLDERS_LEGO="/etc/letsencrypt /etc/letsencrypt/backups"
USERGROUP="haproxy:haproxy"
for folder in ${FOLDERS_LEGO}; do
mkdir -p ${folder}
if [[ $(stat -c %U:%G ${folder}) != "${USERGROUP}" ]]; then
chown ${USERGROUP} ${folder}
fi
if [[ "${folder}" == "/etc/letsencrypt" ]]; then
if [[ $(stat -c %a ${folder}) != "751" ]]; then
chmod 751 ${folder}
fi
else
if [[ $(stat -c %a ${folder}) != "755" ]]; then
chmod 755 ${folder}
fi
fi
done

113
docker/haproxy/haproxy-ssh/update-haproxy-cert.sh Executable file
View File

@ -0,0 +1,113 @@
#!/bin/bash
function haproxy_transaction_start {
local cert_input=${1}
local cert_dest=${2}
local transaction_result=""
local transaction_grep_check=""
transaction_grep_check="Transaction (created|updated) for certificate $(echo $cert_dest | sed -e 's|/|\\/|g')!"
transaction_result=$(echo -e "set ssl cert ${cert_dest} <<\n$(cat ${cert_input})\n" | socat unix-connect:/var/lib/kolla/haproxy/haproxy.sock -)
if echo "${transaction_result}" | grep -Pq "${transaction_grep_check}"; then
echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [INFO] [${cert_dest} - update] Transaction ${cert_input} -> ${cert_dest} started."
else
echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [ERROR] [${cert_dest} - update] Transaction ${cert_input} -> ${cert_dest} failed."
exit 1
fi
local cert_input_sha1=""
local cert_dest_sha1=""
cert_input_sha1=$(openssl x509 -noout -fingerprint -sha1 -inform pem -in ${cert_input} | awk -F '=' '{print $2}' | sed -e 's/://g')
cert_dest_sha1=$(echo "show ssl cert *${cert_dest}" | socat unix-connect:/var/lib/kolla/haproxy/haproxy.sock - | awk -F 'SHA1 FingerPrint: ' '{print $2}' | sed '/^$/d')
if [ "${cert_input_sha1}" = "${cert_dest_sha1}" ]; then
echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [INFO] [${cert_dest} - update] Transaction ${cert_input} -> ${cert_dest} successfull."
else
echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [ERROR] [${cert_dest} - update] Transaction ${cert_input} -> ${cert_dest} failed."
exit 1
fi
}
function haproxy_upload_to_memory {
local cert_input=${1}
local cert_dest=${2}
local cert_upload_output=""
cert_upload_output=$(echo "commit ssl cert ${cert_dest}" | socat unix-connect:/var/lib/kolla/haproxy/haproxy.sock -)
if echo "${cert_upload_output}" | grep -q "Success!"; then
echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [INFO] [${cert_dest} - update] Certificate ${cert_input} uploaded to haproxy memory."
else
echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [ERROR] [${cert_dest} - update] Certificate ${cert_input} upload to haproxy memory failed."
exit 1
fi
}
function haproxy_write_to_disk {
local cert_input=${1}
local cert_haproxy_path=${2}
local cert_backup_suffix=""
local cert_backup_path=""
local cert_backup_name=""
cert_backup_suffix="-$(date +%Y-%m-%d-%H-%M-%S).pem"
cert_backup_path=$(echo "${cert_input}" | awk -v suffix="$cert_backup_suffix" -F '.pem' '{print $1suffix}')
cert_backup_name=$(echo ${cert_backup_path} | awk -F '/' '{print $NF}')
mkdir -p /etc/letsencrypt/backups
echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [INFO] [${cert_haproxy_path} - update] Backuping currently loaded ${cert_haproxy_path} -> /etc/letsencrypt/backups/${cert_backup_name}"
cp -a ${cert_haproxy_path} /etc/letsencrypt/backups/${cert_backup_name}
cp -a ${cert_input} ${cert_haproxy_path}
rm -f ${cert_input}
}
# Parser
INTERNAL_SET="false"
EXTERNAL_SET="false"
VALID_ARGS=$(getopt -o ie --long internal,external -- "$@")
if [[ $? -ne 0 ]]; then
exit 1;
fi
eval set -- "$VALID_ARGS"
while [ : ]; do
case "$1" in
-i | --internal)
CERT_TYPE="internal"
INTERNAL_SET="true"
shift
;;
-e | --external)
CERT_TYPE="external"
EXTERNAL_SET="true"
shift
;;
--) shift;
break
;;
esac
done
if [ "${INTERNAL_SET}" = "true" ] || [ "${EXTERNAL_SET}" = "true" ]; then
if [ "${INTERNAL_SET}" = "${EXTERNAL_SET}" ]; then
echo "[e] Only --internal or --external parameter is allowed at a time"
exit 1
fi
if [ "${INTERNAL_SET}" = "true" ]; then
HAPROXY_CERT_INCOMING_PATH="/var/lib/haproxy/haproxy-internal.pem"
HAPROXY_CERT_PATH="/etc/haproxy/certificates/haproxy-internal.pem"
else
HAPROXY_CERT_INCOMING_PATH="/var/lib/haproxy/haproxy.pem"
HAPROXY_CERT_PATH="/etc/haproxy/certificates/haproxy.pem"
fi
fi
# Main
haproxy_transaction_start ${HAPROXY_CERT_INCOMING_PATH} ${HAPROXY_CERT_PATH}
haproxy_upload_to_memory ${HAPROXY_CERT_INCOMING_PATH} ${HAPROXY_CERT_PATH}
haproxy_write_to_disk ${HAPROXY_CERT_INCOMING_PATH} ${HAPROXY_CERT_PATH}

38
docker/letsencrypt/Dockerfile.j2
View File

@ -1,38 +0,0 @@
FROM {{ namespace }}/{{ image_prefix }}openstack-base:{{ tag }}
{% block labels %}
LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}"
{% endblock %}
{% block letsencrypt_header %}{% endblock %}
{% import "macros.j2" as macros with context %}
{% if base_package_type == 'rpm' %}
{% set letsencrypt_packages = [
'openssh-clients',
'cronie'
] %}
{% elif base_package_type == 'deb' %}
{% set letsencrypt_packages = [
'openssh-client',
'cron'
] %}
{% endif %}
{{ macros.install_packages(letsencrypt_packages | customizable("packages")) }}
COPY extend_start.sh /usr/local/bin/kolla_extend_start
RUN chmod 644 /usr/local/bin/kolla_extend_start
{% block lego_repository %}
ENV lego_version=4.6.0
ENV lego_download_url=https://github.com/go-acme/lego/releases/download/v${lego_version}/lego_v${lego_version}_linux_{{debian_arch}}.tar.gz
{% endblock %}
{% block lego_install %}
RUN curl -o /tmp/lego.tar.gz ${lego_download_url} \
&& tar xvf /tmp/lego.tar.gz -C /opt/ \
&& rm -f /tmp/lego.tar.gz
{% endblock %}
{% block letsencrypt_footer %}{% endblock %}
{% block footer %}{% endblock %}

10
docker/letsencrypt/extend_start.sh
View File

@ -1,10 +0,0 @@
#!/bin/bash
if [[ ! -d "/var/log/kolla/letsencrypt" ]]; then
mkdir -p /var/log/kolla/letsencrypt
fi
if [[ $(stat -c %a /var/log/kolla/letsencrypt) != "755" ]]; then
chmod 755 /var/log/kolla/letsencrypt
fi
. /usr/local/bin/kolla_httpd_setup

14
docker/letsencrypt/letsencrypt-base/Dockerfile.j2 Normal file
View File

@ -0,0 +1,14 @@
FROM {{ namespace }}/{{ image_prefix }}base:{{ tag }}
{% block labels %}
LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}"
{% endblock %}
{% block letsencrypt_base_header %}{% endblock %}
{% import "macros.j2" as macros with context %}
{{ macros.install_packages(cinder_base_packages | customizable("packages")) }}
COPY extend_start.sh /usr/local/bin/kolla_extend_start
{% block letsencrypt_base_footer %}{% endblock %}

69
docker/letsencrypt/letsencrypt-base/extend_start.sh Normal file
View File

@ -0,0 +1,69 @@
#!/bin/bash
# Logs
if [[ ! -d "/var/log/kolla/letsencrypt" ]]; then
mkdir -p /var/log/kolla/letsencrypt
fi
if [[ $(stat -c %a /var/log/kolla/letsencrypt) != "755" ]]; then
chmod 755 /var/log/kolla/letsencrypt
fi
# Structure for lego and webserver
FOLDERS_LEGO="/etc/letsencrypt /etc/letsencrypt/lego /etc/letsencrypt/lego/internal /etc/letsencrypt/lego/external"
FOLDERS_WEBSERVER="/etc/letsencrypt/http-01 /etc/letsencrypt/http-01/.well-known /etc/letsencrypt/http-01/.well-known/acme-challenge"
if [[ "${KOLLA_BASE_DISTRO}" =~ debian|ubuntu ]]; then
USER="www-data"
GROUP="www-data"
USERGROUP_WEBSERVER="${USER}:${GROUP}"
USERGROUP="haproxy:haproxy"
else
USER="apache"
GROUP="apache"
USERGROUP_WEBSERVER="${USER}:${GROUP}"
USERGROUP="haproxy:haproxy"
fi
for folder in ${FOLDERS_LEGO}; do
if [[ ! -d "${folder}" ]]; then
mkdir -p ${folder}
fi
if [[ $(stat -c %U:%G ${folder}) != "${USERGROUP}" ]]; then
if getent passwd ${USER} 2 > /dev/null; then
chown ${USERGROUP} ${folder}
fi
fi
if [[ "${folder}" == "/etc/letsencrypt" ]]; then
if [[ $(stat -c %a ${folder}) != "751" ]]; then
chmod 751 ${folder}
fi
else
if [[ $(stat -c %a ${folder}) != "755" ]]; then
chmod 755 ${folder}
fi
fi
done
for folder in ${FOLDERS_WEBSERVER}; do
if [[ ! -d "${folder}" ]]; then
mkdir -p ${folder}
fi
if [[ $(stat -c %U:%G ${folder}) != "${USERGROUP_WEBSERVER}" ]]; then
if getent passwd ${USER} 2 > /dev/null; then
chown ${USERGROUP_WEBSERVER} ${folder}
fi
fi
if [[ $(stat -c %a ${folder}) != "755" ]]; then
chmod 755 ${folder}
fi
done
if [ -e /usr/local/bin/kolla_letsencrypt_extend_start ]; then
. /usr/local/bin/kolla_letsencrypt_extend_start
fi

50
docker/letsencrypt/letsencrypt-lego/Dockerfile.j2 Executable file
View File

@ -0,0 +1,50 @@
FROM {{ namespace }}/{{ image_prefix }}letsencrypt-base:{{ tag }}
{% block labels %}
LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}"
{% endblock %}
{% block letsencrypt_lego_header %}{% endblock %}
{% import "macros.j2" as macros with context %}
{{ macros.configure_user(name='letsencrypt', shell='/bin/bash') }}
{% if base_package_type == 'rpm' %}
{% set letsencrypt_lego_packages = [
'openssh-clients',
'cronie',
'rsync'
] %}
{% elif base_package_type == 'deb' %}
{% set letsencrypt_lego_packages = [
'openssh-client',
'cron',
'rsync'
] %}
{% endif %}
{{ macros.install_packages(letsencrypt_lego_packages | customizable("packages")) }}
{% block letsencrypt_lego_repository_version %}
ARG letsencrypt_lego_version=4.6.0
{% if debian_arch == 'arm64' %}
ARG letsencrypt_lego_sha256sum=f5cecda8880d04ffc394049852a797ec120aebf0203ab0f1b877a0cd89bb0b3e
{% else %}
ARG letsencrypt_lego_sha256sum=c0c408788cdec96a4697300211c3944a050bb3d62ed3525a5409c136c94e09cb
{% endif %}
ARG letsencrypt_lego_url=https://github.com/go-acme/lego/releases/download/v${letsencrypt_lego_version}/lego_v${letsencrypt_lego_version}_linux_{{debian_arch}}.tar.gz
{% endblock %}
{% block letsencrypt_lego_install %}
RUN curl -L -o /tmp/lego.tar.gz ${letsencrypt_lego_url} \
&& echo "${letsencrypt_lego_sha256sum} /tmp/lego.tar.gz" | sha256sum -c \
&& tar xvf /tmp/lego.tar.gz -C /opt/ \
&& rm -f /tmp/lego.tar.gz
{% endblock %}
COPY letsencrypt-certificates.sh /usr/bin/letsencrypt-certificates
COPY sync-and-update-certificate.sh /usr/bin/sync-and-update-certificate
RUN chmod +x /usr/bin/letsencrypt-certificates /usr/bin/sync-and-update-certificate
{% block letsencrypt_lego_footer %}{% endblock %}
{% block footer %}{% endblock %}

167
docker/letsencrypt/letsencrypt-lego/letsencrypt-certificates.sh Executable file
View File

@ -0,0 +1,167 @@
#!/bin/bash
function log_info {
local message="${1}"
echo "$(date +%Y/%m/%d) $(date +%H:%M:%S) [INFO] ${message}"
}
function log_error {
local message="${1}"
echo "$(date +%Y/%m/%d) $(date +%H:%M:%S) [ERROR] ${message}"
}
function obtain_or_renew_certificate {
local certificate_fqdns="${1}"
local certificate_type="${2}"
local listen_port="${3}"
local valid_days="${4}"
local acme_url="${5}"
local mail="${6}"
local letsencrypt_ssh_port="${7}"
certificate_domain_opts=$(echo ${certificate_fqdns} | sed -r -e 's/^/,/g' -e 's/,/--domains=/g' -e 's/--/ --/g')
certificate_fqdn=$(echo ${certificate_fqdns} | awk -F ',' '{print $1}')
certificate_fqdns=$(echo ${certificate_fqdns} | sed -r 's/,/\ /g')
if [ -d "/etc/letsencrypt/lego/${certificate_type}/certificates" ]; then
garbage_count=$(find /etc/letsencrypt/lego/${certificate_type}/certificates/ -type f | grep -v "${certificate_fqdn}" | wc -l)
if [ ${garbage_count} -ne 0 ]; then
log_info "[${certificate_fqdn} - cron] Cleaning up garbage in certificates directory."
find /etc/letsencrypt/lego/${certificate_type}/certificates/ -type f | grep -v "${certificate_fqdn}" | xargs rm -f
fi
fi
if [ -e "/etc/letsencrypt/lego/${certificate_type}/certificates/${certificate_fqdn}.pem" ]; then
certificate_current_fqdns=$(openssl x509 -text -in /etc/letsencrypt/lego/${certificate_type}/certificates/${certificate_fqdn}.pem \
| grep DNS: \
| sed -r -e 's/\ *DNS://g' -e 's/^/,/g' -e 's/$/,/g')
local domains_add=""
for i in ${certificate_fqdns}; do
if ! echo "${certificate_current_fqdns}" | grep -q ",${i},"; then
domains_add="${domains_add} ${i}"
fi
done
domains_add=$(echo "${domains_add}" | sed -r -e 's/^\ //g' -e 's/\ /, /g')
if [ "${domains_add}" != "" ]; then
log_info "[${certificate_fqdn} - cron] Domains ${domains_add} will be added to certificate."
rm -f /etc/letsencrypt/lego/${certificate_type}/certificates/*
fi
fi
[ ! -e "/etc/letsencrypt/lego/${certificate_type}/certificates/${certificate_fqdn}.pem" ] && local lego_action="run" || local lego_action="renew"
log_info "[INFO] [${certificate_fqdn} - cron] Obtaining certificate for domains ${certificate_fqdns}."
/opt/lego --email="${mail}" \
${certificate_domain_opts} \
--server "${acme_url}" \
--path "/etc/letsencrypt/lego/${certificate_type}/" \
--http.webroot "/etc/letsencrypt/http-01" \
--http.port ${listen_port} \
--cert.timeout ${valid_days} \
--accept-tos \
--http \
--pem ${lego_action} \
--${lego_action}-hook="/usr/bin/sync-and-update-certificate --${certificate_type} --fqdn ${certificate_fqdn} --haproxies-ssh ${letsencrypt_ssh_port}"
}
# Parser
INTERNAL_SET="false"
EXTERNAL_SET="false"
LOG_FILE="/var/log/kolla/letsencrypt/lesencrypt-lego.log"
VALID_ARGS=$(getopt -o ief:p:d:m:a:v:h: --long internal,external,fqdns:,port:,days:,mail:,acme:,vips:,haproxies-ssh: -- "$@")
if [[ $? -ne 0 ]]; then
exit 1;
fi
eval set -- "$VALID_ARGS"
while [ : ]; do
case "$1" in
-i | --internal)
CERT_TYPE="internal"
INTERNAL_SET="true"
shift
;;
-e | --external)
CERT_TYPE="external"
EXTERNAL_SET="true"
shift
;;
-f | --fqdns)
FQDNS="${2}"
shift 2
;;
-p | --port)
PORT="${2}"
shift 2
;;
-d | --days)
DAYS="${2}"
shift 2
;;
-m | --mail)
MAIL="${2}"
shift 2
;;
-a | --acme)
ACME="${2}"
shift 2
;;
-v | --vips)
VIPS="${2}"
shift 2
;;
-h | --haproxies-ssh)
LETSENCRYPT_SSH_PORT="${2}"
shift 2
;;
--) shift;
break
;;
esac
done
FQDN=$(echo "${FQDNS}" | awk -F ',' '{print $1}')
if [ "${INTERNAL_SET}" = "true" ] || [ "${EXTERNAL_SET}" = "true" ]; then
if [ "${INTERNAL_SET}" = "${EXTERNAL_SET}" ]; then
log_error "[${FQDN} - cron] Only --internal or --external parameter is allowed at a time."
exit 1
fi
LETSENCRYPT_VIP_ADDRESSES="$(echo ${VIPS} | sed -e 's/,/|/g')"
if [ "${INTERNAL_SET}" = "true" ]; then
LETSENCRYPT_INTERNAL_FQDNS="${FQDNS}"
fi
if [ "${EXTERNAL_SET}" = "true" ]; then
LETSENCRYPT_EXTERNAL_FQDNS="${FQDNS}"
fi
if ip a | egrep -q "${LETSENCRYPT_VIP_ADDRESSES}"; then
log_info "[${FQDN} - cron] This Letsencrypt-lego host is active..."
if [ "${LETSENCRYPT_INTERNAL_FQDNS}" != "" ]; then
log_info "[${FQDN} - cron] Processing domains ${LETSENCRYPT_INTERNAL_FQDNS}"
obtain_or_renew_certificate ${LETSENCRYPT_INTERNAL_FQDNS} internal ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT}
fi
if [ "${LETSENCRYPT_EXTERNAL_FQDNS}" != "" ]; then
log_info "[INFO] [${FQDN} - cron] Processing domains ${LETSENCRYPT_EXTERNAL_FQDNS}"
obtain_or_renew_certificate ${LETSENCRYPT_EXTERNAL_FQDNS} external ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT}
fi
else
log_info "[${FQDN} - cron] This Letsencrypt-lego host is passive, nothing to do..."
fi
fi
if [ -d "/etc/letsencrypt/lego" ]; then
chown -R haproxy:haproxy /etc/letsencrypt/lego
fi

93
docker/letsencrypt/letsencrypt-lego/sync-and-update-certificate.sh Normal file
View File

@ -0,0 +1,93 @@
#!/bin/bash
function log_info {
local message="${1}"
echo "$(date +%Y/%m/%d) $(date +%H:%M:%S) [INFO] ${message}"
}
function log_error {
local message="${1}"
echo "$(date +%Y/%m/%d) $(date +%H:%M:%S) [ERROR] ${message}"
}
# Parser
INTERNAL_SET="false"
EXTERNAL_SET="false"
LOG_FILE="/var/log/kolla/letsencrypt/lesencrypt-lego.log"
VALID_ARGS=$(getopt -o ief:l: --long internal,external,fqdn:,haproxies-ssh: -- "$@")
if [[ $? -ne 0 ]]; then
exit 1;
fi
eval set -- "$VALID_ARGS"
while [ : ]; do
case "$1" in
-i | --internal)
CERT_TYPE="internal"
INTERNAL_SET="true"
shift
;;
-e | --external)
CERT_TYPE="external"
EXTERNAL_SET="true"
shift
;;
-f | --fqdn)
FQDN="${2}"
shift 2
;;
-l | --haproxies-ssh)
HAPROXIES_SSH_HOSTS_PORT="${2}"
shift 2
;;
--) shift;
break
;;
esac
done
if [ "${INTERNAL_SET}" = "true" ] || [ "${EXTERNAL_SET}" = "true" ]; then
if [ "${INTERNAL_SET}" = "${EXTERNAL_SET}" ]; then
log_error "[${FQDN} - hook] Only --internal or --external parameter is allowed at a time"
exit 1
fi
HAPROXIES_SSH_HOSTS_PORT=$(echo ${HAPROXIES_SSH_HOSTS_PORT} | sed -e 's/,/ /g')
for i in ${HAPROXIES_SSH_HOSTS_PORT}; do
server=$(echo $i | awk -F ':' '{print $1}')
port=$(echo $i | awk -F ':' '{print $2}')
if ! ip a | grep -q "${server}"; then
log_info "[${FQDN} - hook] Rsync lego data /etc/letsencrypt/lego/ to server ${server} and port ${port}"
rsync -a -e "ssh -p ${port} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentityFile=/var/lib/letsencrypt/.ssh/id_rsa" /etc/letsencrypt/lego/ haproxy@${server}:/etc/letsencrypt/lego/ --delete >/dev/null 2>&1
if [ "$?" -eq 0 ]; then
log_info "[${FQDN} - hook] Rsync Successfull."
fi
else
log_info "[${FQDN} - hook] Rsync lego data /etc/letsencrypt/lego/ to server ${server} and port ${port} not needed."
fi
if [ "${INTERNAL_SET}" = "true" ]; then
internal_cert_path=$(find /etc/letsencrypt/lego/internal/ -name '*.pem')
sed -i '/^$/d' ${internal_cert_path}
rsync -av -e "ssh -p ${port} -o StrictHostKeyChecking=no -o IdentityFile=/var/lib/letsencrypt/.ssh/id_rsa" ${internal_cert_path} haproxy@${server}:/var/lib/haproxy/haproxy-internal.pem --delete >/dev/null 2>&1
ssh -p ${port} -i /var/lib/letsencrypt/.ssh/id_rsa -o StrictHostKeyChecking=no haproxy@${server} "/usr/bin/update-haproxy-cert --internal"
else
external_cert_path=$(find /etc/letsencrypt/lego/external/ -name '*.pem')
sed -i '/^$/d' ${external_cert_path}
rsync -av -e "ssh -p ${port} -o StrictHostKeyChecking=no -o IdentityFile=/var/lib/letsencrypt/.ssh/id_rsa" ${external_cert_path} haproxy@${server}:/var/lib/haproxy/haproxy.pem --delete >/dev/null 2>&1
ssh -p ${port} -i /var/lib/letsencrypt/.ssh/id_rsa -o StrictHostKeyChecking=no haproxy@${server} "/usr/bin/update-haproxy-cert --external"
fi
done
fi

32
docker/letsencrypt/letsencrypt-webserver/Dockerfile.j2 Normal file
View File

@ -0,0 +1,32 @@
FROM {{ namespace }}/{{ image_prefix }}letsencrypt-base:{{ tag }}
{% block labels %}
LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}"
{% endblock %}
{% block letsencrypt_webserver_header %}{% endblock %}
{% import "macros.j2" as macros with context %}
{% if base_package_type == 'rpm' %}
{% set letsencrypt_webserver_packages = [
'httpd',
'mod_ssl'
] %}
{% elif base_package_type == 'deb' %}
{% set letsencrypt_webserver_packages = [
'apache2'
] %}
{% endif %}
{{ macros.install_packages(letsencrypt_webserver_packages | customizable("packages")) }}
{% if base_package_type == 'rpm' %}
RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
&& sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
{% elif base_package_type == 'deb' %}
RUN echo > /etc/apache2/ports.conf
{% endif %}
COPY extend_start.sh /usr/local/bin/kolla_letsencrypt_extend_start
{% block letsencrypt_webserver_footer %}{% endblock %}
{% block footer %}{% endblock %}

3
docker/letsencrypt/letsencrypt-webserver/extend_start.sh Normal file
View File

@ -0,0 +1,3 @@
#!/bin/bash
. /usr/local/bin/kolla_httpd_setup

5
releasenotes/notes/add-api-layer-to-letsencrypt-images-9db42c763b7d13ad.yaml Normal file
View File

@ -0,0 +1,5 @@
---
features:
- |
Adds an API layer to letsencrypt image which are represented by set of
scripts. Those scripts are called from kolla-ansible orchestration.