From 3213dccb8c318134695bcc9c9ba480448964314f Mon Sep 17 00:00:00 2001 From: Michal Arbet Date: Fri, 30 Jun 2023 01:29:35 +0200 Subject: [PATCH] Rework letsencrypt This patch is adding "API layer" to letsencrypt images which is represented by set of scripts inside. This scripts are called by kolla-ansible orchestration. Change-Id: I61b70fb4e12ba03b96e79004e735d2ead0f52319 --- docker/haproxy/haproxy-ssh/Dockerfile.j2 | 4 + docker/haproxy/haproxy-ssh/extend_start.sh | 25 ++- .../haproxy-ssh/update-haproxy-cert.sh | 113 ++++++++++++ docker/letsencrypt/Dockerfile.j2 | 38 ---- docker/letsencrypt/extend_start.sh | 10 -- .../letsencrypt-base/Dockerfile.j2 | 14 ++ .../letsencrypt-base/extend_start.sh | 69 ++++++++ .../letsencrypt-lego/Dockerfile.j2 | 50 ++++++ .../letsencrypt-certificates.sh | 167 ++++++++++++++++++ .../sync-and-update-certificate.sh | 93 ++++++++++ .../letsencrypt-webserver/Dockerfile.j2 | 32 ++++ .../letsencrypt-webserver/extend_start.sh | 3 + ...o-letsencrypt-images-9db42c763b7d13ad.yaml | 5 + 13 files changed, 573 insertions(+), 50 deletions(-) create mode 100755 docker/haproxy/haproxy-ssh/update-haproxy-cert.sh delete mode 100644 docker/letsencrypt/Dockerfile.j2 delete mode 100644 docker/letsencrypt/extend_start.sh create mode 100644 docker/letsencrypt/letsencrypt-base/Dockerfile.j2 create mode 100644 docker/letsencrypt/letsencrypt-base/extend_start.sh create mode 100755 docker/letsencrypt/letsencrypt-lego/Dockerfile.j2 create mode 100755 docker/letsencrypt/letsencrypt-lego/letsencrypt-certificates.sh create mode 100644 docker/letsencrypt/letsencrypt-lego/sync-and-update-certificate.sh create mode 100644 docker/letsencrypt/letsencrypt-webserver/Dockerfile.j2 create mode 100644 docker/letsencrypt/letsencrypt-webserver/extend_start.sh create mode 100644 releasenotes/notes/add-api-layer-to-letsencrypt-images-9db42c763b7d13ad.yaml diff --git a/docker/haproxy/haproxy-ssh/Dockerfile.j2 b/docker/haproxy/haproxy-ssh/Dockerfile.j2 index 8eecc88916..b8277a237b 100644 --- a/docker/haproxy/haproxy-ssh/Dockerfile.j2 +++ b/docker/haproxy/haproxy-ssh/Dockerfile.j2 @@ -13,6 +13,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build {% set haproxy_ssh_packages = [ 'openssh-server', 'openssh-clients', + 'rsync', ] %} # NOTE(mgoddard): The centos:8 image contains a /run/nologin file, which @@ -23,6 +24,7 @@ RUN rm -f /run/nologin {% set haproxy_ssh_packages = [ 'openssh-server', 'openssh-client', + 'rsync', ] %} RUN mkdir -p /var/run/sshd \ @@ -36,5 +38,7 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start RUN chmod 644 /usr/local/bin/kolla_extend_start \ && sed -ri 's/session(\s+)required(\s+)pam_loginuid.so/session\1optional\2pam_loginuid.so/' /etc/pam.d/sshd +COPY update-haproxy-cert.sh /usr/bin/update-haproxy-cert + {% block haproxy_ssh_footer %}{% endblock %} {% block footer %}{% endblock %} diff --git a/docker/haproxy/haproxy-ssh/extend_start.sh b/docker/haproxy/haproxy-ssh/extend_start.sh index d571e72920..421e4bd6ff 100644 --- a/docker/haproxy/haproxy-ssh/extend_start.sh +++ b/docker/haproxy/haproxy-ssh/extend_start.sh @@ -1,6 +1,6 @@ #!/bin/bash -SSH_HOST_KEY_TYPES=( "ecdsa" ) +SSH_HOST_KEY_TYPES=( "rsa" "dsa" "ecdsa" "ed25519" ) for key_type in ${SSH_HOST_KEY_TYPES[@]}; do KEY_PATH=/etc/ssh/ssh_host_${key_type}_key @@ -12,5 +12,26 @@ done mkdir -p /var/lib/haproxy/.ssh if [[ $(stat -c %U:%G /var/lib/haproxy/.ssh) != "haproxy:haproxy" ]]; then - sudo chown haproxy: /var/lib/haproxy/.ssh + chown haproxy: /var/lib/haproxy/.ssh fi + +FOLDERS_LEGO="/etc/letsencrypt /etc/letsencrypt/backups" +USERGROUP="haproxy:haproxy" + +for folder in ${FOLDERS_LEGO}; do + mkdir -p ${folder} + + if [[ $(stat -c %U:%G ${folder}) != "${USERGROUP}" ]]; then + chown ${USERGROUP} ${folder} + fi + + if [[ "${folder}" == "/etc/letsencrypt" ]]; then + if [[ $(stat -c %a ${folder}) != "751" ]]; then + chmod 751 ${folder} + fi + else + if [[ $(stat -c %a ${folder}) != "755" ]]; then + chmod 755 ${folder} + fi + fi +done diff --git a/docker/haproxy/haproxy-ssh/update-haproxy-cert.sh b/docker/haproxy/haproxy-ssh/update-haproxy-cert.sh new file mode 100755 index 0000000000..61a5d0806d --- /dev/null +++ b/docker/haproxy/haproxy-ssh/update-haproxy-cert.sh @@ -0,0 +1,113 @@ +#!/bin/bash + +function haproxy_transaction_start { + local cert_input=${1} + local cert_dest=${2} + + local transaction_result="" + local transaction_grep_check="" + + transaction_grep_check="Transaction (created|updated) for certificate $(echo $cert_dest | sed -e 's|/|\\/|g')!" + transaction_result=$(echo -e "set ssl cert ${cert_dest} <<\n$(cat ${cert_input})\n" | socat unix-connect:/var/lib/kolla/haproxy/haproxy.sock -) + if echo "${transaction_result}" | grep -Pq "${transaction_grep_check}"; then + echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [INFO] [${cert_dest} - update] Transaction ${cert_input} -> ${cert_dest} started." + else + echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [ERROR] [${cert_dest} - update] Transaction ${cert_input} -> ${cert_dest} failed." + exit 1 + fi + + local cert_input_sha1="" + local cert_dest_sha1="" + + cert_input_sha1=$(openssl x509 -noout -fingerprint -sha1 -inform pem -in ${cert_input} | awk -F '=' '{print $2}' | sed -e 's/://g') + cert_dest_sha1=$(echo "show ssl cert *${cert_dest}" | socat unix-connect:/var/lib/kolla/haproxy/haproxy.sock - | awk -F 'SHA1 FingerPrint: ' '{print $2}' | sed '/^$/d') + if [ "${cert_input_sha1}" = "${cert_dest_sha1}" ]; then + echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [INFO] [${cert_dest} - update] Transaction ${cert_input} -> ${cert_dest} successfull." + else + echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [ERROR] [${cert_dest} - update] Transaction ${cert_input} -> ${cert_dest} failed." + exit 1 + fi +} + +function haproxy_upload_to_memory { + local cert_input=${1} + local cert_dest=${2} + + local cert_upload_output="" + + cert_upload_output=$(echo "commit ssl cert ${cert_dest}" | socat unix-connect:/var/lib/kolla/haproxy/haproxy.sock -) + if echo "${cert_upload_output}" | grep -q "Success!"; then + echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [INFO] [${cert_dest} - update] Certificate ${cert_input} uploaded to haproxy memory." + else + echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [ERROR] [${cert_dest} - update] Certificate ${cert_input} upload to haproxy memory failed." + exit 1 + fi +} + +function haproxy_write_to_disk { + local cert_input=${1} + local cert_haproxy_path=${2} + + local cert_backup_suffix="" + local cert_backup_path="" + local cert_backup_name="" + + cert_backup_suffix="-$(date +%Y-%m-%d-%H-%M-%S).pem" + cert_backup_path=$(echo "${cert_input}" | awk -v suffix="$cert_backup_suffix" -F '.pem' '{print $1suffix}') + cert_backup_name=$(echo ${cert_backup_path} | awk -F '/' '{print $NF}') + mkdir -p /etc/letsencrypt/backups + echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [INFO] [${cert_haproxy_path} - update] Backuping currently loaded ${cert_haproxy_path} -> /etc/letsencrypt/backups/${cert_backup_name}" + cp -a ${cert_haproxy_path} /etc/letsencrypt/backups/${cert_backup_name} + cp -a ${cert_input} ${cert_haproxy_path} + rm -f ${cert_input} +} + + +# Parser + +INTERNAL_SET="false" +EXTERNAL_SET="false" + +VALID_ARGS=$(getopt -o ie --long internal,external -- "$@") +if [[ $? -ne 0 ]]; then + exit 1; +fi + +eval set -- "$VALID_ARGS" +while [ : ]; do + case "$1" in + -i | --internal) + CERT_TYPE="internal" + INTERNAL_SET="true" + shift + ;; + -e | --external) + CERT_TYPE="external" + EXTERNAL_SET="true" + shift + ;; + --) shift; + break + ;; + esac +done + +if [ "${INTERNAL_SET}" = "true" ] || [ "${EXTERNAL_SET}" = "true" ]; then + if [ "${INTERNAL_SET}" = "${EXTERNAL_SET}" ]; then + echo "[e] Only --internal or --external parameter is allowed at a time" + exit 1 + fi + if [ "${INTERNAL_SET}" = "true" ]; then + HAPROXY_CERT_INCOMING_PATH="/var/lib/haproxy/haproxy-internal.pem" + HAPROXY_CERT_PATH="/etc/haproxy/certificates/haproxy-internal.pem" + else + HAPROXY_CERT_INCOMING_PATH="/var/lib/haproxy/haproxy.pem" + HAPROXY_CERT_PATH="/etc/haproxy/certificates/haproxy.pem" + fi +fi + +# Main + +haproxy_transaction_start ${HAPROXY_CERT_INCOMING_PATH} ${HAPROXY_CERT_PATH} +haproxy_upload_to_memory ${HAPROXY_CERT_INCOMING_PATH} ${HAPROXY_CERT_PATH} +haproxy_write_to_disk ${HAPROXY_CERT_INCOMING_PATH} ${HAPROXY_CERT_PATH} diff --git a/docker/letsencrypt/Dockerfile.j2 b/docker/letsencrypt/Dockerfile.j2 deleted file mode 100644 index 3617e8714e..0000000000 --- a/docker/letsencrypt/Dockerfile.j2 +++ /dev/null @@ -1,38 +0,0 @@ -FROM {{ namespace }}/{{ image_prefix }}openstack-base:{{ tag }} -{% block labels %} -LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}" -{% endblock %} - -{% block letsencrypt_header %}{% endblock %} - -{% import "macros.j2" as macros with context %} - -{% if base_package_type == 'rpm' %} - {% set letsencrypt_packages = [ - 'openssh-clients', - 'cronie' - ] %} -{% elif base_package_type == 'deb' %} - {% set letsencrypt_packages = [ - 'openssh-client', - 'cron' - ] %} -{% endif %} -{{ macros.install_packages(letsencrypt_packages | customizable("packages")) }} - -COPY extend_start.sh /usr/local/bin/kolla_extend_start -RUN chmod 644 /usr/local/bin/kolla_extend_start - -{% block lego_repository %} -ENV lego_version=4.6.0 -ENV lego_download_url=https://github.com/go-acme/lego/releases/download/v${lego_version}/lego_v${lego_version}_linux_{{debian_arch}}.tar.gz -{% endblock %} - -{% block lego_install %} -RUN curl -o /tmp/lego.tar.gz ${lego_download_url} \ - && tar xvf /tmp/lego.tar.gz -C /opt/ \ - && rm -f /tmp/lego.tar.gz -{% endblock %} - -{% block letsencrypt_footer %}{% endblock %} -{% block footer %}{% endblock %} diff --git a/docker/letsencrypt/extend_start.sh b/docker/letsencrypt/extend_start.sh deleted file mode 100644 index 420c96028b..0000000000 --- a/docker/letsencrypt/extend_start.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -if [[ ! -d "/var/log/kolla/letsencrypt" ]]; then - mkdir -p /var/log/kolla/letsencrypt -fi -if [[ $(stat -c %a /var/log/kolla/letsencrypt) != "755" ]]; then - chmod 755 /var/log/kolla/letsencrypt -fi - -. /usr/local/bin/kolla_httpd_setup diff --git a/docker/letsencrypt/letsencrypt-base/Dockerfile.j2 b/docker/letsencrypt/letsencrypt-base/Dockerfile.j2 new file mode 100644 index 0000000000..022ff2bfa3 --- /dev/null +++ b/docker/letsencrypt/letsencrypt-base/Dockerfile.j2 @@ -0,0 +1,14 @@ +FROM {{ namespace }}/{{ image_prefix }}base:{{ tag }} +{% block labels %} +LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}" +{% endblock %} + +{% block letsencrypt_base_header %}{% endblock %} + +{% import "macros.j2" as macros with context %} + +{{ macros.install_packages(cinder_base_packages | customizable("packages")) }} + +COPY extend_start.sh /usr/local/bin/kolla_extend_start + +{% block letsencrypt_base_footer %}{% endblock %} diff --git a/docker/letsencrypt/letsencrypt-base/extend_start.sh b/docker/letsencrypt/letsencrypt-base/extend_start.sh new file mode 100644 index 0000000000..0300f0b444 --- /dev/null +++ b/docker/letsencrypt/letsencrypt-base/extend_start.sh @@ -0,0 +1,69 @@ +#!/bin/bash + +# Logs + +if [[ ! -d "/var/log/kolla/letsencrypt" ]]; then + mkdir -p /var/log/kolla/letsencrypt +fi +if [[ $(stat -c %a /var/log/kolla/letsencrypt) != "755" ]]; then + chmod 755 /var/log/kolla/letsencrypt +fi + +# Structure for lego and webserver + +FOLDERS_LEGO="/etc/letsencrypt /etc/letsencrypt/lego /etc/letsencrypt/lego/internal /etc/letsencrypt/lego/external" +FOLDERS_WEBSERVER="/etc/letsencrypt/http-01 /etc/letsencrypt/http-01/.well-known /etc/letsencrypt/http-01/.well-known/acme-challenge" + +if [[ "${KOLLA_BASE_DISTRO}" =~ debian|ubuntu ]]; then + USER="www-data" + GROUP="www-data" + USERGROUP_WEBSERVER="${USER}:${GROUP}" + USERGROUP="haproxy:haproxy" +else + USER="apache" + GROUP="apache" + USERGROUP_WEBSERVER="${USER}:${GROUP}" + USERGROUP="haproxy:haproxy" +fi + +for folder in ${FOLDERS_LEGO}; do + if [[ ! -d "${folder}" ]]; then + mkdir -p ${folder} + fi + + if [[ $(stat -c %U:%G ${folder}) != "${USERGROUP}" ]]; then + if getent passwd ${USER} 2 > /dev/null; then + chown ${USERGROUP} ${folder} + fi + fi + + if [[ "${folder}" == "/etc/letsencrypt" ]]; then + if [[ $(stat -c %a ${folder}) != "751" ]]; then + chmod 751 ${folder} + fi + else + if [[ $(stat -c %a ${folder}) != "755" ]]; then + chmod 755 ${folder} + fi + fi +done + +for folder in ${FOLDERS_WEBSERVER}; do + if [[ ! -d "${folder}" ]]; then + mkdir -p ${folder} + fi + + if [[ $(stat -c %U:%G ${folder}) != "${USERGROUP_WEBSERVER}" ]]; then + if getent passwd ${USER} 2 > /dev/null; then + chown ${USERGROUP_WEBSERVER} ${folder} + fi + fi + + if [[ $(stat -c %a ${folder}) != "755" ]]; then + chmod 755 ${folder} + fi +done + +if [ -e /usr/local/bin/kolla_letsencrypt_extend_start ]; then + . /usr/local/bin/kolla_letsencrypt_extend_start +fi diff --git a/docker/letsencrypt/letsencrypt-lego/Dockerfile.j2 b/docker/letsencrypt/letsencrypt-lego/Dockerfile.j2 new file mode 100755 index 0000000000..47e9a5308c --- /dev/null +++ b/docker/letsencrypt/letsencrypt-lego/Dockerfile.j2 @@ -0,0 +1,50 @@ +FROM {{ namespace }}/{{ image_prefix }}letsencrypt-base:{{ tag }} +{% block labels %} +LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}" +{% endblock %} + +{% block letsencrypt_lego_header %}{% endblock %} + +{% import "macros.j2" as macros with context %} + +{{ macros.configure_user(name='letsencrypt', shell='/bin/bash') }} + +{% if base_package_type == 'rpm' %} + {% set letsencrypt_lego_packages = [ + 'openssh-clients', + 'cronie', + 'rsync' + ] %} +{% elif base_package_type == 'deb' %} + {% set letsencrypt_lego_packages = [ + 'openssh-client', + 'cron', + 'rsync' + ] %} +{% endif %} +{{ macros.install_packages(letsencrypt_lego_packages | customizable("packages")) }} + +{% block letsencrypt_lego_repository_version %} +ARG letsencrypt_lego_version=4.6.0 +{% if debian_arch == 'arm64' %} +ARG letsencrypt_lego_sha256sum=f5cecda8880d04ffc394049852a797ec120aebf0203ab0f1b877a0cd89bb0b3e +{% else %} +ARG letsencrypt_lego_sha256sum=c0c408788cdec96a4697300211c3944a050bb3d62ed3525a5409c136c94e09cb +{% endif %} +ARG letsencrypt_lego_url=https://github.com/go-acme/lego/releases/download/v${letsencrypt_lego_version}/lego_v${letsencrypt_lego_version}_linux_{{debian_arch}}.tar.gz +{% endblock %} + +{% block letsencrypt_lego_install %} +RUN curl -L -o /tmp/lego.tar.gz ${letsencrypt_lego_url} \ + && echo "${letsencrypt_lego_sha256sum} /tmp/lego.tar.gz" | sha256sum -c \ + && tar xvf /tmp/lego.tar.gz -C /opt/ \ + && rm -f /tmp/lego.tar.gz +{% endblock %} + +COPY letsencrypt-certificates.sh /usr/bin/letsencrypt-certificates +COPY sync-and-update-certificate.sh /usr/bin/sync-and-update-certificate + +RUN chmod +x /usr/bin/letsencrypt-certificates /usr/bin/sync-and-update-certificate + +{% block letsencrypt_lego_footer %}{% endblock %} +{% block footer %}{% endblock %} diff --git a/docker/letsencrypt/letsencrypt-lego/letsencrypt-certificates.sh b/docker/letsencrypt/letsencrypt-lego/letsencrypt-certificates.sh new file mode 100755 index 0000000000..464fe9c956 --- /dev/null +++ b/docker/letsencrypt/letsencrypt-lego/letsencrypt-certificates.sh @@ -0,0 +1,167 @@ +#!/bin/bash + +function log_info { + local message="${1}" + + echo "$(date +%Y/%m/%d) $(date +%H:%M:%S) [INFO] ${message}" +} + +function log_error { + local message="${1}" + + echo "$(date +%Y/%m/%d) $(date +%H:%M:%S) [ERROR] ${message}" +} + +function obtain_or_renew_certificate { + local certificate_fqdns="${1}" + local certificate_type="${2}" + local listen_port="${3}" + local valid_days="${4}" + local acme_url="${5}" + local mail="${6}" + local letsencrypt_ssh_port="${7}" + + certificate_domain_opts=$(echo ${certificate_fqdns} | sed -r -e 's/^/,/g' -e 's/,/--domains=/g' -e 's/--/ --/g') + certificate_fqdn=$(echo ${certificate_fqdns} | awk -F ',' '{print $1}') + certificate_fqdns=$(echo ${certificate_fqdns} | sed -r 's/,/\ /g') + + if [ -d "/etc/letsencrypt/lego/${certificate_type}/certificates" ]; then + garbage_count=$(find /etc/letsencrypt/lego/${certificate_type}/certificates/ -type f | grep -v "${certificate_fqdn}" | wc -l) + if [ ${garbage_count} -ne 0 ]; then + log_info "[${certificate_fqdn} - cron] Cleaning up garbage in certificates directory." + find /etc/letsencrypt/lego/${certificate_type}/certificates/ -type f | grep -v "${certificate_fqdn}" | xargs rm -f + fi + fi + + if [ -e "/etc/letsencrypt/lego/${certificate_type}/certificates/${certificate_fqdn}.pem" ]; then + certificate_current_fqdns=$(openssl x509 -text -in /etc/letsencrypt/lego/${certificate_type}/certificates/${certificate_fqdn}.pem \ + | grep DNS: \ + | sed -r -e 's/\ *DNS://g' -e 's/^/,/g' -e 's/$/,/g') + + local domains_add="" + for i in ${certificate_fqdns}; do + if ! echo "${certificate_current_fqdns}" | grep -q ",${i},"; then + domains_add="${domains_add} ${i}" + fi + done + domains_add=$(echo "${domains_add}" | sed -r -e 's/^\ //g' -e 's/\ /, /g') + + if [ "${domains_add}" != "" ]; then + log_info "[${certificate_fqdn} - cron] Domains ${domains_add} will be added to certificate." + rm -f /etc/letsencrypt/lego/${certificate_type}/certificates/* + fi + fi + + [ ! -e "/etc/letsencrypt/lego/${certificate_type}/certificates/${certificate_fqdn}.pem" ] && local lego_action="run" || local lego_action="renew" + + log_info "[INFO] [${certificate_fqdn} - cron] Obtaining certificate for domains ${certificate_fqdns}." + /opt/lego --email="${mail}" \ + ${certificate_domain_opts} \ + --server "${acme_url}" \ + --path "/etc/letsencrypt/lego/${certificate_type}/" \ + --http.webroot "/etc/letsencrypt/http-01" \ + --http.port ${listen_port} \ + --cert.timeout ${valid_days} \ + --accept-tos \ + --http \ + --pem ${lego_action} \ + --${lego_action}-hook="/usr/bin/sync-and-update-certificate --${certificate_type} --fqdn ${certificate_fqdn} --haproxies-ssh ${letsencrypt_ssh_port}" +} + + +# Parser + +INTERNAL_SET="false" +EXTERNAL_SET="false" +LOG_FILE="/var/log/kolla/letsencrypt/lesencrypt-lego.log" + + +VALID_ARGS=$(getopt -o ief:p:d:m:a:v:h: --long internal,external,fqdns:,port:,days:,mail:,acme:,vips:,haproxies-ssh: -- "$@") +if [[ $? -ne 0 ]]; then + exit 1; +fi + +eval set -- "$VALID_ARGS" +while [ : ]; do + case "$1" in + -i | --internal) + CERT_TYPE="internal" + INTERNAL_SET="true" + shift + ;; + -e | --external) + CERT_TYPE="external" + EXTERNAL_SET="true" + shift + ;; + -f | --fqdns) + FQDNS="${2}" + shift 2 + ;; + -p | --port) + PORT="${2}" + shift 2 + ;; + -d | --days) + DAYS="${2}" + shift 2 + ;; + -m | --mail) + MAIL="${2}" + shift 2 + ;; + -a | --acme) + ACME="${2}" + shift 2 + ;; + -v | --vips) + VIPS="${2}" + shift 2 + ;; + -h | --haproxies-ssh) + LETSENCRYPT_SSH_PORT="${2}" + shift 2 + ;; + --) shift; + break + ;; + esac +done + +FQDN=$(echo "${FQDNS}" | awk -F ',' '{print $1}') + +if [ "${INTERNAL_SET}" = "true" ] || [ "${EXTERNAL_SET}" = "true" ]; then + if [ "${INTERNAL_SET}" = "${EXTERNAL_SET}" ]; then + log_error "[${FQDN} - cron] Only --internal or --external parameter is allowed at a time." + exit 1 + fi + + LETSENCRYPT_VIP_ADDRESSES="$(echo ${VIPS} | sed -e 's/,/|/g')" + if [ "${INTERNAL_SET}" = "true" ]; then + LETSENCRYPT_INTERNAL_FQDNS="${FQDNS}" + fi + + if [ "${EXTERNAL_SET}" = "true" ]; then + LETSENCRYPT_EXTERNAL_FQDNS="${FQDNS}" + fi + + + if ip a | egrep -q "${LETSENCRYPT_VIP_ADDRESSES}"; then + log_info "[${FQDN} - cron] This Letsencrypt-lego host is active..." + if [ "${LETSENCRYPT_INTERNAL_FQDNS}" != "" ]; then + log_info "[${FQDN} - cron] Processing domains ${LETSENCRYPT_INTERNAL_FQDNS}" + obtain_or_renew_certificate ${LETSENCRYPT_INTERNAL_FQDNS} internal ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT} + fi + + if [ "${LETSENCRYPT_EXTERNAL_FQDNS}" != "" ]; then + log_info "[INFO] [${FQDN} - cron] Processing domains ${LETSENCRYPT_EXTERNAL_FQDNS}" + obtain_or_renew_certificate ${LETSENCRYPT_EXTERNAL_FQDNS} external ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT} + fi + else + log_info "[${FQDN} - cron] This Letsencrypt-lego host is passive, nothing to do..." + fi +fi + +if [ -d "/etc/letsencrypt/lego" ]; then + chown -R haproxy:haproxy /etc/letsencrypt/lego +fi diff --git a/docker/letsencrypt/letsencrypt-lego/sync-and-update-certificate.sh b/docker/letsencrypt/letsencrypt-lego/sync-and-update-certificate.sh new file mode 100644 index 0000000000..6dc76e988e --- /dev/null +++ b/docker/letsencrypt/letsencrypt-lego/sync-and-update-certificate.sh @@ -0,0 +1,93 @@ +#!/bin/bash + +function log_info { + local message="${1}" + + echo "$(date +%Y/%m/%d) $(date +%H:%M:%S) [INFO] ${message}" +} + +function log_error { + local message="${1}" + + echo "$(date +%Y/%m/%d) $(date +%H:%M:%S) [ERROR] ${message}" +} + + +# Parser + +INTERNAL_SET="false" +EXTERNAL_SET="false" +LOG_FILE="/var/log/kolla/letsencrypt/lesencrypt-lego.log" + + +VALID_ARGS=$(getopt -o ief:l: --long internal,external,fqdn:,haproxies-ssh: -- "$@") +if [[ $? -ne 0 ]]; then + exit 1; +fi + +eval set -- "$VALID_ARGS" +while [ : ]; do + case "$1" in + -i | --internal) + CERT_TYPE="internal" + INTERNAL_SET="true" + shift + ;; + -e | --external) + CERT_TYPE="external" + EXTERNAL_SET="true" + shift + ;; + -f | --fqdn) + FQDN="${2}" + shift 2 + ;; + -l | --haproxies-ssh) + HAPROXIES_SSH_HOSTS_PORT="${2}" + shift 2 + ;; + --) shift; + break + ;; + esac +done + +if [ "${INTERNAL_SET}" = "true" ] || [ "${EXTERNAL_SET}" = "true" ]; then + if [ "${INTERNAL_SET}" = "${EXTERNAL_SET}" ]; then + log_error "[${FQDN} - hook] Only --internal or --external parameter is allowed at a time" + exit 1 + fi + + HAPROXIES_SSH_HOSTS_PORT=$(echo ${HAPROXIES_SSH_HOSTS_PORT} | sed -e 's/,/ /g') + + for i in ${HAPROXIES_SSH_HOSTS_PORT}; do + + server=$(echo $i | awk -F ':' '{print $1}') + port=$(echo $i | awk -F ':' '{print $2}') + + if ! ip a | grep -q "${server}"; then + + log_info "[${FQDN} - hook] Rsync lego data /etc/letsencrypt/lego/ to server ${server} and port ${port}" + rsync -a -e "ssh -p ${port} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentityFile=/var/lib/letsencrypt/.ssh/id_rsa" /etc/letsencrypt/lego/ haproxy@${server}:/etc/letsencrypt/lego/ --delete >/dev/null 2>&1 + if [ "$?" -eq 0 ]; then + log_info "[${FQDN} - hook] Rsync Successfull." + fi + + else + log_info "[${FQDN} - hook] Rsync lego data /etc/letsencrypt/lego/ to server ${server} and port ${port} not needed." + fi + + if [ "${INTERNAL_SET}" = "true" ]; then + internal_cert_path=$(find /etc/letsencrypt/lego/internal/ -name '*.pem') + sed -i '/^$/d' ${internal_cert_path} + rsync -av -e "ssh -p ${port} -o StrictHostKeyChecking=no -o IdentityFile=/var/lib/letsencrypt/.ssh/id_rsa" ${internal_cert_path} haproxy@${server}:/var/lib/haproxy/haproxy-internal.pem --delete >/dev/null 2>&1 + ssh -p ${port} -i /var/lib/letsencrypt/.ssh/id_rsa -o StrictHostKeyChecking=no haproxy@${server} "/usr/bin/update-haproxy-cert --internal" + else + external_cert_path=$(find /etc/letsencrypt/lego/external/ -name '*.pem') + sed -i '/^$/d' ${external_cert_path} + rsync -av -e "ssh -p ${port} -o StrictHostKeyChecking=no -o IdentityFile=/var/lib/letsencrypt/.ssh/id_rsa" ${external_cert_path} haproxy@${server}:/var/lib/haproxy/haproxy.pem --delete >/dev/null 2>&1 + ssh -p ${port} -i /var/lib/letsencrypt/.ssh/id_rsa -o StrictHostKeyChecking=no haproxy@${server} "/usr/bin/update-haproxy-cert --external" + fi + + done +fi diff --git a/docker/letsencrypt/letsencrypt-webserver/Dockerfile.j2 b/docker/letsencrypt/letsencrypt-webserver/Dockerfile.j2 new file mode 100644 index 0000000000..d97af8f9cf --- /dev/null +++ b/docker/letsencrypt/letsencrypt-webserver/Dockerfile.j2 @@ -0,0 +1,32 @@ +FROM {{ namespace }}/{{ image_prefix }}letsencrypt-base:{{ tag }} +{% block labels %} +LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}" +{% endblock %} + +{% block letsencrypt_webserver_header %}{% endblock %} + +{% import "macros.j2" as macros with context %} + +{% if base_package_type == 'rpm' %} + {% set letsencrypt_webserver_packages = [ + 'httpd', + 'mod_ssl' + ] %} +{% elif base_package_type == 'deb' %} + {% set letsencrypt_webserver_packages = [ + 'apache2' + ] %} +{% endif %} +{{ macros.install_packages(letsencrypt_webserver_packages | customizable("packages")) }} + +{% if base_package_type == 'rpm' %} +RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \ + && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf +{% elif base_package_type == 'deb' %} +RUN echo > /etc/apache2/ports.conf +{% endif %} + +COPY extend_start.sh /usr/local/bin/kolla_letsencrypt_extend_start + +{% block letsencrypt_webserver_footer %}{% endblock %} +{% block footer %}{% endblock %} diff --git a/docker/letsencrypt/letsencrypt-webserver/extend_start.sh b/docker/letsencrypt/letsencrypt-webserver/extend_start.sh new file mode 100644 index 0000000000..c55f0b1995 --- /dev/null +++ b/docker/letsencrypt/letsencrypt-webserver/extend_start.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +. /usr/local/bin/kolla_httpd_setup diff --git a/releasenotes/notes/add-api-layer-to-letsencrypt-images-9db42c763b7d13ad.yaml b/releasenotes/notes/add-api-layer-to-letsencrypt-images-9db42c763b7d13ad.yaml new file mode 100644 index 0000000000..00a2ef748c --- /dev/null +++ b/releasenotes/notes/add-api-layer-to-letsencrypt-images-9db42c763b7d13ad.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Adds an API layer to letsencrypt image which are represented by set of + scripts. Those scripts are called from kolla-ansible orchestration.