haproxy: use the master CLI for hot update
DEPLOY_HAPROXY_MASTER_CLI allows using the HAProxy master CLI instead of a stats socket for DEPLOY_HAPROXY_HOT_UPDATE="yes". The syntax of the master CLI is slightly different: a prefix with the process number needs to be added before any command. This patch uses ${_cmdpfx} in front of every socat command; it is filled in when the master CLI is used.
parent
98a7a01dbb
commit
36fc321096
@ -44,6 +44,11 @@
|
|||||||
#
|
#
|
||||||
# Require the socat binary. DEPLOY_HAPROXY_STATS_SOCKET variable uses the socat
|
# Require the socat binary. DEPLOY_HAPROXY_STATS_SOCKET variable uses the socat
|
||||||
# address format.
|
# address format.
|
||||||
|
#
|
||||||
|
# export DEPLOY_HAPROXY_MASTER_CLI="UNIX:/run/haproxy-master.sock"
|
||||||
|
#
|
||||||
|
# OPTIONAL: To use the master CLI with DEPLOY_HAPROXY_HOT_UPDATE="yes" instead
|
||||||
|
# of a stats socket, use this variable.
|
||||||
|
|
||||||
######## Public functions #####################
|
######## Public functions #####################
|
||||||
|
|
||||||
@ -54,6 +59,7 @@ haproxy_deploy() {
|
|||||||
_ccert="$3"
|
_ccert="$3"
|
||||||
_cca="$4"
|
_cca="$4"
|
||||||
_cfullchain="$5"
|
_cfullchain="$5"
|
||||||
|
_cmdpfx=""
|
||||||
|
|
||||||
# Some defaults
|
# Some defaults
|
||||||
DEPLOY_HAPROXY_PEM_PATH_DEFAULT="/etc/haproxy"
|
DEPLOY_HAPROXY_PEM_PATH_DEFAULT="/etc/haproxy"
|
||||||
@ -148,6 +154,16 @@ haproxy_deploy() {
|
|||||||
Le_Deploy_haproxy_stats_socket="${DEPLOY_HAPROXY_STATS_SOCKET_DEFAULT}"
|
Le_Deploy_haproxy_stats_socket="${DEPLOY_HAPROXY_STATS_SOCKET_DEFAULT}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# MASTER_CLI is optional. No defaults are used. When the master CLI is used,
|
||||||
|
# all commands are sent with a prefix.
|
||||||
|
_getdeployconf DEPLOY_HAPROXY_MASTER_CLI
|
||||||
|
_debug2 DEPLOY_HAPROXY_MASTER_CLI "${DEPLOY_HAPROXY_MASTER_CLI}"
|
||||||
|
if [ -n "${DEPLOY_HAPROXY_MASTER_CLI}" ]; then
|
||||||
|
Le_Deploy_haproxy_stats_socket="${DEPLOY_HAPROXY_MASTER_CLI}"
|
||||||
|
_savedomainconf Le_Deploy_haproxy_stats_socket "${Le_Deploy_haproxy_stats_socket}"
|
||||||
|
_cmdpfx="@1 " # command prefix used for master CLI only.
|
||||||
|
fi
|
||||||
|
|
||||||
# Set the suffix depending if we are creating a bundle or not
|
# Set the suffix depending if we are creating a bundle or not
|
||||||
if [ "${Le_Deploy_haproxy_bundle}" = "yes" ]; then
|
if [ "${Le_Deploy_haproxy_bundle}" = "yes" ]; then
|
||||||
_info "Bundle creation requested"
|
_info "Bundle creation requested"
|
||||||
@ -297,18 +313,25 @@ haproxy_deploy() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "${Le_Deploy_haproxy_hot_update}" = "yes" ]; then
|
if [ "${Le_Deploy_haproxy_hot_update}" = "yes" ]; then
|
||||||
# Update certificate over HAProxy stats socket.
|
# set the socket name for messages
|
||||||
|
if [ -n "${_cmdpfx}" ]; then
|
||||||
|
_socketname="master CLI"
|
||||||
|
else
|
||||||
|
_socketname="stats socket"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Update certificate over HAProxy stats socket or master CLI.
|
||||||
if _exists socat; then
|
if _exists socat; then
|
||||||
# look for the certificate on the stats socket, to chose between updating or creating one
|
# look for the certificate on the stats socket, to chose between updating or creating one
|
||||||
_socat_cert_cmd="echo 'show ssl cert' | socat '${_statssock}' - | grep -q '^${_pem}$'"
|
_socat_cert_cmd="echo '${_cmdpfx}show ssl cert' | socat '${_statssock}' - | grep -q '^${_pem}$'"
|
||||||
_debug _socat_cert_cmd "${_socat_cert_cmd}"
|
_debug _socat_cert_cmd "${_socat_cert_cmd}"
|
||||||
eval "${_socat_cert_cmd}"
|
eval "${_socat_cert_cmd}"
|
||||||
_ret=$?
|
_ret=$?
|
||||||
if [ "${_ret}" != "0" ]; then
|
if [ "${_ret}" != "0" ]; then
|
||||||
_newcert="1"
|
_newcert="1"
|
||||||
_info "Creating new certificate '${_pem}' over HAProxy stats socket."
|
_info "Creating new certificate '${_pem}' over HAProxy ${_socketname}."
|
||||||
# certificate wasn't found, it's a new one. We should check if the crt-list exists and creates/inserts the certificate.
|
# certificate wasn't found, it's a new one. We should check if the crt-list exists and creates/inserts the certificate.
|
||||||
_socat_crtlist_show_cmd="echo 'show ssl crt-list' | socat '${_statssock}' - | grep -q '^${Le_Deploy_haproxy_pem_path}$'"
|
_socat_crtlist_show_cmd="echo '${_cmdpfx}show ssl crt-list' | socat '${_statssock}' - | grep -q '^${Le_Deploy_haproxy_pem_path}$'"
|
||||||
_debug _socat_crtlist_show_cmd "${_socat_crtlist_show_cmd}"
|
_debug _socat_crtlist_show_cmd "${_socat_crtlist_show_cmd}"
|
||||||
eval "${_socat_crtlist_show_cmd}"
|
eval "${_socat_crtlist_show_cmd}"
|
||||||
_ret=$?
|
_ret=$?
|
||||||
@ -317,7 +340,7 @@ haproxy_deploy() {
|
|||||||
return "${_ret}"
|
return "${_ret}"
|
||||||
fi
|
fi
|
||||||
# create a new certificate
|
# create a new certificate
|
||||||
_socat_new_cmd="echo 'new ssl cert ${_pem}' | socat '${_statssock}' - | grep -q 'New empty'"
|
_socat_new_cmd="echo '${_cmdpfx}new ssl cert ${_pem}' | socat '${_statssock}' - | grep -q 'New empty'"
|
||||||
_debug _socat_new_cmd "${_socat_new_cmd}"
|
_debug _socat_new_cmd "${_socat_new_cmd}"
|
||||||
eval "${_socat_new_cmd}"
|
eval "${_socat_new_cmd}"
|
||||||
_ret=$?
|
_ret=$?
|
||||||
@ -326,9 +349,9 @@ haproxy_deploy() {
|
|||||||
return "${_ret}"
|
return "${_ret}"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
_info "Update existing certificate '${_pem}' over HAProxy stats socket."
|
_info "Update existing certificate '${_pem}' over HAProxy ${_socketname}."
|
||||||
fi
|
fi
|
||||||
_socat_cert_set_cmd="echo -e 'set ssl cert ${_pem} <<\n$(cat "${_pem}")\n' | socat '${_statssock}' - | grep -q 'Transaction created'"
|
_socat_cert_set_cmd="echo -e '${_cmdpfx}set ssl cert ${_pem} <<\n$(cat "${_pem}")\n' | socat '${_statssock}' - | grep -q 'Transaction created'"
|
||||||
_debug _socat_cert_set_cmd "${_socat_cert_set_cmd}"
|
_debug _socat_cert_set_cmd "${_socat_cert_set_cmd}"
|
||||||
eval "${_socat_cert_set_cmd}"
|
eval "${_socat_cert_set_cmd}"
|
||||||
_ret=$?
|
_ret=$?
|
||||||
@ -336,7 +359,7 @@ haproxy_deploy() {
|
|||||||
_err "Can't update '${_pem}' in haproxy"
|
_err "Can't update '${_pem}' in haproxy"
|
||||||
return "${_ret}"
|
return "${_ret}"
|
||||||
fi
|
fi
|
||||||
_socat_cert_commit_cmd="echo 'commit ssl cert ${_pem}' | socat '${_statssock}' - | grep -q '^Success!$'"
|
_socat_cert_commit_cmd="echo '${_cmdpfx}commit ssl cert ${_pem}' | socat '${_statssock}' - | grep -q '^Success!$'"
|
||||||
_debug _socat_cert_commit_cmd "${_socat_cert_commit_cmd}"
|
_debug _socat_cert_commit_cmd "${_socat_cert_commit_cmd}"
|
||||||
eval "${_socat_cert_commit_cmd}"
|
eval "${_socat_cert_commit_cmd}"
|
||||||
_ret=$?
|
_ret=$?
|
||||||
@ -346,7 +369,7 @@ haproxy_deploy() {
|
|||||||
fi
|
fi
|
||||||
if [ "${_newcert}" = "1" ]; then
|
if [ "${_newcert}" = "1" ]; then
|
||||||
# if this is a new certificate, it needs to be inserted into the crt-list`
|
# if this is a new certificate, it needs to be inserted into the crt-list`
|
||||||
_socat_cert_add_cmd="echo 'add ssl crt-list ${Le_Deploy_haproxy_pem_path} ${_pem}' | socat '${_statssock}' - | grep -q 'Success!'"
|
_socat_cert_add_cmd="echo '${_cmdpfx}add ssl crt-list ${Le_Deploy_haproxy_pem_path} ${_pem}' | socat '${_statssock}' - | grep -q 'Success!'"
|
||||||
_debug _socat_cert_add_cmd "${_socat_cert_add_cmd}"
|
_debug _socat_cert_add_cmd "${_socat_cert_add_cmd}"
|
||||||
eval "${_socat_cert_add_cmd}"
|
eval "${_socat_cert_add_cmd}"
|
||||||
_ret=$?
|
_ret=$?
|
||||||
@ -356,7 +379,7 @@ haproxy_deploy() {
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
_err "'socat' is not available, couldn't update over stats socket"
|
_err "'socat' is not available, couldn't update over ${_socketname}"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
# Reload HAProxy
|
# Reload HAProxy
|
||||||
|
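Review bot: In the second hunk (`@ -148,6 +154,16 @@`), the master CLI address is persisted under `Le_Deploy_haproxy_stats_socket` via `_savedomainconf`, but the fact that it is a master CLI endpoint is not persisted anywhere: `_cmdpfx` is derived only from `DEPLOY_HAPROXY_MASTER_CLI` being non-empty in the current run. On a later renewal where that variable is not in the environment, `_getdeployconf` would presumably yield nothing (unless it is saved elsewhere, which this page does not show), so the saved socket path now points at the master CLI while every command goes out without the `@1 ` prefix, and the `grep -q` checks fail with a misleading "Can't update" error rather than a hint about the prefix. Persisting the setting itself (e.g. with the deploy-conf save helper that pairs with `_getdeployconf`, or a dedicated `Le_Deploy_haproxy_master_cli` domain-conf value from which `_cmdpfx` is rebuilt) would keep renewals consistent. Separately, `_cmdpfx="@1 "` hard-codes the process number, so on a setup with more than one worker only the first one is addressed; a comment such as `# @1 addresses the first current worker only; multi-process setups are not handled` would make that limit explicit. `haproxy_deploy()` starts before the first hunk and continues past the last one.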