263 lines
8.5 KiB
Bash
263 lines
8.5 KiB
Bash
#!/usr/bin/env sh
|
|
|
|
# OpenStack Barbican deploy hook
|
|
#
|
|
# This requires you to have OpenStackClient and python-barbicanclient
|
|
# installed.
|
|
#
|
|
# You will require Keystone V3 credentials loaded into your environment, which
|
|
# could be either password or v3applicationcredential type.
|
|
#
|
|
# Author: Andy Botting <andy@andybotting.com>
|
|
|
|
openstack_deploy() {
|
|
_cdomain="$1"
|
|
_ckey="$2"
|
|
_ccert="$3"
|
|
_cca="$4"
|
|
_cfullchain="$5"
|
|
|
|
_debug _cdomain "$_cdomain"
|
|
_debug _ckey "$_ckey"
|
|
_debug _ccert "$_ccert"
|
|
_debug _cca "$_cca"
|
|
_debug _cfullchain "$_cfullchain"
|
|
|
|
if ! _exists openstack; then
|
|
_err "OpenStack client not found"
|
|
return 1
|
|
fi
|
|
|
|
_openstack_credentials || return $?
|
|
|
|
_info "Generate import pkcs12"
|
|
_import_pkcs12="$(_mktemp)"
|
|
if ! _openstack_to_pkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca"; then
|
|
_err "Error creating pkcs12 certificate"
|
|
return 1
|
|
fi
|
|
_debug _import_pkcs12 "$_import_pkcs12"
|
|
_base64_pkcs12=$(_base64 "multiline" <"$_import_pkcs12")
|
|
|
|
secretHrefs=$(_openstack_get_secrets)
|
|
_debug secretHrefs "$secretHrefs"
|
|
_openstack_store_secret || return $?
|
|
|
|
if [ -n "$secretHrefs" ]; then
|
|
_info "Cleaning up existing secret"
|
|
_openstack_delete_secrets || return $?
|
|
fi
|
|
|
|
_info "Certificate successfully deployed"
|
|
return 0
|
|
}
|
|
|
|
_openstack_store_secret() {
|
|
if ! openstack secret store --name "$_cdomain." -t 'application/octet-stream' -e base64 --payload "$_base64_pkcs12"; then
|
|
_err "Failed to create OpenStack secret"
|
|
return 1
|
|
fi
|
|
return
|
|
}
|
|
|
|
_openstack_delete_secrets() {
|
|
echo "$secretHrefs" | while read -r secretHref; do
|
|
_info "Deleting old secret $secretHref"
|
|
if ! openstack secret delete "$secretHref"; then
|
|
_err "Failed to delete OpenStack secret"
|
|
return 1
|
|
fi
|
|
done
|
|
return
|
|
}
|
|
|
|
_openstack_get_secrets() {
|
|
if ! secretHrefs=$(openstack secret list -f value --name "$_cdomain." | cut -d' ' -f1); then
|
|
_err "Failed to list secrets"
|
|
return 1
|
|
fi
|
|
echo "$secretHrefs"
|
|
}
|
|
|
|
_openstack_to_pkcs() {
|
|
# The existing _toPkcs command can't allow an empty password, due to sh
|
|
# -z test, so copied here and forcing the empty password.
|
|
_cpfx="$1"
|
|
_ckey="$2"
|
|
_ccert="$3"
|
|
_cca="$4"
|
|
|
|
${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$_cpfx" -inkey "$_ckey" -in "$_ccert" -certfile "$_cca" -password "pass:"
|
|
}
|
|
|
|
_openstack_credentials() {
|
|
_debug "Check OpenStack credentials"
|
|
|
|
# If we have OS_AUTH_URL already set in the environment, then assume we want
|
|
# to use those, otherwise use stored credentials
|
|
if [ -n "$OS_AUTH_URL" ]; then
|
|
_debug "OS_AUTH_URL env var found, using environment"
|
|
else
|
|
_debug "OS_AUTH_URL not found, loading stored credentials"
|
|
OS_AUTH_URL="${OS_AUTH_URL:-$(_readaccountconf_mutable OS_AUTH_URL)}"
|
|
OS_IDENTITY_API_VERSION="${OS_IDENTITY_API_VERSION:-$(_readaccountconf_mutable OS_IDENTITY_API_VERSION)}"
|
|
OS_AUTH_TYPE="${OS_AUTH_TYPE:-$(_readaccountconf_mutable OS_AUTH_TYPE)}"
|
|
OS_APPLICATION_CREDENTIAL_ID="${OS_APPLICATION_CREDENTIAL_ID:-$(_readaccountconf_mutable OS_APPLICATION_CREDENTIAL_ID)}"
|
|
OS_APPLICATION_CREDENTIAL_SECRET="${OS_APPLICATION_CREDENTIAL_SECRET:-$(_readaccountconf_mutable OS_APPLICATION_CREDENTIAL_SECRET)}"
|
|
OS_USERNAME="${OS_USERNAME:-$(_readaccountconf_mutable OS_USERNAME)}"
|
|
OS_PASSWORD="${OS_PASSWORD:-$(_readaccountconf_mutable OS_PASSWORD)}"
|
|
OS_PROJECT_NAME="${OS_PROJECT_NAME:-$(_readaccountconf_mutable OS_PROJECT_NAME)}"
|
|
OS_PROJECT_ID="${OS_PROJECT_ID:-$(_readaccountconf_mutable OS_PROJECT_ID)}"
|
|
OS_USER_DOMAIN_NAME="${OS_USER_DOMAIN_NAME:-$(_readaccountconf_mutable OS_USER_DOMAIN_NAME)}"
|
|
OS_USER_DOMAIN_ID="${OS_USER_DOMAIN_ID:-$(_readaccountconf_mutable OS_USER_DOMAIN_ID)}"
|
|
OS_PROJECT_DOMAIN_NAME="${OS_PROJECT_DOMAIN_NAME:-$(_readaccountconf_mutable OS_PROJECT_DOMAIN_NAME)}"
|
|
OS_PROJECT_DOMAIN_ID="${OS_PROJECT_DOMAIN_ID:-$(_readaccountconf_mutable OS_PROJECT_DOMAIN_ID)}"
|
|
fi
|
|
|
|
# Check each var and either save or clear it depending on whether its set.
|
|
# The helps us clear out old vars in the case where a user may want
|
|
# to switch between password and app creds
|
|
_debug "OS_AUTH_URL" "$OS_AUTH_URL"
|
|
if [ -n "$OS_AUTH_URL" ]; then
|
|
export OS_AUTH_URL
|
|
_saveaccountconf_mutable OS_AUTH_URL "$OS_AUTH_URL"
|
|
else
|
|
unset OS_AUTH_URL
|
|
_clearaccountconf SAVED_OS_AUTH_URL
|
|
fi
|
|
|
|
_debug "OS_IDENTITY_API_VERSION" "$OS_IDENTITY_API_VERSION"
|
|
if [ -n "$OS_IDENTITY_API_VERSION" ]; then
|
|
export OS_IDENTITY_API_VERSION
|
|
_saveaccountconf_mutable OS_IDENTITY_API_VERSION "$OS_IDENTITY_API_VERSION"
|
|
else
|
|
unset OS_IDENTITY_API_VERSION
|
|
_clearaccountconf SAVED_OS_IDENTITY_API_VERSION
|
|
fi
|
|
|
|
_debug "OS_AUTH_TYPE" "$OS_AUTH_TYPE"
|
|
if [ -n "$OS_AUTH_TYPE" ]; then
|
|
export OS_AUTH_TYPE
|
|
_saveaccountconf_mutable OS_AUTH_TYPE "$OS_AUTH_TYPE"
|
|
else
|
|
unset OS_AUTH_TYPE
|
|
_clearaccountconf SAVED_OS_AUTH_TYPE
|
|
fi
|
|
|
|
_debug "OS_APPLICATION_CREDENTIAL_ID" "$OS_APPLICATION_CREDENTIAL_ID"
|
|
if [ -n "$OS_APPLICATION_CREDENTIAL_ID" ]; then
|
|
export OS_APPLICATION_CREDENTIAL_ID
|
|
_saveaccountconf_mutable OS_APPLICATION_CREDENTIAL_ID "$OS_APPLICATION_CREDENTIAL_ID"
|
|
else
|
|
unset OS_APPLICATION_CREDENTIAL_ID
|
|
_clearaccountconf SAVED_OS_APPLICATION_CREDENTIAL_ID
|
|
fi
|
|
|
|
_secure_debug "OS_APPLICATION_CREDENTIAL_SECRET" "$OS_APPLICATION_CREDENTIAL_SECRET"
|
|
if [ -n "$OS_APPLICATION_CREDENTIAL_SECRET" ]; then
|
|
export OS_APPLICATION_CREDENTIAL_SECRET
|
|
_saveaccountconf_mutable OS_APPLICATION_CREDENTIAL_SECRET "$OS_APPLICATION_CREDENTIAL_SECRET"
|
|
else
|
|
unset OS_APPLICATION_CREDENTIAL_SECRET
|
|
_clearaccountconf SAVED_OS_APPLICATION_CREDENTIAL_SECRET
|
|
fi
|
|
|
|
_debug "OS_USERNAME" "$OS_USERNAME"
|
|
if [ -n "$OS_USERNAME" ]; then
|
|
export OS_USERNAME
|
|
_saveaccountconf_mutable OS_USERNAME "$OS_USERNAME"
|
|
else
|
|
unset OS_USERNAME
|
|
_clearaccountconf SAVED_OS_USERNAME
|
|
fi
|
|
|
|
_secure_debug "OS_PASSWORD" "$OS_PASSWORD"
|
|
if [ -n "$OS_PASSWORD" ]; then
|
|
export OS_PASSWORD
|
|
_saveaccountconf_mutable OS_PASSWORD "$OS_PASSWORD"
|
|
else
|
|
unset OS_PASSWORD
|
|
_clearaccountconf SAVED_OS_PASSWORD
|
|
fi
|
|
|
|
_debug "OS_PROJECT_NAME" "$OS_PROJECT_NAME"
|
|
if [ -n "$OS_PROJECT_NAME" ]; then
|
|
export OS_PROJECT_NAME
|
|
_saveaccountconf_mutable OS_PROJECT_NAME "$OS_PROJECT_NAME"
|
|
else
|
|
unset OS_PROJECT_NAME
|
|
_clearaccountconf SAVED_OS_PROJECT_NAME
|
|
fi
|
|
|
|
_debug "OS_PROJECT_ID" "$OS_PROJECT_ID"
|
|
if [ -n "$OS_PROJECT_ID" ]; then
|
|
export OS_PROJECT_ID
|
|
_saveaccountconf_mutable OS_PROJECT_ID "$OS_PROJECT_ID"
|
|
else
|
|
unset OS_PROJECT_ID
|
|
_clearaccountconf SAVED_OS_PROJECT_ID
|
|
fi
|
|
|
|
_debug "OS_USER_DOMAIN_NAME" "$OS_USER_DOMAIN_NAME"
|
|
if [ -n "$OS_USER_DOMAIN_NAME" ]; then
|
|
export OS_USER_DOMAIN_NAME
|
|
_saveaccountconf_mutable OS_USER_DOMAIN_NAME "$OS_USER_DOMAIN_NAME"
|
|
else
|
|
unset OS_USER_DOMAIN_NAME
|
|
_clearaccountconf SAVED_OS_USER_DOMAIN_NAME
|
|
fi
|
|
|
|
_debug "OS_USER_DOMAIN_ID" "$OS_USER_DOMAIN_ID"
|
|
if [ -n "$OS_USER_DOMAIN_ID" ]; then
|
|
export OS_USER_DOMAIN_ID
|
|
_saveaccountconf_mutable OS_USER_DOMAIN_ID "$OS_USER_DOMAIN_ID"
|
|
else
|
|
unset OS_USER_DOMAIN_ID
|
|
_clearaccountconf SAVED_OS_USER_DOMAIN_ID
|
|
fi
|
|
|
|
_debug "OS_PROJECT_DOMAIN_NAME" "$OS_PROJECT_DOMAIN_NAME"
|
|
if [ -n "$OS_PROJECT_DOMAIN_NAME" ]; then
|
|
export OS_PROJECT_DOMAIN_NAME
|
|
_saveaccountconf_mutable OS_PROJECT_DOMAIN_NAME "$OS_PROJECT_DOMAIN_NAME"
|
|
else
|
|
unset OS_PROJECT_DOMAIN_NAME
|
|
_clearaccountconf SAVED_OS_PROJECT_DOMAIN_NAME
|
|
fi
|
|
|
|
_debug "OS_PROJECT_DOMAIN_ID" "$OS_PROJECT_DOMAIN_ID"
|
|
if [ -n "$OS_PROJECT_DOMAIN_ID" ]; then
|
|
export OS_PROJECT_DOMAIN_ID
|
|
_saveaccountconf_mutable OS_PROJECT_DOMAIN_ID "$OS_PROJECT_DOMAIN_ID"
|
|
else
|
|
unset OS_PROJECT_DOMAIN_ID
|
|
_clearaccountconf SAVED_OS_PROJECT_DOMAIN_ID
|
|
fi
|
|
|
|
if [ "$OS_AUTH_TYPE" = "v3applicationcredential" ]; then
|
|
# Application Credential auth
|
|
if [ -z "$OS_APPLICATION_CREDENTIAL_ID" ] || [ -z "$OS_APPLICATION_CREDENTIAL_SECRET" ]; then
|
|
_err "When using OpenStack application credentials, OS_APPLICATION_CREDENTIAL_ID"
|
|
_err "and OS_APPLICATION_CREDENTIAL_SECRET must be set."
|
|
_err "Please check your credentials and try again."
|
|
return 1
|
|
fi
|
|
else
|
|
# Password auth
|
|
if [ -z "$OS_USERNAME" ] || [ -z "$OS_PASSWORD" ]; then
|
|
_err "OpenStack username or password not found."
|
|
_err "Please check your credentials and try again."
|
|
return 1
|
|
fi
|
|
|
|
if [ -z "$OS_PROJECT_NAME" ] && [ -z "$OS_PROJECT_ID" ]; then
|
|
_err "When using password authentication, OS_PROJECT_NAME or"
|
|
_err "OS_PROJECT_ID must be set."
|
|
_err "Please check your credentials and try again."
|
|
return 1
|
|
fi
|
|
fi
|
|
|
|
return 0
|
|
}
|