-
Notifications
You must be signed in to change notification settings - Fork 0
/
run.sh
executable file
·184 lines (169 loc) · 5.53 KB
/
run.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
#!/bin/bash -
#title :run.sh
#description :This script automatically contact to letsencrypt and generate ssl for the domain and update the kubernetes tls secret.
#author :RafikFarhad<rafikfarhad@gmail.com>
#date :20200613
#version :1.0.0
#usage :./myscript.sh
#notes :Required env values are: DOMAINS,SECETS,NAMESPACE,EMAIL,CLUSTER_ADDRESS,DO_NOT_UPDATE_WINDOW
#bash_version :5.0.17(1)-release
# ##################################################
function log() {
echo "##################################################"
echo $1
echo "##################################################"
}
# ##################################################
log "Kubernetes-Nginx-LetsEncrypt Helper Tool"
echo ""
echo ""
DOMAIN_LIST=()
SECRET_LIST=()
COMPLETED=()
NOT_COMPLETED=()
function check_domain_list() {
if [[ -z $DOMAINS ]]; then
log "Domain list not found. Specify at least one domain."
exit 1
fi
split_csv $DOMAINS DOMAIN_LIST
}
function check_secret_list() {
if [[ -z $SECRETS ]]; then
log "Kubernetes secret list not found."
exit 1
fi
split_csv $SECRETS SECRET_LIST
}
function split_csv() {
IFS=','
csv_data=$1
local -n global_list_array=$2
for i in $csv_data; do
global_list_array+=($i)
done
unset IFS
}
function check_domain_secret_pair() {
if [[ ${#DOMAIN_LIST[@]} -ne ${#SECRET_LIST[@]} ]]; then
log "Domain and Secret count not matched."
log "Your provided ${#DOMAIN_LIST[@]} domain."
log "But you provided ${#SECRET_LIST[@]} secret to be updated."
exit 1
fi
}
function check_other_inputs() {
if [[ -z $EMAIL ]]; then
log "Email not provided."
exit 1
fi
if [[ -z $NAMESPACE ]]; then
log "Namespace not provided."
exit 1
fi
if [[ -z $CLUSTER_ADDRESS ]]; then
log "Cluster address not provided. Secret will not be pushed to kubernetes and will be printed on console."
fi
}
function get_day_to_expire() {
site=$1
local -n expired_in=$2
certificate_file=$(mktemp)
echo -n | openssl s_client -servername "$site" -connect "$site":443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >$certificate_file
date=$(openssl x509 -in $certificate_file -enddate -noout | sed "s/.*=\(.*\)/\1/")
date_s=$(date -d "${date}" +%s)
now_s=$(date -d now +%s)
expired_in=$(((date_s - now_s) / 86400))
}
function generate_ssl() {
domain=$1
secret=$2
log "Generating SSL for $domain:"
EXPIRED_IN=0
if [ ! -z $DO_NOT_UPDATE_WINDOW ]; then
get_day_to_expire ${domain} EXPIRED_IN
log "This domain will expire in ${EXPIRED_IN}"
if [ ! -z $EXPIRED_IN ] && [ $EXPIRED_IN -gt $DO_NOT_UPDATE_WINDOW ]; then
log "Skipping domain"
return
fi
fi
certbot certonly -n \
--no-self-upgrade \
--preferred-challenges=http \
--config-dir /root/.certbot/config \
--logs-dir /root/.certbot/logs \
--work-dir /root \
--webroot --webroot-path /root \
--agree-tos \
--server https://acme-v02.api.letsencrypt.org/directory \
--email ${EMAIL} \
-d ${domain}
CERT_PATH="/root/.certbot/config/live/${domain}"
if [ ! -d $CERT_PATH ]; then
log "SSL is not generated for ${domain}."
NOT_COMPLETED+=($domain)
return
fi
cat /root/secret_config_template.json |
sed "s/NAMESPACE/${NAMESPACE}/" |
sed "s/NAME/${secret}/" |
sed "s/TLSCERT/$(cat ${CERT_PATH}/fullchain.pem | base64 | tr -d '\n')/" |
sed "s/TLSKEY/$(cat ${CERT_PATH}/privkey.pem | base64 | tr -d '\n')/" \
>/root/secret_config.json
if [ ! -f /root/secret_config.json ]; then
log "Secret config not generated for ${domain}."
NOT_COMPLETED+=($domain)
return
fi
if [ ! -z $CLUSTER_ADDRESS ]; then
log "Updating secret to kubermetes cluster ..."
status=$(curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
-H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
-k -XPATCH -H "Accept: application/json, */*" \
-H "Content-Type: application/strategic-merge-patch+json" \
-d @/root/secret_config.json \
-o /dev/stderr \
-s -w "%{http_code}\n" \
https://${CLUSTER_ADDRESS}/api/v1/namespaces/${NAMESPACE}/secrets/${secret})
if [ $status -ne 200 ]; then
log "Secret not updated for ${domain}: Curl status: ${status}."
NOT_COMPLETED+=($domain)
return
fi
else
cat ./secret_config.json
fi
rm ./secret_config.json
COMPLETED+=($domain)
log "Secret updated."
}
function generate_ssl_for_all_domains() {
total_iteration=${#DOMAIN_LIST[@]}
python -m SimpleHTTPServer 80 &
sleep 3
PID=$!
for ((i = 0; i < total_iteration; i++)); do
generate_ssl ${DOMAIN_LIST[$i]} ${SECRET_LIST[$i]}
done
kill $PID
sleep 3
}
# Main
check_domain_list
check_secret_list
check_domain_secret_pair
check_other_inputs
generate_ssl_for_all_domains
echo "##################################################"
if [ ${#COMPLETED[@]} -ne 0 ]; then
echo "SSL generated for:"
printf "=> %s\n" "${COMPLETED[@]}"
fi
if [ ${#NOT_COMPLETED[@]} -ne 0 ]; then
echo "SSL not generated for:"
printf "x => %s\n" "${NOT_COMPLETED[@]}"
fi
echo "##################################################"
log "Task Ended."
exit 0