New configuration for commands/handlers to run after updates

* The new configuration includes specific commands per file, as well
    as handlers that can be triggered by updates but will only ever run
    once.
  * For now, commands from the pre_commands section are executed, the
    rest is ignored
This commit is contained in:
Emmanuel BENOîT 2021-12-04 10:40:15 +01:00
parent 7eb865e306
commit 3e088d4af7
3 changed files with 45 additions and 18 deletions

View file

@ -206,12 +206,12 @@ func (b *tCertificateBuilder) RunCommandsIfChanged() error {
log.Debug("Not running commands")
return nil
}
for i := range b.config.AfterUpdate {
for i := range b.config.AfterUpdate.PreCommands {
err := b.RunCommand(i)
if err != nil {
return fmt.Errorf(
"Failed while executing command '%s': %w",
b.config.AfterUpdate[i],
b.config.AfterUpdate.PreCommands[i],
err,
)
}
@ -224,9 +224,9 @@ func (b *tCertificateBuilder) RunCommand(pos int) error {
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
log := b.logger.WithField("command", b.config.AfterUpdate[pos])
log := b.logger.WithField("command", b.config.AfterUpdate.PreCommands[pos])
log.Debug("Executing command")
cmd := exec.CommandContext(ctx, "sh", "-c", b.config.AfterUpdate[pos])
cmd := exec.CommandContext(ctx, "sh", "-c", b.config.AfterUpdate.PreCommands[pos])
output, err := cmd.CombinedOutput()
if len(output) != 0 {
if utf8.Valid(output) {

View file

@ -59,19 +59,29 @@ type (
Servers []tLdapServerConfig `yaml:"servers"`
}
// Handlers. Each handler has a name and contains a list of commands.
tHandlers map[string][]string
// Certificate file updates configuration.
tCertFileUpdateConfig struct {
PreCommands []string `yaml:"pre_commands"`
Handlers tHandlers `yaml:"handlers"`
PostCommands []string `yaml:"post_commands"`
}
// Certificate file configuration.
tCertificateFileConfig struct {
Path string `yaml:"path"`
Mode os.FileMode `yaml:"mode"`
Owner string `yaml:"owner"`
Group string `yaml:"group"`
PrependFiles []string `yaml:"prepend_files"`
Certificate string `yaml:"certificate"`
CACertificates []string `yaml:"ca"`
CAChainOf string `yaml:"ca_chain_of"`
Reverse bool `yaml:"reverse"`
AppendFiles []string `yaml:"append_files"`
AfterUpdate []string `yaml:"after_update"`
Path string `yaml:"path"`
Mode os.FileMode `yaml:"mode"`
Owner string `yaml:"owner"`
Group string `yaml:"group"`
PrependFiles []string `yaml:"prepend_files"`
Certificate string `yaml:"certificate"`
CACertificates []string `yaml:"ca"`
CAChainOf string `yaml:"ca_chain_of"`
Reverse bool `yaml:"reverse"`
AppendFiles []string `yaml:"append_files"`
AfterUpdate tCertFileUpdateConfig `yaml:"after_update"`
}
// Main configuration.

View file

@ -53,6 +53,15 @@ ldap:
- host: ldap1.example.org
- host: ldap2.example.org
# Handlers. Certificate updates can specify that a handler must be executed
# if the PEM file is replaced. A handler will only be executed once for all
# triggered updates. Each handler is a list of commands. When a handler runs,
# the first command that fails will stop the execution.
handlers:
apache:
- /usr/sbin/apache2ctl configtest
- /usr/sbin/apache2ctl graceful
# Certificates that must be updated
certificates:
@ -89,7 +98,15 @@ certificates:
# A list of files to append to the output.
append_files:
- /some/other/file.pem
# A list of commands that will be executed when the file is replaced.
# If one of the commands fails, execution will stop.
# Define what must be done after an update.
after_update:
- apache2ctl graceful
# Commands to execute before handlers are run. The order of the commands
# is respected. If a command fails to run, execution stops.
pre_commands: []
# Handlers to trigger. Handlers will still be executed if a pre-command
# had failed but they were triggered by more than one update. Execution
# order is arbitrary.
handlers:
- apache
# Commands to execute after handlers are run.
post_commands: []