New configuration for commands/handlers to run after updates

* The new configuration includes specific commands per file, as well
    as handlers that can be triggered by updates but will only ever run
    once.
  * For now, only the commands from the pre_commands section are executed;
    the handlers and post_commands sections are parsed but ignored
This commit is contained in:
Emmanuel BENOîT 2021-12-04 10:40:15 +01:00
parent 7eb865e306
commit 3e088d4af7
3 changed files with 45 additions and 18 deletions


@ -206,12 +206,12 @@ func (b *tCertificateBuilder) RunCommandsIfChanged() error {
log.Debug("Not running commands") log.Debug("Not running commands")
return nil return nil
} }
for i := range b.config.AfterUpdate { for i := range b.config.AfterUpdate.PreCommands {
err := b.RunCommand(i) err := b.RunCommand(i)
if err != nil { if err != nil {
return fmt.Errorf( return fmt.Errorf(
"Failed while executing command '%s': %w", "Failed while executing command '%s': %w",
b.config.AfterUpdate[i], b.config.AfterUpdate.PreCommands[i],
err, err,
) )
} }
@ -224,9 +224,9 @@ func (b *tCertificateBuilder) RunCommand(pos int) error {
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel() defer cancel()
log := b.logger.WithField("command", b.config.AfterUpdate[pos]) log := b.logger.WithField("command", b.config.AfterUpdate.PreCommands[pos])
log.Debug("Executing command") log.Debug("Executing command")
cmd := exec.CommandContext(ctx, "sh", "-c", b.config.AfterUpdate[pos]) cmd := exec.CommandContext(ctx, "sh", "-c", b.config.AfterUpdate.PreCommands[pos])
output, err := cmd.CombinedOutput() output, err := cmd.CombinedOutput()
if len(output) != 0 { if len(output) != 0 {
if utf8.Valid(output) { if utf8.Valid(output) {
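Review bot: Handler and post-command configuration is accepted but silently dropped in RunCommandsIfChanged: the loop in the first hunk walks only `b.config.AfterUpdate.PreCommands`, so a certificate entry that follows the new example and lists a handler gets its PEM file replaced with no reload, and the service keeps serving the old certificate without any hint in the logs. Until handlers and post_commands are implemented, the function should at least say so after the loop, e.g. `if len(b.config.AfterUpdate.Handlers) != 0 || len(b.config.AfterUpdate.PostCommands) != 0 { log.Warn("handlers and post_commands are not implemented yet; ignored") }`, using the `log` already in scope at the top of the hunk. RunCommandsIfChanged begins before this hunk, so the early-return path is only partly visible here.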


@ -59,19 +59,29 @@ type (
Servers []tLdapServerConfig `yaml:"servers"` Servers []tLdapServerConfig `yaml:"servers"`
} }
// Handlers. Each handler has a name and contains a list of commands.
tHandlers map[string][]string
// Certificate file updates configuration.
tCertFileUpdateConfig struct {
PreCommands []string `yaml:"pre_commands"`
Handlers tHandlers `yaml:"handlers"`
PostCommands []string `yaml:"post_commands"`
}
// Certificate file configuration. // Certificate file configuration.
tCertificateFileConfig struct { tCertificateFileConfig struct {
Path string `yaml:"path"` Path string `yaml:"path"`
Mode os.FileMode `yaml:"mode"` Mode os.FileMode `yaml:"mode"`
Owner string `yaml:"owner"` Owner string `yaml:"owner"`
Group string `yaml:"group"` Group string `yaml:"group"`
PrependFiles []string `yaml:"prepend_files"` PrependFiles []string `yaml:"prepend_files"`
Certificate string `yaml:"certificate"` Certificate string `yaml:"certificate"`
CACertificates []string `yaml:"ca"` CACertificates []string `yaml:"ca"`
CAChainOf string `yaml:"ca_chain_of"` CAChainOf string `yaml:"ca_chain_of"`
Reverse bool `yaml:"reverse"` Reverse bool `yaml:"reverse"`
AppendFiles []string `yaml:"append_files"` AppendFiles []string `yaml:"append_files"`
AfterUpdate []string `yaml:"after_update"` AfterUpdate tCertFileUpdateConfig `yaml:"after_update"`
} }
// Main configuration. // Main configuration.
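Review bot: The per-certificate `Handlers` field of tCertFileUpdateConfig is typed tHandlers, i.e. map[string][]string, while the example configuration in this same commit lists the handlers of a certificate as a sequence of names (`handlers:` / `- apache`); a YAML sequence cannot be decoded into a map, so that example would be rejected with an unmarshal type error if it is loaded through this struct. The name-to-command-list map is what the top-level `handlers:` section holds, so the field here should be `Handlers []string `yaml:"handlers"`` (handler names to trigger), with tHandlers attached to the main configuration type, whose definition starts right after this hunk and is not visible here. A short comment on the field stating that the names must match keys of the top-level handlers map would save the next reader the same confusion.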


@ -53,6 +53,15 @@ ldap:
- host: ldap1.example.org - host: ldap1.example.org
- host: ldap2.example.org - host: ldap2.example.org
# Handlers. Certificate updates can specify that a handler must be executed
# if the PEM file is replaced. A handler will only be executed once for all
# triggered updates. Each handler is a list of commands. When a handler runs,
# the first command that fails will stop the execution.
handlers:
apache:
- /usr/sbin/apache2ctl configtest
- /usr/sbin/apache2ctl graceful
# Certificates that must be updated # Certificates that must be updated
certificates: certificates:
@ -89,7 +98,15 @@ certificates:
# A list of files to append to the output. # A list of files to append to the output.
append_files: append_files:
- /some/other/file.pem - /some/other/file.pem
# A list of commands that will be executed when the file is replaced. # Define what must be done after an update.
# If one of the commands fails, execution will stop.
after_update: after_update:
- apache2ctl graceful # Commands to execute before handlers are run. The order of the commands
# is respected. If a command fails to run, execution stops.
pre_commands: []
# Handlers to trigger. Handlers will still be executed if a pre-command
# had failed but they were triggered by more than one update. Execution
# order is arbitrary.
handlers:
- apache
# Commands to execute after handlers are run.
post_commands: []
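Review bot: The example presents `handlers:` and `post_commands:` under `after_update` as working features, while the commit message says only pre_commands are executed for now; an operator who migrates the old `after_update: - apache2ctl graceful` to `handlers: - apache` as this example suggests gets the PEM file replaced and no reload, so the server keeps serving the old certificate until something else restarts it. Until the handler code lands, add a line such as `# NOTE: handlers and post_commands are parsed but not executed yet; put the reload in pre_commands for now.` under the `# Define what must be done after an update.` comment. The sentence `Handlers will still be executed if a pre-command had failed but they were triggered by more than one update` also documents planned behaviour that the code in this commit does not implement, and should be marked as such.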