#!/usr/bin/env bash
set -Eeuo pipefail

# Everything is derived from where this script lives:
#   <agent dir>/<script dir>/<this script>   with <agent dir> = .../.vault-agent-<app>
SCRIPT_DIR="$(cd -- "$(dirname -- "$0")" && pwd)"
AGENT_DIR="$(dirname -- "${SCRIPT_DIR}")"

# App name: an explicit APP_NAME from the environment wins; otherwise take the
# suffix after ".vault-agent-" in the agent directory name (the whole name if
# that prefix is absent).
: "${APP_NAME:=${AGENT_DIR##*.vault-agent-}}"

# Rendered issue payload (JSON) and the directory the PEM files are installed to.
JSON="${AGENT_DIR}/.issue.json"
: "${OUTDIR:=${HOME}/tls}"

# Podman label used to pick the containers that get an nginx reload.
LABEL="${RELOAD_TLS_LABEL:-tls=true}"
# log MESSAGE... — print one tagged line on stdout, prefixed with the app name.
log() {
  printf '[post][%s] %s\n' "${APP_NAME}" "$*"
}
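# Main flow: validate the issue payload, stage key + chain, atomically swap them
# into OUTDIR, then ask every labelled nginx container to reload.

# 077 so the private key (and OUTDIR itself, if we create it here) is never
# readable by other users, even before the explicit chmod below.
umask 077
mkdir -p -- "${OUTDIR}"

# sanity checks
# APP_NAME is interpolated into paths under OUTDIR; refuse values that could
# escape that directory (empty, contains a slash, or is "." / "..").
case "${APP_NAME}" in
  ''|*/*|.|..) log "invalid APP_NAME: '${APP_NAME}'"; exit 1 ;;
esac
[[ -s "${JSON}" ]] || { log "issue file missing: ${JSON}"; exit 1; }
command -v jq >/dev/null 2>&1 || { log "jq not found"; exit 1; }
# Never install placeholder files: `jq -r` turns a null field into the literal
# string "null", so require both fields to be strings (-e exits non-zero when
# the expression yields false/null).
jq -e '(.private_key|type=="string") and (.certificate|type=="string")' "${JSON}" >/dev/null \
  || { log "issue file lacks private_key/certificate: ${JSON}"; exit 1; }

# Staging directory inside OUTDIR so the final rename is a same-filesystem
# atomic swap; the EXIT trap removes it (and any half-written key) on every
# exit path, not just the happy one.
tmp="$(mktemp -d "${OUTDIR}/.staging.XXXXXXXX")"
cleanup() { rm -rf -- "${tmp:?}"; }
trap cleanup EXIT

key_file="${OUTDIR}/${APP_NAME}.key"
chain_file="${OUTDIR}/${APP_NAME}.fullchain.pem"

# write files from JSON (handles array/string/null ca_chain)
jq -r .private_key "${JSON}" > "${tmp}/${APP_NAME}.key"
# Chain = leaf cert followed by ca_chain (array joined, or string as-is);
# fall back to issuing_ca, and emit nothing rather than "null" when that is
# absent too.
jq -r '
.certificate,
(if (.ca_chain|type=="array") then (.ca_chain|join("\n"))
 else if (.ca_chain|type=="string") then .ca_chain
 else (.issuing_ca // empty) end end)
' "${JSON}" > "${tmp}/${APP_NAME}.fullchain.pem"

# Private key stays 0600; the chain is public. Fix modes on the staged copies
# and rename them into place so readers never observe a truncated file.
chmod 600 -- "${tmp}/${APP_NAME}.key"
chmod 644 -- "${tmp}/${APP_NAME}.fullchain.pem"
mv -f -- "${tmp}/${APP_NAME}.key" "${key_file}"
mv -f -- "${tmp}/${APP_NAME}.fullchain.pem" "${chain_file}"

# ownership (no-op if not needed)
chown --quiet --no-dereference -- "$(id -u):$(id -g)" "${key_file}" "${chain_file}" || true

log "wrote ${key_file} and ${APP_NAME}.fullchain.pem"

# log subject / expiry (nice for debugging); read the installed chain file so
# what we report is exactly what nginx will load. openssl is optional here.
if command -v openssl >/dev/null 2>&1; then
  SUBJ="$(openssl x509 -noout -subject -in "${chain_file}" 2>/dev/null || true)"
  if [[ -n "${SUBJ}" ]]; then
    log "cert subject: ${SUBJ#subject=}"
  fi
  NOTAFTER="$(openssl x509 -noout -enddate -in "${chain_file}" 2>/dev/null || true)"
  if [[ -n "${NOTAFTER}" ]]; then
    log "cert expires: ${NOTAFTER#notAfter=}"
  fi
fi

# Podman reload via exec (simple & reliable)
if ! command -v podman >/dev/null 2>&1; then
  log "podman not found → skip container reload"
  exit 0
fi

log "label filter: ${LABEL}"
mapfile -t CIDS < <(podman ps --filter "label=${LABEL}" --format '{{.ID}}' | sed '/^$/d') || true
if (( ${#CIDS[@]} == 0 )); then
  log "no containers with label ${LABEL} → skip reload"
  exit 0
fi

log "found ${#CIDS[@]} container(s): ${CIDS[*]}"
for cid in "${CIDS[@]}"; do
  # `nginx -t` first so a bad cert/key pair never takes a running nginx down;
  # keep the command's output for the failure message instead of discarding it.
  if out="$(podman exec "${cid}" sh -lc 'nginx -t && nginx -s reload' 2>&1)"; then
    log "reload OK in ${cid}"
  else
    log "reload FAILED in ${cid}: ${out//$'\n'/; }"
  fi
done

# Kept from the original contract: reload failures are logged, not propagated
# to the caller as a non-zero exit.
exit 0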