#!/usr/bin/env bash
# post: put material rendered by a Vault Agent into place and reload nginx.
#
# Expected to live under …/.vault-agent-<app>/<some dir>/ (presumably invoked
# by the agent after a render — confirm against the agent config); the app
# name is derived from that directory unless APP_NAME is set. Exactly one
# render is expected per run:
#   .issue.json  – leaf certificate + private key → $OUTDIR/<app>.{key,fullchain.pem}
#   .ca.json     – proxy CA chain                 → $CHAIN_FILE
# Afterwards every podman container carrying $RELOAD_TLS_LABEL gets
# `nginx -t && nginx -s reload`; a missing podman or no matching container
# is reported as a warning, not an error.
#
# Env (all optional): APP_NAME, VERSION, OUTDIR, CHAIN_FILE, RELOAD_TLS_LABEL.
# Requires jq; openssl is only used for an informational subject line.
#
# -e/-u/pipefail: fail fast on errors, unset variables and broken pipelines.
# -E: an ERR trap (none is installed here) would be inherited by functions.
set -Eeuo pipefail
# ========= Pretty logging =========
# Start with no attributes at all; only when stdout is a terminal are the ANSI
# sequences filled in, so non-terminal output stays free of escape codes.
BOLD=""; DIM=""; RESET=""; BLUE=""; GREEN=""; YELLOW=""; RED=""
if [[ -t 1 ]]; then
  BOLD=$'\e[1m'
  DIM=$'\e[2m'
  RESET=$'\e[0m'
  BLUE=$'\e[34m'
  GREEN=$'\e[32m'
  YELLOW=$'\e[33m'
  RED=$'\e[31m'
fi
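# info: informational line on stdout. printf '%s' instead of echo -e so that
# backslashes inside the message (paths, subjects) are printed literally.
# Arguments: the message words, joined with a space.
info(){ printf '🟦 %s%s[INFO]%s %s\n' "$BLUE" "$BOLD" "$RESET" "$*"; }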
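# ok: success line on stdout. printf '%s' instead of echo -e so that
# backslashes inside the message are printed literally.
# Arguments: the message words, joined with a space.
ok(){ printf '🟩 %s%s[ OK ]%s %s\n' "$GREEN" "$BOLD" "$RESET" "$*"; }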
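# warn: non-fatal warning on stdout. printf '%s' instead of echo -e so that
# backslashes inside the message are printed literally.
# Arguments: the message words, joined with a space.
warn(){ printf '🟨 %s%s[WARN]%s %s\n' "$YELLOW" "$BOLD" "$RESET" "$*"; }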
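# err: failure line on stderr (the caller decides whether to exit).
# printf '%s' instead of echo -e so that backslashes inside the message are
# printed literally.
# Arguments: the message words, joined with a space.
err(){ printf '🟥 %s%s[FAIL]%s %s\n' "$RED" "$BOLD" "$RESET" "$*" >&2; }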
# ========= Derive context =========
# The script's own directory, resolved to an absolute path; its parent is the
# agent directory (…/.vault-agent-<app>).
SCRIPT_DIR="$(cd -- "$(dirname -- "$0")" && pwd)"
AGENT_DIR="$(dirname -- "$SCRIPT_DIR")"

# App name: explicit APP_NAME wins, otherwise whatever follows the last
# ".vault-agent-" in AGENT_DIR.
# NOTE(review): when AGENT_DIR has no ".vault-agent-" marker the whole path
# ends up in APP_NAME — set APP_NAME explicitly in that case.
APP_NAME="${APP_NAME:-}"
if [[ -z "$APP_NAME" ]]; then
  APP_NAME="${AGENT_DIR##*.vault-agent-}"
fi

# Version tag shown in the banner; overridable through the environment.
VERSION="${VERSION:-post-2025-09-22.3}"
# Inputs (the agent renders exactly ONE of these per run)
JSON_LEAF="${AGENT_DIR}/.issue.json"   # app certificate (leaf)
JSON_CHAIN="${AGENT_DIR}/.ca.json"     # proxy CA chain

# Prefer the leaf render; fall back to the chain render when the leaf file is
# absent or empty. Whether the chosen file actually exists is checked later.
if [[ -s "$JSON_LEAF" ]]; then
  JSON="$JSON_LEAF"
else
  JSON="$JSON_CHAIN"
fi
# Outputs — each may be overridden through the environment; ':=' assigns the
# default only when the variable is unset or empty.
: "${OUTDIR:=$HOME/tls}"                                      # leaf out
: "${CHAIN_FILE:=$HOME/nginx/ca/current-ca-chain.pem}"        # proxy out
: "${RELOAD_TLS_LABEL:=tls=true}"                             # container label
info "post v${VERSION} for ${BOLD}${APP_NAME}${RESET}"
if ! command -v jq >/dev/null; then
  err "jq not found"
  exit 1
fi

# Private by default: every file or directory this script creates (staging
# dir, key written via redirection) starts out owner-only; install(1) later
# sets the intended final modes explicitly.
umask 077
# Best-effort directory creation: only one of the two output locations is used
# per run, so a failure here is tolerated and surfaces, if at all, when the
# relevant branch tries to write there.
mkdir -p "$OUTDIR" 2>/dev/null || true
mkdir -p "$(dirname "$CHAIN_FILE")" 2>/dev/null || true

if [[ ! -s "$JSON" ]]; then
  err "render JSON missing: $JSON_LEAF | $JSON_CHAIN"
  exit 1
fi
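# ========= LEAF vs CHAIN =========
# A render that carries private_key is the app's leaf bundle; anything else is
# treated as the proxy CA chain.
if jq -e 'has("private_key")' "$JSON" >/dev/null 2>&1; then
  # ----- LEAF (app certificate) -----
  # Stage inside OUTDIR; with umask 077 the staging dir and the key written by
  # redirection are owner-only until install(1) sets the final modes.
  tmp="$(mktemp -d "$OUTDIR/.staging.XXXX")"; trap 'rm -rf "$tmp"' EXIT
  jq -r '.private_key' "$JSON" > "$tmp/${APP_NAME}.key"
  # fullchain = leaf certificate followed by ca_chain (array or string),
  # falling back to issuing_ca; `// empty` prevents a literal "null" line when
  # none of them is present.
  jq -r '
    .certificate,
    (if (.ca_chain|type=="array") then (.ca_chain|join("\n"))
     elif (.ca_chain|type=="string") then .ca_chain
     else (.issuing_ca // empty) end)
  ' "$JSON" > "$tmp/${APP_NAME}.fullchain.pem"

  # Do not replace a working key/cert pair with an empty or "null" render.
  # This is a minimal PEM sanity check, not a full validation of the pair.
  for f in "$tmp/${APP_NAME}.key" "$tmp/${APP_NAME}.fullchain.pem"; do
    grep -q -- '-----BEGIN' "$f" || { err "rendered ${f##*/} is empty or not PEM: $JSON"; exit 1; }
  done

  install -m 600 "$tmp/${APP_NAME}.key" "$OUTDIR/${APP_NAME}.key"
  install -m 644 "$tmp/${APP_NAME}.fullchain.pem" "$OUTDIR/${APP_NAME}.fullchain.pem"
  ok "leaf written → ${OUTDIR}/${APP_NAME}.{key,fullchain.pem}"

  # Informational only; a missing or failing openssl yields an empty subject.
  subj="$(jq -r '.certificate' "$JSON" | openssl x509 -noout -subject 2>/dev/null || true)"
  if [[ -n "$subj" ]]; then
    info "subject: ${subj#subject=}"
  fi
else
  # ----- CHAIN (proxy CA chain) -----
  # Stage next to CHAIN_FILE (owner-only via umask 077), publish via install.
  tmp="$(mktemp "${CHAIN_FILE}.XXXX")"; trap 'rm -f "$tmp"' EXIT
  # Preference: ca_chain (array or string) > issuing_ca > certificate.
  # `// empty` keeps a null field from producing a literal "null" line.
  jq -r '
    if has("ca_chain") then
      (if (.ca_chain|type=="array") then (.ca_chain|join("\n")) else (.ca_chain // empty) end)
    elif has("issuing_ca") then (.issuing_ca // empty)
    elif has("certificate") then (.certificate // empty)
    else empty end
  ' "$JSON" > "$tmp"
  # Do not overwrite the live chain with an empty or non-PEM render.
  grep -q -- '-----BEGIN' "$tmp" || { err "rendered chain is empty or not PEM: $JSON"; exit 1; }

  install -m 644 "$tmp" "$CHAIN_FILE"
  ok "chain written → ${CHAIN_FILE}"
fi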
# ========= Optional NGINX reload via podman labels =========
# Every container carrying RELOAD_TLS_LABEL gets a config test followed by a
# reload. A failed reload is reported as a warning and does not change this
# script's exit status.
if ! command -v podman >/dev/null 2>&1; then
  warn "podman not found → skip container reload"
  exit 0
fi
info "reload label: ${BOLD}${RELOAD_TLS_LABEL}${RESET}"

# Blank lines are dropped so that no matching container yields an empty array.
mapfile -t CIDS < <(podman ps --filter "label=${RELOAD_TLS_LABEL}" --format '{{.ID}}' | sed '/^$/d') || true
if [[ "${#CIDS[@]}" -eq 0 ]]; then
  warn "no containers with label ${RELOAD_TLS_LABEL} → skip reload"
  exit 0
fi
info "containers: ${BOLD}${CIDS[*]}${RESET}"

# Syntax check first so a broken config never triggers a reload.
reload_cmd='nginx -t >/dev/null 2>&1 && nginx -s reload'
for cid in "${CIDS[@]}"; do
  if ! podman exec "$cid" sh -lc "$reload_cmd" >/dev/null 2>&1; then
    warn "reload FAILED in ${cid}"
    continue
  fi
  ok "reload OK in ${cid}"
done