image/base-image/service-available/:ssl-tools/assets/tool/ssl-auto-renew - airflow-openldap - Git at Google

 #!/bin/bash -e

 # This file aims to be called by a cron task
 # and not directly. See ssl-helper.

 source /container/run/environment.sh

 SSL_HELPER_TOOL=$1
 PREFIX=$2
 CERT_FILE=$3
 KEY_FILE=$4
 CA_FILE=$5
 IMPACTED_SERVICES=$6
 JSONSSL_FILE=$7
 FROM_FILES=$8
 CERT_FROM_FILE=$9
 KEY_FROM_FILE=${10}
 CA_CERT_FROM_FILE=${11}

 function stop_impacted_services() {
     # Stop impacted services
     if [ -n "${IMPACTED_SERVICES}" ]; then
         log-helper info "Services to stop: ${IMPACTED_SERVICES}"

         impacted_services_table=("${IMPACTED_SERVICES}")
         for service in "${impacted_services_table[@]}"
         do
             log-helper info "Stopping ${service}..."
             sv stop "/container/run/process/${service}"
         done

         log-helper info "All services are stopped"
     fi
 }

 function start_impacted_services() {
     # restart impacted services
     if [ -n "${IMPACTED_SERVICES}" ]; then

         impacted_services_table=("${IMPACTED_SERVICES}")
         for service in "${impacted_services_table[@]}"
         do
             log-helper info "Starting ${service}..."
             sv start "/container/run/process/${service}"
         done

         log-helper info "All services are started"
     fi
 }

 # renew from container files
 if [ "${FROM_FILES,,}" = "true" ]; then

     log-helper info "Check renew from files"
     renew=false

     # File previous md5
     CERT_PREVIOUS_MD5=$(cat "${CONTAINER_SERVICE_DIR}/:ssl-tools/assets/md5${CERT_FILE}.md5") || true
     KEY_PREVIOUS_MD5=$(cat "${CONTAINER_SERVICE_DIR}/:ssl-tools/assets/md5${KEY_FILE}.md5") || true
     CA_CERT_PREVIOUS_MD5=$(cat "${CONTAINER_SERVICE_DIR}/:ssl-tools/assets/md5${CA_FILE}.md5") || true

     # from file current md5
     FROM_CERT_MD5=$(md5sum "${CERT_FROM_FILE}" | awk '{ print $1 }')
     FROM_KEY_MD5=$(md5sum "${KEY_FROM_FILE}" | awk '{ print $1 }')
     FROM_CA_CERT_MD5=$(md5sum "${CA_CERT_FROM_FILE}" | awk '{ print $1 }')

     [[ "$CERT_PREVIOUS_MD5" != "$FROM_CERT_MD5" ]] && renew=true
     [[ "$KEY_PREVIOUS_MD5" != "$FROM_KEY_MD5" ]] && renew=true
     [[ "$CA_CERT_PREVIOUS_MD5" != "$FROM_CA_CERT_MD5" ]] && renew=true

     if ! $renew; then
         log-helper info "Certificate files are identicals"
         exit 0
     fi

     log-helper info "Certificate files are differents"

     stop_impacted_services

     if [ "${CERT_FROM_FILE}" != "${CERT_FILE}" ]; then
         log-helper info "Copy ${CERT_FROM_FILE} to ${CERT_FILE}"
         cp -f "${CERT_FROM_FILE}" "${CERT_FILE}"
     fi

     if [ "${KEY_FROM_FILE}" != "${KEY_FILE}" ]; then
         log-helper info "Copy ${KEY_FROM_FILE} to ${KEY_FILE}"
         cp -f "${KEY_FROM_FILE}" "${KEY_FILE}"
     fi

     if [ "${CA_CERT_FROM_FILE}" != "${CA_FILE}" ]; then
         log-helper info "Copy ${CA_CERT_FROM_FILE} to ${CA_FILE}"
         cp -f "${CA_CERT_FROM_FILE}" "${CA_FILE}"
     fi

     log-helper info "Update file md5 with new values"
     echo "${FROM_CERT_MD5}" > "${CONTAINER_SERVICE_DIR}/:ssl-tools/assets/md5${CERT_FILE}.md5"
     echo "${FROM_KEY_MD5}" > "${CONTAINER_SERVICE_DIR}/:ssl-tools/assets/md5${KEY_FILE}.md5"
     echo "${FROM_CA_CERT_MD5}" > "${CONTAINER_SERVICE_DIR}/:ssl-tools/assets/md5${CA_FILE}.md5"

     start_impacted_services

     # renew with cfssl or jsonssl
 else
     log-helper info "Check renew for cfssl or jsonssl"

     cert_ok=false
     ca_ok=false

     # the certificate will expired in the next day
     if openssl x509 -checkend 259200 -noout -in "${CERT_FILE}"; then
         log-helper info "The certificate '${CERT_FILE}' is ok for the next 3 days at least."
         cert_ok=true
     fi

     if openssl x509 -checkend 259200 -noout -in "${CA_FILE}"; then
         log-helper info "The CA certificate '${CA_FILE}' is ok for the next 3 days at least."
         ca_ok=true
     fi

     if [ "${SSL_HELPER_TOOL}" = "jsonssl-helper" ]; then
         log-helper info "Check if ${JSONSSL_FILE} has changed"
         JSONSSL_FILE_PREVIOUS_MD5=$(cat "${CONTAINER_SERVICE_DIR}/:ssl-tools/assets/md5${JSONSSL_FILE}.md5") || true
         JSONSSL_FILE_MD5=$(md5sum "${JSONSSL_FILE}" | awk '{ print $1 }')

         [[ "${JSONSSL_FILE_PREVIOUS_MD5}" != "${JSONSSL_FILE_MD5}" ]] && cert_ok=false
     fi

     if ${cert_ok} && ${ca_ok}; then
         log-helper info "Nothing to do :)"
         exit 0
     fi

     log-helper info "Auto-renew on the way!"

     stop_impacted_services

     log-helper info "Remove certificate files"
     rm -f "${CERT_FILE}" "${KEY_FILE}" "${CA_FILE}"

     log-helper info "Regenerate certificate with ${SSL_HELPER_TOOL}"
     ${SSL_HELPER_TOOL} "${PREFIX}" "${CERT_FILE}" "${KEY_FILE}" "${CA_FILE}"

     start_impacted_services

     if [ "${SSL_HELPER_TOOL}" = "jsonssl-helper" ]; then
         log-helper info "Update file md5 with new values"
         echo "${JSONSSL_FILE_MD5}" > "${CONTAINER_SERVICE_DIR}/:ssl-tools/assets/md5${JSONSSL_FILE}.md5"
     fi

 fi

 log-helper info "Auto-renew finished! Champagne!"
	#!/bin/bash -e

	# This file aims to be called by a cron task
	# and not directly. See ssl-helper.

	source /container/run/environment.sh

	SSL_HELPER_TOOL=$1
	PREFIX=$2
	CERT_FILE=$3
	KEY_FILE=$4
	CA_FILE=$5
	IMPACTED_SERVICES=$6
	JSONSSL_FILE=$7
	FROM_FILES=$8
	CERT_FROM_FILE=$9
	KEY_FROM_FILE=${10}
	CA_CERT_FROM_FILE=${11}

	function stop_impacted_services() {
	# Stop impacted services
	if [ -n "${IMPACTED_SERVICES}" ]; then
	log-helper info "Services to stop: ${IMPACTED_SERVICES}"

	impacted_services_table=("${IMPACTED_SERVICES}")
	for service in "${impacted_services_table[@]}"
	do
	log-helper info "Stopping ${service}..."
	sv stop "/container/run/process/${service}"
	done

	log-helper info "All services are stopped"
	fi
	}

	function start_impacted_services() {
	# restart impacted services
	if [ -n "${IMPACTED_SERVICES}" ]; then

	impacted_services_table=("${IMPACTED_SERVICES}")
	for service in "${impacted_services_table[@]}"
	do
	log-helper info "Starting ${service}..."
	sv start "/container/run/process/${service}"
	done

	log-helper info "All services are started"
	fi
	}

	# renew from container files
	if [ "${FROM_FILES,,}" = "true" ]; then

	log-helper info "Check renew from files"
	renew=false

	# File previous md5
	CERT_PREVIOUS_MD5=$(cat "${CONTAINER_SERVICE_DIR}/:ssl-tools/assets/md5${CERT_FILE}.md5") \|\| true
	KEY_PREVIOUS_MD5=$(cat "${CONTAINER_SERVICE_DIR}/:ssl-tools/assets/md5${KEY_FILE}.md5") \|\| true
	CA_CERT_PREVIOUS_MD5=$(cat "${CONTAINER_SERVICE_DIR}/:ssl-tools/assets/md5${CA_FILE}.md5") \|\| true

	# from file current md5
	FROM_CERT_MD5=$(md5sum "${CERT_FROM_FILE}" \| awk '{ print $1 }')
	FROM_KEY_MD5=$(md5sum "${KEY_FROM_FILE}" \| awk '{ print $1 }')
	FROM_CA_CERT_MD5=$(md5sum "${CA_CERT_FROM_FILE}" \| awk '{ print $1 }')

	[[ "$CERT_PREVIOUS_MD5" != "$FROM_CERT_MD5" ]] && renew=true
	[[ "$KEY_PREVIOUS_MD5" != "$FROM_KEY_MD5" ]] && renew=true
	[[ "$CA_CERT_PREVIOUS_MD5" != "$FROM_CA_CERT_MD5" ]] && renew=true

	if ! $renew; then
	log-helper info "Certificate files are identicals"
	exit 0
	fi

	log-helper info "Certificate files are differents"

	stop_impacted_services

	if [ "${CERT_FROM_FILE}" != "${CERT_FILE}" ]; then
	log-helper info "Copy ${CERT_FROM_FILE} to ${CERT_FILE}"
	cp -f "${CERT_FROM_FILE}" "${CERT_FILE}"
	fi

	if [ "${KEY_FROM_FILE}" != "${KEY_FILE}" ]; then
	log-helper info "Copy ${KEY_FROM_FILE} to ${KEY_FILE}"
	cp -f "${KEY_FROM_FILE}" "${KEY_FILE}"
	fi

	if [ "${CA_CERT_FROM_FILE}" != "${CA_FILE}" ]; then
	log-helper info "Copy ${CA_CERT_FROM_FILE} to ${CA_FILE}"
	cp -f "${CA_CERT_FROM_FILE}" "${CA_FILE}"
	fi

	log-helper info "Update file md5 with new values"
	echo "${FROM_CERT_MD5}" > "${CONTAINER_SERVICE_DIR}/:ssl-tools/assets/md5${CERT_FILE}.md5"
	echo "${FROM_KEY_MD5}" > "${CONTAINER_SERVICE_DIR}/:ssl-tools/assets/md5${KEY_FILE}.md5"
	echo "${FROM_CA_CERT_MD5}" > "${CONTAINER_SERVICE_DIR}/:ssl-tools/assets/md5${CA_FILE}.md5"

	start_impacted_services

	# renew with cfssl or jsonssl
	else
	log-helper info "Check renew for cfssl or jsonssl"

	cert_ok=false
	ca_ok=false

	# the certificate will expired in the next day
	if openssl x509 -checkend 259200 -noout -in "${CERT_FILE}"; then
	log-helper info "The certificate '${CERT_FILE}' is ok for the next 3 days at least."
	cert_ok=true
	fi

	if openssl x509 -checkend 259200 -noout -in "${CA_FILE}"; then
	log-helper info "The CA certificate '${CA_FILE}' is ok for the next 3 days at least."
	ca_ok=true
	fi

	if [ "${SSL_HELPER_TOOL}" = "jsonssl-helper" ]; then
	log-helper info "Check if ${JSONSSL_FILE} has changed"
	JSONSSL_FILE_PREVIOUS_MD5=$(cat "${CONTAINER_SERVICE_DIR}/:ssl-tools/assets/md5${JSONSSL_FILE}.md5") \|\| true
	JSONSSL_FILE_MD5=$(md5sum "${JSONSSL_FILE}" \| awk '{ print $1 }')

	[[ "${JSONSSL_FILE_PREVIOUS_MD5}" != "${JSONSSL_FILE_MD5}" ]] && cert_ok=false
	fi

	if ${cert_ok} && ${ca_ok}; then
	log-helper info "Nothing to do :)"
	exit 0
	fi

	log-helper info "Auto-renew on the way!"

	stop_impacted_services

	log-helper info "Remove certificate files"
	rm -f "${CERT_FILE}" "${KEY_FILE}" "${CA_FILE}"

	log-helper info "Regenerate certificate with ${SSL_HELPER_TOOL}"
	${SSL_HELPER_TOOL} "${PREFIX}" "${CERT_FILE}" "${KEY_FILE}" "${CA_FILE}"

	start_impacted_services

	if [ "${SSL_HELPER_TOOL}" = "jsonssl-helper" ]; then
	log-helper info "Update file md5 with new values"
	echo "${JSONSSL_FILE_MD5}" > "${CONTAINER_SERVICE_DIR}/:ssl-tools/assets/md5${JSONSSL_FILE}.md5"
	fi

	fi

	log-helper info "Auto-renew finished! Champagne!"