neil
5 years ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
15 changed files with 796 additions and 24 deletions
-
2.travis.yml
-
4README.md
-
8acme.sh
-
262deploy/openstack.sh
-
4deploy/synology_dsm.sh
-
2deploy/vault_cli.sh
-
8dnsapi/dns_1984hosting.sh
-
2dnsapi/dns_azure.sh
-
6dnsapi/dns_cloudns.sh
-
4dnsapi/dns_cyon.sh
-
6dnsapi/dns_dgon.sh
-
2dnsapi/dns_dynv6.sh
-
160dnsapi/dns_netlify.sh
-
2dnsapi/dns_yandex.sh
-
348dnsapi/openstack.sh
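--- a/deploy/openstack.sh
+++ b/deploy/openstack.sh
@@ -0,0 +1,262 @@
+#!/usr/bin/env sh
+
+# OpenStack Barbican deploy hook
+#
+# This requires you to have OpenStackClient and python-barbicanclient
+# installed.
+#
+# You will require Keystone V3 credentials loaded into your environment, which
+# could be either password or v3applicationcredential type.
+#
+# Author: Andy Botting <andy@andybotting.com>
+
+openstack_deploy() {
+_cdomain="$1"
+_ckey="$2"
+_ccert="$3"
+_cca="$4"
+_cfullchain="$5"
+
+_debug _cdomain "$_cdomain"
+_debug _ckey "$_ckey"
+_debug _ccert "$_ccert"
+_debug _cca "$_cca"
+_debug _cfullchain "$_cfullchain"
+
+if ! _exists openstack; then
+_err "OpenStack client not found"
+return 1
+fi
+
+_openstack_credentials || return $?
+
+_info "Generate import pkcs12"
+_import_pkcs12="$(_mktemp)"
+if ! _openstack_to_pkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca"; then
+_err "Error creating pkcs12 certificate"
+return 1
+fi
+_debug _import_pkcs12 "$_import_pkcs12"
+_base64_pkcs12=$(_base64 "multiline" <"$_import_pkcs12")
+
+secretHrefs=$(_openstack_get_secrets)
+_debug secretHrefs "$secretHrefs"
+_openstack_store_secret || return $?
+
+if [ -n "$secretHrefs" ]; then
+_info "Cleaning up existing secret"
+_openstack_delete_secrets || return $?
+fi
+
+_info "Certificate successfully deployed"
+return 0
+}
+
+_openstack_store_secret() {
+if ! openstack secret store --name "$_cdomain." -t 'application/octet-stream' -e base64 --payload "$_base64_pkcs12"; then
+_err "Failed to create OpenStack secret"
+return 1
+fi
+return
+}
+
+_openstack_delete_secrets() {
+echo "$secretHrefs" | while read -r secretHref; do
+_info "Deleting old secret $secretHref"
+if ! openstack secret delete "$secretHref"; then
+_err "Failed to delete OpenStack secret"
+return 1
+fi
+done
+return
+}
+
+_openstack_get_secrets() {
+if ! secretHrefs=$(openstack secret list -f value --name "$_cdomain." | cut -d' ' -f1); then
+_err "Failed to list secrets"
+return 1
+fi
+echo "$secretHrefs"
+}
+
+_openstack_to_pkcs() {
+# The existing _toPkcs command can't allow an empty password, due to sh
+# -z test, so copied here and forcing the empty password.
+_cpfx="$1"
+_ckey="$2"
+_ccert="$3"
+_cca="$4"
+
+${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$_cpfx" -inkey "$_ckey" -in "$_ccert" -certfile "$_cca" -password "pass:"
+}
+
+_openstack_credentials() {
+_debug "Check OpenStack credentials"
+
+# If we have OS_AUTH_URL already set in the environment, then assume we want
+# to use those, otherwise use stored credentials
+if [ -n "$OS_AUTH_URL" ]; then
+_debug "OS_AUTH_URL env var found, using environment"
+else
+_debug "OS_AUTH_URL not found, loading stored credentials"
+OS_AUTH_URL="${OS_AUTH_URL:-$(_readaccountconf_mutable OS_AUTH_URL)}"
+OS_IDENTITY_API_VERSION="${OS_IDENTITY_API_VERSION:-$(_readaccountconf_mutable OS_IDENTITY_API_VERSION)}"
+OS_AUTH_TYPE="${OS_AUTH_TYPE:-$(_readaccountconf_mutable OS_AUTH_TYPE)}"
+OS_APPLICATION_CREDENTIAL_ID="${OS_APPLICATION_CREDENTIAL_ID:-$(_readaccountconf_mutable OS_APPLICATION_CREDENTIAL_ID)}"
+OS_APPLICATION_CREDENTIAL_SECRET="${OS_APPLICATION_CREDENTIAL_SECRET:-$(_readaccountconf_mutable OS_APPLICATION_CREDENTIAL_SECRET)}"
+OS_USERNAME="${OS_USERNAME:-$(_readaccountconf_mutable OS_USERNAME)}"
+OS_PASSWORD="${OS_PASSWORD:-$(_readaccountconf_mutable OS_PASSWORD)}"
+OS_PROJECT_NAME="${OS_PROJECT_NAME:-$(_readaccountconf_mutable OS_PROJECT_NAME)}"
+OS_PROJECT_ID="${OS_PROJECT_ID:-$(_readaccountconf_mutable OS_PROJECT_ID)}"
+OS_USER_DOMAIN_NAME="${OS_USER_DOMAIN_NAME:-$(_readaccountconf_mutable OS_USER_DOMAIN_NAME)}"
+OS_USER_DOMAIN_ID="${OS_USER_DOMAIN_ID:-$(_readaccountconf_mutable OS_USER_DOMAIN_ID)}"
+OS_PROJECT_DOMAIN_NAME="${OS_PROJECT_DOMAIN_NAME:-$(_readaccountconf_mutable OS_PROJECT_DOMAIN_NAME)}"
+OS_PROJECT_DOMAIN_ID="${OS_PROJECT_DOMAIN_ID:-$(_readaccountconf_mutable OS_PROJECT_DOMAIN_ID)}"
+fi
+
+# Check each var and either save or clear it depending on whether its set.
+# The helps us clear out old vars in the case where a user may want
+# to switch between password and app creds
+_debug "OS_AUTH_URL" "$OS_AUTH_URL"
+if [ -n "$OS_AUTH_URL" ]; then
+export OS_AUTH_URL
+_saveaccountconf_mutable OS_AUTH_URL "$OS_AUTH_URL"
+else
+unset OS_AUTH_URL
+_clearaccountconf SAVED_OS_AUTH_URL
+fi
+
+_debug "OS_IDENTITY_API_VERSION" "$OS_IDENTITY_API_VERSION"
+if [ -n "$OS_IDENTITY_API_VERSION" ]; then
+export OS_IDENTITY_API_VERSION
+_saveaccountconf_mutable OS_IDENTITY_API_VERSION "$OS_IDENTITY_API_VERSION"
+else
+unset OS_IDENTITY_API_VERSION
+_clearaccountconf SAVED_OS_IDENTITY_API_VERSION
+fi
+
+_debug "OS_AUTH_TYPE" "$OS_AUTH_TYPE"
+if [ -n "$OS_AUTH_TYPE" ]; then
+export OS_AUTH_TYPE
+_saveaccountconf_mutable OS_AUTH_TYPE "$OS_AUTH_TYPE"
+else
+unset OS_AUTH_TYPE
+_clearaccountconf SAVED_OS_AUTH_TYPE
+fi
+
+_debug "OS_APPLICATION_CREDENTIAL_ID" "$OS_APPLICATION_CREDENTIAL_ID"
+if [ -n "$OS_APPLICATION_CREDENTIAL_ID" ]; then
+export OS_APPLICATION_CREDENTIAL_ID
+_saveaccountconf_mutable OS_APPLICATION_CREDENTIAL_ID "$OS_APPLICATION_CREDENTIAL_ID"
+else
+unset OS_APPLICATION_CREDENTIAL_ID
+_clearaccountconf SAVED_OS_APPLICATION_CREDENTIAL_ID
+fi
+
+_secure_debug "OS_APPLICATION_CREDENTIAL_SECRET" "$OS_APPLICATION_CREDENTIAL_SECRET"
+if [ -n "$OS_APPLICATION_CREDENTIAL_SECRET" ]; then
+export OS_APPLICATION_CREDENTIAL_SECRET
+_saveaccountconf_mutable OS_APPLICATION_CREDENTIAL_SECRET "$OS_APPLICATION_CREDENTIAL_SECRET"
+else
+unset OS_APPLICATION_CREDENTIAL_SECRET
+_clearaccountconf SAVED_OS_APPLICATION_CREDENTIAL_SECRET
+fi
+
+_debug "OS_USERNAME" "$OS_USERNAME"
+if [ -n "$OS_USERNAME" ]; then
+export OS_USERNAME
+_saveaccountconf_mutable OS_USERNAME "$OS_USERNAME"
+else
+unset OS_USERNAME
+_clearaccountconf SAVED_OS_USERNAME
+fi
+
+_secure_debug "OS_PASSWORD" "$OS_PASSWORD"
+if [ -n "$OS_PASSWORD" ]; then
+export OS_PASSWORD
+_saveaccountconf_mutable OS_PASSWORD "$OS_PASSWORD"
+else
+unset OS_PASSWORD
+_clearaccountconf SAVED_OS_PASSWORD
+fi
+
+_debug "OS_PROJECT_NAME" "$OS_PROJECT_NAME"
+if [ -n "$OS_PROJECT_NAME" ]; then
+export OS_PROJECT_NAME
+_saveaccountconf_mutable OS_PROJECT_NAME "$OS_PROJECT_NAME"
+else
+unset OS_PROJECT_NAME
+_clearaccountconf SAVED_OS_PROJECT_NAME
+fi
+
+_debug "OS_PROJECT_ID" "$OS_PROJECT_ID"
+if [ -n "$OS_PROJECT_ID" ]; then
+export OS_PROJECT_ID
+_saveaccountconf_mutable OS_PROJECT_ID "$OS_PROJECT_ID"
+else
+unset OS_PROJECT_ID
+_clearaccountconf SAVED_OS_PROJECT_ID
+fi
+
+_debug "OS_USER_DOMAIN_NAME" "$OS_USER_DOMAIN_NAME"
+if [ -n "$OS_USER_DOMAIN_NAME" ]; then
+export OS_USER_DOMAIN_NAME
+_saveaccountconf_mutable OS_USER_DOMAIN_NAME "$OS_USER_DOMAIN_NAME"
+else
+unset OS_USER_DOMAIN_NAME
+_clearaccountconf SAVED_OS_USER_DOMAIN_NAME
+fi
+
+_debug "OS_USER_DOMAIN_ID" "$OS_USER_DOMAIN_ID"
+if [ -n "$OS_USER_DOMAIN_ID" ]; then
+export OS_USER_DOMAIN_ID
+_saveaccountconf_mutable OS_USER_DOMAIN_ID "$OS_USER_DOMAIN_ID"
+else
+unset OS_USER_DOMAIN_ID
+_clearaccountconf SAVED_OS_USER_DOMAIN_ID
+fi
+
+_debug "OS_PROJECT_DOMAIN_NAME" "$OS_PROJECT_DOMAIN_NAME"
+if [ -n "$OS_PROJECT_DOMAIN_NAME" ]; then
+export OS_PROJECT_DOMAIN_NAME
+_saveaccountconf_mutable OS_PROJECT_DOMAIN_NAME "$OS_PROJECT_DOMAIN_NAME"
+else
+unset OS_PROJECT_DOMAIN_NAME
+_clearaccountconf SAVED_OS_PROJECT_DOMAIN_NAME
+fi
+
+_debug "OS_PROJECT_DOMAIN_ID" "$OS_PROJECT_DOMAIN_ID"
+if [ -n "$OS_PROJECT_DOMAIN_ID" ]; then
+export OS_PROJECT_DOMAIN_ID
+_saveaccountconf_mutable OS_PROJECT_DOMAIN_ID "$OS_PROJECT_DOMAIN_ID"
+else
+unset OS_PROJECT_DOMAIN_ID
+_clearaccountconf SAVED_OS_PROJECT_DOMAIN_ID
+fi
+
+if [ "$OS_AUTH_TYPE" = "v3applicationcredential" ]; then
+# Application Credential auth
+if [ -z "$OS_APPLICATION_CREDENTIAL_ID" ] || [ -z "$OS_APPLICATION_CREDENTIAL_SECRET" ]; then
+_err "When using OpenStack application credentials, OS_APPLICATION_CREDENTIAL_ID"
+_err "and OS_APPLICATION_CREDENTIAL_SECRET must be set."
+_err "Please check your credentials and try again."
+return 1
+fi
+else
+# Password auth
+if [ -z "$OS_USERNAME" ] || [ -z "$OS_PASSWORD" ]; then
+_err "OpenStack username or password not found."
+_err "Please check your credentials and try again."
+return 1
+fi
+
+if [ -z "$OS_PROJECT_NAME" ] && [ -z "$OS_PROJECT_ID" ]; then
+_err "When using password authentication, OS_PROJECT_NAME or"
+_err "OS_PROJECT_ID must be set."
+_err "Please check your credentials and try again."
+return 1
+fi
+fi
+
+return 0
+}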
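Review bot: The PKCS#12 file that `openstack_deploy` creates with `_mktemp` is never deleted, so a copy of the private key protected only by the empty password that `_openstack_to_pkcs` sets with `-password "pass:"` stays on disk after the deploy, including on every `return 1` path after the `_mktemp` line. The file is no longer needed once `_base64_pkcs12` has been read; add `rm -f "$_import_pkcs12"` immediately after the `_base64` line and before the `return 1` in the pkcs12 error branch. In `_openstack_delete_secrets` the `return 1` inside the piped `while read` loop executes in the pipeline's subshell and reaches the caller only because the bare `return` that follows reuses the pipeline's exit status; a comment such as `# bare return propagates the pipeline's exit status` or a loop that avoids the pipe would make that intent explicit.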
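--- a/dnsapi/dns_netlify.sh
+++ b/dnsapi/dns_netlify.sh
@@ -0,0 +1,160 @@
+#!/usr/bin/env sh
+
+#NETLIFY_ACCESS_TOKEN="xxxx"
+
+NETLIFY_HOST="api.netlify.com/api/v1/"
+NETLIFY_URL="https://$NETLIFY_HOST"
+
+######## Public functions #####################
+
+#Usage: dns_myapi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_netlify_add() {
+fulldomain=$1
+txtvalue=$2
+
+NETLIFY_ACCESS_TOKEN="${NETLIFY_ACCESS_TOKEN:-$(_readaccountconf_mutable NETLIFY_ACCESS_TOKEN)}"
+
+if [ -z "$NETLIFY_ACCESS_TOKEN" ]; then
+NETLIFY_ACCESS_TOKEN=""
+_err "Please specify your Netlify Access Token and try again."
+return 1
+fi
+
+_info "Using Netlify"
+_debug fulldomain "$fulldomain"
+_debug txtvalue "$txtvalue"
+
+_saveaccountconf_mutable NETLIFY_ACCESS_TOKEN "$NETLIFY_ACCESS_TOKEN"
+
+if ! _get_root "$fulldomain" "$accesstoken"; then
+_err "invalid domain"
+return 1
+fi
+
+_debug _domain_id "$_domain_id"
+_debug _sub_domain "$_sub_domain"
+_debug _domain "$_domain"
+
+dnsRecordURI="dns_zones/$_domain_id/dns_records"
+
+body="{\"type\":\"TXT\", \"hostname\":\"$_sub_domain\", \"value\":\"$txtvalue\", \"ttl\":\"10\"}"
+
+_netlify_rest POST "$dnsRecordURI" "$body" "$NETLIFY_ACCESS_TOKEN"
+_code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")"
+if [ "$_code" = "200" ] || [ "$_code" = '201' ]; then
+_info "validation value added"
+return 0
+else
+_err "error adding validation value ($_code)"
+return 1
+fi
+
+_err "Not fully implemented!"
+return 1
+}
+
+#Usage: dns_myapi_rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+#Remove the txt record after validation.
+dns_netlify_rm() {
+_info "Using Netlify"
+_debug txtdomain "$txtdomain"
+_debug txt "$txt"
+
+_saveaccountconf_mutable NETLIFY_ACCESS_TOKEN "$NETLIFY_ACCESS_TOKEN"
+
+if ! _get_root "$txtdomain" "$accesstoken"; then
+_err "invalid domain"
+return 1
+fi
+
+_debug _domain_id "$_domain_id"
+_debug _sub_domain "$_sub_domain"
+_debug _domain "$_domain"
+
+dnsRecordURI="dns_zones/$_domain_id/dns_records"
+
+_netlify_rest GET "$dnsRecordURI" "" "$NETLIFY_ACCESS_TOKEN"
+
+_record_id=$(echo "$response" | _egrep_o "\"type\":\"TXT\",[^\}]*\"value\":\"$txt\"" | head -n 1 | _egrep_o "\"id\":\"[^\"\}]*\"" | cut -d : -f 2 | tr -d \" )
+_debug _record_id "$_record_id"
+if [ "$_record_id" ]; then
+_netlify_rest DELETE "$dnsRecordURI/$_record_id" "" "$NETLIFY_ACCESS_TOKEN"
+_code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")"
+if [ "$_code" = "200" ] || [ "$_code" = '204' ]; then
+_info "validation value removed"
+return 0
+else
+_err "error removing validation value ($_code)"
+return 1
+fi
+return 0
+fi
+return 1
+}
+
+#################### Private functions below ##################################
+
+_get_root() {
+domain=$1
+accesstoken=$2
+i=1
+p=1
+
+_netlify_rest GET "dns_zones" "" "$accesstoken"
+
+while true; do
+h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+_debug2 "Checking domain: $h"
+if [ -z "$h" ]; then
+#not valid
+_err "Invalid domain"
+return 1
+fi
+
+if _contains "$response" "\"name\":\"$h\"" >/dev/null; then
+_domain_id=$(echo "$response" | _egrep_o "\"[^\"]*\",\"name\":\"$h" | cut -d , -f 1 | tr -d \" )
+if [ "$_domain_id" ]; then
+if [ "$i" = 1 ]; then
+#create the record at the domain apex (@) if only the domain name was provided as --domain-alias
+_sub_domain="@"
+else
+_sub_domain=$(echo "$domain" | cut -d . -f 1-$p)
+fi
+_domain=$h
+return 0
+fi
+return 1
+fi
+p=$i
+i=$(_math "$i" + 1)
+done
+return 1
+}
+
+_netlify_rest() {
+m=$1
+ep="$2"
+data="$3"
+_debug "$ep"
+
+token_trimmed=$(echo "$NETLIFY_ACCESS_TOKEN" | tr -d '"')
+
+export _H1="Content-Type: application/json"
+export _H2="Authorization: Bearer $token_trimmed"
+
+:>"$HTTP_HEADER"
+
+if [ "$m" != "GET" ]; then
+_debug data "$data"
+response="$(_post "$data" "$NETLIFY_URL$ep" "" "$m")"
+else
+response="$(_get "$NETLIFY_URL$ep")"
+fi
+
+if [ "$?" != "0" ]; then
+_err "error $ep"
+return 1
+fi
+_debug2 response "$response"
+return 0
+}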
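Review bot: `dns_netlify_rm` never reads its positional parameters: it passes `$txtdomain` to `_get_root` and greps the record list for `$txt`, but neither name is assigned from `$1`/`$2` anywhere in this file, so unless the caller happens to leave those globals set the lookup runs with an empty domain. It also writes `$NETLIFY_ACCESS_TOKEN` back with `_saveaccountconf_mutable` and uses it as the bearer token without first loading it through `_readaccountconf_mutable` the way `dns_netlify_add` does; when the variable is not already in the environment the DELETE is sent without a usable token and the stored value may be overwritten with an empty string. Reading the parameters and the token at the top of the function, mirroring the add path, addresses both (excerpt below). The `$accesstoken` passed to `_get_root` in `dns_netlify_add` is likewise unset at that point; `_netlify_rest` ignores its fourth argument, so passing `$NETLIFY_ACCESS_TOKEN` there only documents the intent.
```sh
dns_netlify_rm() {
  fulldomain=$1
  txtvalue=$2
  _info "Using Netlify"
  _debug fulldomain "$fulldomain"
  _debug txtvalue "$txtvalue"

  NETLIFY_ACCESS_TOKEN="${NETLIFY_ACCESS_TOKEN:-$(_readaccountconf_mutable NETLIFY_ACCESS_TOKEN)}"
  if [ -z "$NETLIFY_ACCESS_TOKEN" ]; then
    _err "Please specify your Netlify Access Token and try again."
    return 1
  fi
  _saveaccountconf_mutable NETLIFY_ACCESS_TOKEN "$NETLIFY_ACCESS_TOKEN"

  if ! _get_root "$fulldomain" "$NETLIFY_ACCESS_TOKEN"; then
    _err "invalid domain"
    return 1
  fi
  # … unchanged: _debug lines, dnsRecordURI, GET request …
  _record_id=$(echo "$response" | _egrep_o "\"type\":\"TXT\",[^\}]*\"value\":\"$txtvalue\"" | head -n 1 | _egrep_o "\"id\":\"[^\"\}]*\"" | cut -d : -f 2 | tr -d \" )
  # … unchanged: DELETE request and status-code check …
```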
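--- a/dnsapi/openstack.sh
+++ b/dnsapi/openstack.sh
@@ -0,0 +1,348 @@
+#!/usr/bin/env sh
+
+# OpenStack Designate API plugin
+#
+# This requires you to have OpenStackClient and python-desginateclient
+# installed.
+#
+# You will require Keystone V3 credentials loaded into your environment, which
+# could be either password or v3applicationcredential type.
+#
+# Author: Andy Botting <andy@andybotting.com>
+
+######## Public functions #####################
+
+# Usage: dns_openstack_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_openstack_add() {
+fulldomain=$1
+txtvalue=$2
+_debug fulldomain "$fulldomain"
+_debug txtvalue "$txtvalue"
+
+_dns_openstack_credentials || return $?
+_dns_openstack_check_setup || return $?
+_dns_openstack_find_zone || return $?
+_dns_openstack_get_recordset || return $?
+_debug _recordset_id "$_recordset_id"
+if [ -n "$_recordset_id" ]; then
+_dns_openstack_get_records || return $?
+_debug _records "$_records"
+fi
+_dns_openstack_create_recordset || return $?
+}
+
+# Usage: dns_openstack_rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+# Remove the txt record after validation.
+dns_openstack_rm() {
+fulldomain=$1
+txtvalue=$2
+_debug fulldomain "$fulldomain"
+_debug txtvalue "$txtvalue"
+
+_dns_openstack_credentials || return $?
+_dns_openstack_check_setup || return $?
+_dns_openstack_find_zone || return $?
+_dns_openstack_get_recordset || return $?
+_debug _recordset_id "$_recordset_id"
+if [ -n "$_recordset_id" ]; then
+_dns_openstack_get_records || return $?
+_debug _records "$_records"
+fi
+_dns_openstack_delete_recordset || return $?
+}
+
+#################### Private functions below ##################################
+
+_dns_openstack_create_recordset() {
+
+if [ -z "$_recordset_id" ]; then
+_info "Creating a new recordset"
+if ! _recordset_id=$(openstack recordset create -c id -f value --type TXT --record "$txtvalue" "$_zone_id" "$fulldomain."); then
+_err "No recordset ID found after create"
+return 1
+fi
+else
+_info "Updating existing recordset"
+# Build new list of --record <rec> args for update
+_record_args="--record $txtvalue"
+for _rec in $_records; do
+_record_args="$_record_args --record $_rec"
+done
+# shellcheck disable=SC2086
+if ! _recordset_id=$(openstack recordset set -c id -f value $_record_args "$_zone_id" "$fulldomain."); then
+_err "Recordset update failed"
+return 1
+fi
+fi
+
+_max_retries=60
+_sleep_sec=5
+_retry_times=0
+while [ "$_retry_times" -lt "$_max_retries" ]; do
+_retry_times=$(_math "$_retry_times" + 1)
+_debug3 _retry_times "$_retry_times"
+
+_record_status=$(openstack recordset show -c status -f value "$_zone_id" "$_recordset_id")
+_info "Recordset status is $_record_status"
+if [ "$_record_status" = "ACTIVE" ]; then
+return 0
+elif [ "$_record_status" = "ERROR" ]; then
+return 1
+else
+_sleep $_sleep_sec
+fi
+done
+
+_err "Recordset failed to become ACTIVE"
+return 1
+}
+
+_dns_openstack_delete_recordset() {
+
+if [ "$_records" = "$txtvalue" ]; then
+_info "Only one record found, deleting recordset"
+if ! openstack recordset delete "$_zone_id" "$fulldomain." >/dev/null; then
+_err "Failed to delete recordset"
+return 1
+fi
+else
+_info "Found existing records, updating recordset"
+# Build new list of --record <rec> args for update
+_record_args=""
+for _rec in $_records; do
+if [ "$_rec" = "$txtvalue" ]; then
+continue
+fi
+_record_args="$_record_args --record $_rec"
+done
+# shellcheck disable=SC2086
+if ! openstack recordset set -c id -f value $_record_args "$_zone_id" "$fulldomain." >/dev/null; then
+_err "Recordset update failed"
+return 1
+fi
+fi
+}
+
+_dns_openstack_get_root() {
+# Take the full fqdn and strip away pieces until we get an exact zone name
+# match. For example, _acme-challenge.something.domain.com might need to go
+# into something.domain.com or domain.com
+_zone_name=$1
+_zone_list=$2
+while [ "$_zone_name" != "" ]; do
+_zone_name="$(echo "$_zone_name" | sed 's/[^.]*\.*//')"
+echo "$_zone_list" | while read -r id name; do
+if _startswith "$_zone_name." "$name"; then
+echo "$id"
+fi
+done
+done | _head_n 1
+}
+
+_dns_openstack_find_zone() {
+if ! _zone_list="$(openstack zone list -c id -c name -f value)"; then
+_err "Can't list zones. Check your OpenStack credentials"
+return 1
+fi
+_debug _zone_list "$_zone_list"
+
+if ! _zone_id="$(_dns_openstack_get_root "$fulldomain" "$_zone_list")"; then
+_err "Can't find a matching zone. Check your OpenStack credentials"
+return 1
+fi
+_debug _zone_id "$_zone_id"
+}
+
+_dns_openstack_get_records() {
+if ! _records=$(openstack recordset show -c records -f value "$_zone_id" "$fulldomain."); then
+_err "Failed to get records"
+return 1
+fi
+return 0
+}
+
+_dns_openstack_get_recordset() {
+if ! _recordset_id=$(openstack recordset list -c id -f value --name "$fulldomain." "$_zone_id"); then
+_err "Failed to get recordset"
+return 1
+fi
+return 0
+}
+
+_dns_openstack_check_setup() {
+if ! _exists openstack; then
+_err "OpenStack client not found"
+return 1
+fi
+}
+
+_dns_openstack_credentials() {
+_debug "Check OpenStack credentials"
+
+# If we have OS_AUTH_URL already set in the environment, then assume we want
+# to use those, otherwise use stored credentials
+if [ -n "$OS_AUTH_URL" ]; then
+_debug "OS_AUTH_URL env var found, using environment"
+else
+_debug "OS_AUTH_URL not found, loading stored credentials"
+OS_AUTH_URL="${OS_AUTH_URL:-$(_readaccountconf_mutable OS_AUTH_URL)}"
+OS_IDENTITY_API_VERSION="${OS_IDENTITY_API_VERSION:-$(_readaccountconf_mutable OS_IDENTITY_API_VERSION)}"
+OS_AUTH_TYPE="${OS_AUTH_TYPE:-$(_readaccountconf_mutable OS_AUTH_TYPE)}"
+OS_APPLICATION_CREDENTIAL_ID="${OS_APPLICATION_CREDENTIAL_ID:-$(_readaccountconf_mutable OS_APPLICATION_CREDENTIAL_ID)}"
+OS_APPLICATION_CREDENTIAL_SECRET="${OS_APPLICATION_CREDENTIAL_SECRET:-$(_readaccountconf_mutable OS_APPLICATION_CREDENTIAL_SECRET)}"
+OS_USERNAME="${OS_USERNAME:-$(_readaccountconf_mutable OS_USERNAME)}"
+OS_PASSWORD="${OS_PASSWORD:-$(_readaccountconf_mutable OS_PASSWORD)}"
+OS_PROJECT_NAME="${OS_PROJECT_NAME:-$(_readaccountconf_mutable OS_PROJECT_NAME)}"
+OS_PROJECT_ID="${OS_PROJECT_ID:-$(_readaccountconf_mutable OS_PROJECT_ID)}"
+OS_USER_DOMAIN_NAME="${OS_USER_DOMAIN_NAME:-$(_readaccountconf_mutable OS_USER_DOMAIN_NAME)}"
+OS_USER_DOMAIN_ID="${OS_USER_DOMAIN_ID:-$(_readaccountconf_mutable OS_USER_DOMAIN_ID)}"
+OS_PROJECT_DOMAIN_NAME="${OS_PROJECT_DOMAIN_NAME:-$(_readaccountconf_mutable OS_PROJECT_DOMAIN_NAME)}"
+OS_PROJECT_DOMAIN_ID="${OS_PROJECT_DOMAIN_ID:-$(_readaccountconf_mutable OS_PROJECT_DOMAIN_ID)}"
+fi
+
+# Check each var and either save or clear it depending on whether its set.
+# The helps us clear out old vars in the case where a user may want
+# to switch between password and app creds
+_debug "OS_AUTH_URL" "$OS_AUTH_URL"
+if [ -n "$OS_AUTH_URL" ]; then
+export OS_AUTH_URL
+_saveaccountconf_mutable OS_AUTH_URL "$OS_AUTH_URL"
+else
+unset OS_AUTH_URL
+_clearaccountconf SAVED_OS_AUTH_URL
+fi
+
+_debug "OS_IDENTITY_API_VERSION" "$OS_IDENTITY_API_VERSION"
+if [ -n "$OS_IDENTITY_API_VERSION" ]; then
+export OS_IDENTITY_API_VERSION
+_saveaccountconf_mutable OS_IDENTITY_API_VERSION "$OS_IDENTITY_API_VERSION"
+else
+unset OS_IDENTITY_API_VERSION
+_clearaccountconf SAVED_OS_IDENTITY_API_VERSION
+fi
+
+_debug "OS_AUTH_TYPE" "$OS_AUTH_TYPE"
+if [ -n "$OS_AUTH_TYPE" ]; then
+export OS_AUTH_TYPE
+_saveaccountconf_mutable OS_AUTH_TYPE "$OS_AUTH_TYPE"
+else
+unset OS_AUTH_TYPE
+_clearaccountconf SAVED_OS_AUTH_TYPE
+fi
+
+_debug "OS_APPLICATION_CREDENTIAL_ID" "$OS_APPLICATION_CREDENTIAL_ID"
+if [ -n "$OS_APPLICATION_CREDENTIAL_ID" ]; then
+export OS_APPLICATION_CREDENTIAL_ID
+_saveaccountconf_mutable OS_APPLICATION_CREDENTIAL_ID "$OS_APPLICATION_CREDENTIAL_ID"
+else
+unset OS_APPLICATION_CREDENTIAL_ID
+_clearaccountconf SAVED_OS_APPLICATION_CREDENTIAL_ID
+fi
+
+_secure_debug "OS_APPLICATION_CREDENTIAL_SECRET" "$OS_APPLICATION_CREDENTIAL_SECRET"
+if [ -n "$OS_APPLICATION_CREDENTIAL_SECRET" ]; then
+export OS_APPLICATION_CREDENTIAL_SECRET
+_saveaccountconf_mutable OS_APPLICATION_CREDENTIAL_SECRET "$OS_APPLICATION_CREDENTIAL_SECRET"
+else
+unset OS_APPLICATION_CREDENTIAL_SECRET
+_clearaccountconf SAVED_OS_APPLICATION_CREDENTIAL_SECRET
+fi
+
+_debug "OS_USERNAME" "$OS_USERNAME"
+if [ -n "$OS_USERNAME" ]; then
+export OS_USERNAME
+_saveaccountconf_mutable OS_USERNAME "$OS_USERNAME"
+else
+unset OS_USERNAME
+_clearaccountconf SAVED_OS_USERNAME
+fi
+
+_secure_debug "OS_PASSWORD" "$OS_PASSWORD"
+if [ -n "$OS_PASSWORD" ]; then
+export OS_PASSWORD
+_saveaccountconf_mutable OS_PASSWORD "$OS_PASSWORD"
+else
+unset OS_PASSWORD
+_clearaccountconf SAVED_OS_PASSWORD
+fi
+
+_debug "OS_PROJECT_NAME" "$OS_PROJECT_NAME"
+if [ -n "$OS_PROJECT_NAME" ]; then
+export OS_PROJECT_NAME
+_saveaccountconf_mutable OS_PROJECT_NAME "$OS_PROJECT_NAME"
+else
+unset OS_PROJECT_NAME
+_clearaccountconf SAVED_OS_PROJECT_NAME
+fi
+
+_debug "OS_PROJECT_ID" "$OS_PROJECT_ID"
+if [ -n "$OS_PROJECT_ID" ]; then
+export OS_PROJECT_ID
+_saveaccountconf_mutable OS_PROJECT_ID "$OS_PROJECT_ID"
+else
+unset OS_PROJECT_ID
+_clearaccountconf SAVED_OS_PROJECT_ID
+fi
+
+_debug "OS_USER_DOMAIN_NAME" "$OS_USER_DOMAIN_NAME"
+if [ -n "$OS_USER_DOMAIN_NAME" ]; then
+export OS_USER_DOMAIN_NAME
+_saveaccountconf_mutable OS_USER_DOMAIN_NAME "$OS_USER_DOMAIN_NAME"
+else
+unset OS_USER_DOMAIN_NAME
+_clearaccountconf SAVED_OS_USER_DOMAIN_NAME
+fi
+
+_debug "OS_USER_DOMAIN_ID" "$OS_USER_DOMAIN_ID"
+if [ -n "$OS_USER_DOMAIN_ID" ]; then
+export OS_USER_DOMAIN_ID
+_saveaccountconf_mutable OS_USER_DOMAIN_ID "$OS_USER_DOMAIN_ID"
+else
+unset OS_USER_DOMAIN_ID
+_clearaccountconf SAVED_OS_USER_DOMAIN_ID
+fi
+
+_debug "OS_PROJECT_DOMAIN_NAME" "$OS_PROJECT_DOMAIN_NAME"
+if [ -n "$OS_PROJECT_DOMAIN_NAME" ]; then
+export OS_PROJECT_DOMAIN_NAME
+_saveaccountconf_mutable OS_PROJECT_DOMAIN_NAME "$OS_PROJECT_DOMAIN_NAME"
+else
+unset OS_PROJECT_DOMAIN_NAME
+_clearaccountconf SAVED_OS_PROJECT_DOMAIN_NAME
+fi
+
+_debug "OS_PROJECT_DOMAIN_ID" "$OS_PROJECT_DOMAIN_ID"
+if [ -n "$OS_PROJECT_DOMAIN_ID" ]; then
+export OS_PROJECT_DOMAIN_ID
+_saveaccountconf_mutable OS_PROJECT_DOMAIN_ID "$OS_PROJECT_DOMAIN_ID"
+else
+unset OS_PROJECT_DOMAIN_ID
+_clearaccountconf SAVED_OS_PROJECT_DOMAIN_ID
+fi
+
+if [ "$OS_AUTH_TYPE" = "v3applicationcredential" ]; then
+# Application Credential auth
+if [ -z "$OS_APPLICATION_CREDENTIAL_ID" ] || [ -z "$OS_APPLICATION_CREDENTIAL_SECRET" ]; then
+_err "When using OpenStack application credentials, OS_APPLICATION_CREDENTIAL_ID"
+_err "and OS_APPLICATION_CREDENTIAL_SECRET must be set."
+_err "Please check your credentials and try again."
+return 1
+fi
+else
+# Password auth
+if [ -z "$OS_USERNAME" ] || [ -z "$OS_PASSWORD" ]; then
+_err "OpenStack username or password not found."
+_err "Please check your credentials and try again."
+return 1
+fi
+
+if [ -z "$OS_PROJECT_NAME" ] && [ -z "$OS_PROJECT_ID" ]; then
+_err "When using password authentication, OS_PROJECT_NAME or"
+_err "OS_PROJECT_ID must be set."
+_err "Please check your credentials and try again."
+return 1
+fi
+fi
+
+return 0
+}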
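Review bot: `_dns_openstack_get_root` does not perform the exact match its comment promises: `_startswith "$_zone_name." "$name"` accepts any zone whose name is a prefix of the candidate, so with a zone `example.com.` and a record under `example.com.au` the shorter zone can be selected, and if `_startswith` is acme.sh's grep-based helper the zone name is also interpreted as a regex in which `.` matches any character; `if [ "$_zone_name." = "$name" ]; then` is the intended test. In `_dns_openstack_find_zone` the `if ! _zone_id="$(…)"` guard can never fire, because the helper's pipeline ends in `_head_n 1` and exits 0 whether or not anything matched, so an empty zone id is silently passed to the later `openstack recordset` calls; assign first and then test emptiness, `_zone_id="$(_dns_openstack_get_root "$fulldomain" "$_zone_list")"` followed by `if [ -z "$_zone_id" ]; then`. `_dns_openstack_credentials` is a verbatim copy of `_openstack_credentials` in deploy/openstack.sh, and the twelve-fold save/clear ladder inside it is a natural candidate for one helper that takes the variable name. The header comment also misspells `python-designateclient`.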