William Sellitti
2 years ago
1 changed files with 123 additions and 0 deletions
@ -0,0 +1,123 @@ |
|||
#!/usr/bin/env bash |
|||
|
|||
# Deploy certificates to a proxmox virtual environment node using the API. |
|||
# |
|||
# Environment variables that can be set are: |
|||
# `DEPLOY_PROXMOXVE_SERVER`: The hostname of the proxmox ve node. Defaults to |
|||
# _cdomain. |
|||
# `DEPLOY_PROXMOXVE_SERVER_PORT`: The port number the management interface is on. |
|||
# Defaults to 8006. |
|||
# `DEPLOY_PROXMOXVE_NODE_NAME`: The name of the node we'll be connecting to. |
|||
# Defaults to the host portion of the server |
|||
# domain name. |
|||
# `DEPLOY_PROXMOXVE_USER`: The user we'll connect as. Defaults to root. |
|||
# `DEPLOY_PROXMOXVE_USER_REALM`: The authentication realm the user authenticates |
|||
# with. Defaults to pam. |
|||
# `DEPLOY_PROXMOXVE_API_TOKEN_NAME`: The name of the API token created for the |
|||
# user account. Defaults to acme. |
|||
# `DEPLOY_PROXMOXVE_API_TOKEN_KEY`: The API token. Required. |
|||
|
|||
proxmoxve_deploy(){ |
|||
_cdomain="$1" |
|||
_ckey="$2" |
|||
_ccert="$3" |
|||
_cca="$4" |
|||
_cfullchain="$5" |
|||
|
|||
_debug _cdomain "$_cdomain" |
|||
_debug _ckey "$_ckey" |
|||
_debug _ccert "$_ccert" |
|||
_debug _cca "$_cca" |
|||
_debug _cfullchain "$_cfullchain" |
|||
|
|||
# "Sane" defaults. |
|||
_target_hostname="$_cdomain" |
|||
if [ ! -z "$DEPLOY_PROXMOXVE_SERVER" ];then |
|||
_target_hostname="$DEPLOY_PROXMOXVE_SERVER" |
|||
fi |
|||
|
|||
_target_port="8006" |
|||
if [ ! -z "$DEPLOY_PROXMOXVE_SERVER_PORT" ];then |
|||
_target_port="$DEPLOY_PROXMOXVE_SERVER_PORT" |
|||
fi |
|||
|
|||
if [ ! -z "$DEPLOY_PROXMOXVE_NODE_NAME" ];then |
|||
_node_name="$DEPLOY_PROXMOXVE_NODE_NAME" |
|||
else |
|||
_node_name=$(echo "$_target_hostname"|cut -d. -f1) |
|||
fi |
|||
|
|||
# Complete URL. |
|||
_target_url="https://${_target_hostname}:${_target_port}/api2/json/nodes/${_node_name}/certificates/custom" |
|||
|
|||
# More "sane" defaults. |
|||
_proxmoxve_user="root" |
|||
if [ ! -z "$_proxmoxve_user" ];then |
|||
_proxmoxve_user="$DEPLOY_PROXMOXVE_USER" |
|||
fi |
|||
|
|||
_proxmoxve_user_realm="pam" |
|||
if [ ! -z "$DEPLOY_PROXMOXVE_USER_REALM" ];then |
|||
_proxmoxve_user_realm="$DEPLOY_PROXMOXVE_USER_REALM" |
|||
fi |
|||
|
|||
_proxmoxve_api_token_name="acme" |
|||
if [ ! -z "$DEPLOY_PROXMOXVE_API_TOKEN_NAME" ];then |
|||
_proxmoxve_api_token_name="$DEPLOY_PROXMOXVE_API_TOKEN_NAME" |
|||
fi |
|||
|
|||
# This is required. |
|||
_proxmoxve_api_token_key="$DEPLOY_PROXMOXVE_API_TOKEN_KEY" |
|||
if [ -z "$_proxmoxve_api_token_key" ];then |
|||
_err "API key not provided." |
|||
return 1 |
|||
fi |
|||
|
|||
# PVE API Token header value. Used in "Authorization: PVEAPIToken". |
|||
_proxmoxve_header_api_token="${_proxmoxve_user}@${_proxmoxve_user_realm}!${_proxmoxve_api_token_name}=${_proxmoxve_api_token_key}" |
|||
|
|||
# Generate the data file curl will pass as the data. |
|||
_proxmoxve_temp_data="/tmp/proxmoxve_api/$_cdomain" |
|||
_proxmoxve_temp_data_file="$_proxmoxve_temp_data/body.json" |
|||
# We delete this directory at the end of the script to avoid any conflicts. |
|||
if [ ! -d "$_proxmoxve_temp_data" ];then |
|||
mkdir -p "$_proxmoxve_temp_data" |
|||
# Set to 700 since this file will contain the private key contents. |
|||
chmod 700 "$_proxmoxve_temp_data" |
|||
fi |
|||
# Ugly. I hate putting heredocs inside functions because heredocs don't account |
|||
# for whitespace correctly but it _does_ work and is several times cleaner |
|||
# than anything else I had here. |
|||
# |
|||
# This creates a temporary data file that curl will use as the data being |
|||
# posted to the webserver. |
|||
cat << HEREDOC > "$_proxmoxve_temp_data_file" |
|||
{ |
|||
"certificates": "$(cat $_cfullchain|tr '\n' ':'|sed 's/:/\\n/g')", |
|||
"key": "$(cat $_ckey|tr '\n' ':'|sed 's/:/\\n/g')", |
|||
"node":"$_node_name", |
|||
"restart":"1", |
|||
"force":"1" |
|||
} |
|||
HEREDOC |
|||
|
|||
# Push certificates to server. |
|||
# |
|||
# --insecure is to ignore certificate errors. |
|||
# --fail is to fail the script if the http return code is not 200. |
|||
if curl -X "POST" --header "Content-Type: application/json" \ |
|||
--header "Authorization: PVEAPIToken=${_proxmoxve_header_api_token}" \ |
|||
--data "@${_proxmoxve_temp_data_file}" \ |
|||
--insecure --fail \ |
|||
"${_target_url}" |
|||
then |
|||
_info "Successfully updated certificate for $_cdomain." |
|||
rm -r "$_proxmoxve_temp_data" |
|||
return 0 |
|||
else |
|||
_err "Unable to update certificate for $_cdomain." |
|||
rm -r "$_proxmoxve_temp_data" |
|||
return 1 |
|||
fi |
|||
|
|||
} |
|||
Write
Preview
Loading…
Cancel
Save
Reference in new issue