
Commit dd9a62e

author
Jörg Herzinger
committed
initial commit
0 parents  commit dd9a62e

12 files changed

+450
-0
lines changed

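--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+Gemfile.lock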

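--- a/Gemfile
+++ b/Gemfile
@@ -0,0 +1,3 @@
+source 'https://rcrs.rbinternational.com/artifactory/api/gems/gems/'
+
+gem 'mixlib-shellout', '~> 2.3.2'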
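Review bot: The only gem source on line 1 is an internal Artifactory mirror, so `bundle install` fails for anyone following the README's clone-and-run instructions outside that network, and the README's public `git remote add update https://github.com/...` step makes that audience likely. Point the Gemfile at `source 'https://rubygems.org'` and configure the mirror on the build hosts with `bundle config mirror.https://rubygems.org <internal-mirror-url>`, or document the internal-source requirement in the README. Because `.gitignore` excludes `Gemfile.lock`, the `~> 2.3.2` constraint is the only thing pinning what gets installed on each run; if the periodic regeneration in the Rakefile is intended, a comment here saying so would save the next reader the question.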

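--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -0,0 +1,89 @@
+pipeline {
+agent { label 'master' }
+
+options {
+buildDiscarder(logRotator(numToKeepStr:'20'))
+disableConcurrentBuilds()
+timeout(time: 30, unit: 'MINUTES')
+}
+triggers {
+// pollSCM('H/4 * * * *')
+}
+
+// parameters {
+// string(name: 'workspaces', defaultValue: '', description: 'The workspaces separated by a space to check, plan and apply.')
+// }
+
+stages {
+stage('Init') {
+steps {
+script {
+ansiColor('xterm') {
+sh("rake23 init")
+}
+}
+}
+}
+
+stage('Certbot') {
+steps {
+script {
+try {
+ansiColor('xterm') {
+sh("rake23 certbot:renew")
+}
+} catch(err) {
+currentBuild.result = 'UNSTABLE'
+}
+}
+}
+}
+
+stage('Chef Vault') {
+steps {
+ansiColor('xterm') {
+sh("rake23 chef_vault:upload")
+}
+}
+}
+
+stage('Hashicorp Vault') {
+// when {
+// allOf {
+// branch 'master'
+// expression { return resultSuccess() }
+// }
+// }
+steps {
+ansiColor('xterm') {
+sh("rake23 hashicorp_vault:upload")
+}
+}
+}
+
+stage('Git push') {
+steps {
+ansiColor('xterm') {
+sh("rake23 git:push")
+}
+}
+}
+
+stage('Cleanup') {
+// when {
+// allOf {
+// branch 'master'
+// expression { return resultSuccess() }
+// expression { return approved }
+// }
+// }
+steps {
+script {
+ansiColor('xterm') {
+sh("rake23 cleanup")
+}
+}
+}
+}
+}
+}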
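Review bot: `agent { label 'master' }` on line 2 schedules every stage on the Jenkins controller itself, so the `sh("rake23 …")` steps — and the docker commands those rake tasks issue, which mount the AWS credentials file per `lib/certbot.rb` — run with the controller's filesystem and credential store within reach; a dedicated agent label is the safer default. The 'Hashicorp Vault' stage runs `rake23 hashicorp_vault:upload`, but the Rakefile added in this commit defines no `hashicorp_vault` namespace, so that stage fails as an unknown task as soon as it is reached. The `try`/`catch(err)` around `rake23 certbot:renew` only sets `currentBuild.result = 'UNSTABLE'`, after which 'Chef Vault' and 'Git push' still run and publish whatever is in the workspace; gate those stages with `when { expression { currentBuild.result != 'UNSTABLE' } }`, or re-raise with `error(err.message)` if a failed renewal should stop the pipeline. The commented-out `when` blocks reference `resultSuccess()` and `approved`, neither of which is defined in this file, so a short comment on where they are meant to come from would help whoever re-enables them.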

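--- a/LICENSE
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 ByteSource Technology Consulting GmbH
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.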

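--- a/README.md
+++ b/README.md
@@ -0,0 +1,100 @@
+# Letsencrypt automation wrapper
+
+## Using it
+
+Clone this repository and change the origin to an internal private git repo of your choice. This repo will in the end contain the certificates you register. Make sure adequate permissions are set up!
+
+### Requirements
+
+To run this you need at least:
+
+* Git
+* Docker
+* Ruby (>= 2)
+
+### Config
+
+Create a file called `config.json` alongside the `config.default.json` and fill in the changes you want. An example of all available config settings is given here:
+
+```
+{
+"docker_environment": {
+"https_proxy": "http://proxy.service.com:5678",
+"http_proxy": "http://proxy.service.com:5678",
+"no_proxy": ".service.com"
+},
+"certbot": {
+"docker_image": "docker.local/certbot/dns-route53:v0.22.0",
+"docker_container": "certbot",
+"aws_credentials": "~/.aws/credentials",
+"email": "[email protected]",
+"server": "https://acme-staging-v02.api.letsencrypt.org/directory"
+},
+"chef": {
+"docker_image": "docker.local/chef/chefdk:v2",
+"data_bag": "letsencrypt",
+"admins": ["admin1", "admin2"]
+},
+"backends": [
+"chef_vault"
+],
+"certificates": {
+"_star_.my.domain.com": {
+"domains": ["*.my.domain.com", "my.domain.com"],
+"chef_vault": {
+"clients": ["client1", "client2"],
+"search": "search term"
+}
+},
+"sometest.domain.com": {
+"domains": ["sometest.domain.com", "some-test.domain.com"],
+"hashicorp_vault": {
+"permissions_to_set": "a"
+}
+}
+}
+}
+```
+
+The two public ACME Servers are:
+
+* https://acme-staging-v02.api.letsencrypt.org/directory
+* https://acme-v02.api.letsencrypt.org/directory
+
+### Run manually
+
+To run the tasks manually check out the available rake tasks with `rake -T`. To initialize the project you have to register an account at LetsEncrypt once. To do so run:
+
+```
+rake init
+rake certbot:register
+```
+
+once and commit the changes.
+
+### Running in Jenkins
+
+There is a Jenkinsfile available in this repo which should do everything for you once you are set up.
+
+## Updating
+
+Add this repo as a remote
+
+```
+git remote add update https://github.com/bytesourceoss/letsencrypt-automation.git
+```
+
+And fetch the changes you want
+
+```
+git fetch update master # Fetch changes from master
+git fetch update refs/tags/1.0.0 # Fetch a specific tag
+```
+
+# ToDo
+
+Pretty much everything I guess...
+
+* How to upload only changed certificates
+* Read state from git?
+* Keep state file with changes?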

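--- a/Rakefile
+++ b/Rakefile
@@ -0,0 +1,66 @@
+require 'date'
+sh '/bin/bash lib/init.sh' if !File.exist?('Gemfile.lock') || (Date.today - File.mtime('Gemfile.lock').to_date).to_i > 20
+
+require 'bundler/setup'
+require_relative 'lib/helpers'
+require_relative 'lib/git'
+require_relative 'lib/certbot'
+require_relative 'lib/chef_vault'
+
+Rake.application.options.suppress_backtrace_pattern = %r{/} # Suppress trace when running. Using --trace still works
+
+desc 'Initialize project'
+task :init do
+Helpers.log Certbot.init
+# ChefVault.init if Helpers.config['backends'].key?('chef_vault')
+# HashicorpVault.init if Helpers.config['backends'].key?('hashicorp_vault')
+end
+
+desc 'Displays Help'
+task :help do
+puts 'How to use these rake taks:
+Check the available tasks with rake23 -T.'
+end
+
+namespace :git do
+desc 'Commit and push repository'
+task :push do
+Git.push
+end
+end
+
+namespace :certbot do
+desc 'Register Certbot account'
+task :register do
+Helpers.log Certbot.register
+end
+
+desc 'Run arbitrary certbot command passed as parameter'
+task :run, [:cmd] do |_t, args|
+Helpers.log Certbot.run(args[:cmd])
+end
+
+desc 'Run certbot to obtain or renew certificates'
+task :renew do
+Helpers.config['certificates'].each do |name, props|
+Helpers.log Certbot.renew(name, props['domains'])
+end
+end
+
+desc 'Run certbot to revoke a certificate'
+task :revoke, [:cert] do |_t, args|
+Helpers.log Certbot.revoke(args[:cert])
+end
+end
+
+namespace :chef_vault do
+desc 'Upload all changed certificates as chef vaults'
+task :upload do
+ChefVault.upload
+end
+end
+
+desc 'Cleanup all temporary files, docker containers etc'
+task :cleanup do
+Helpers.log Certbot.cleanup
+end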
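Review bot: Three tasks call methods this commit does not define — `git:push` calls `Git.push` while `lib/git.rb` appears to be added with whitespace-only content, `certbot:revoke` calls `Certbot.revoke`, and `chef_vault:upload` calls `ChefVault.upload`, none of which exist in `lib/certbot.rb` or `lib/chef_vault.rb` — so those tasks, and the Jenkins stages that run them, raise NameError/NoMethodError at runtime. The commented-out lines in `:init` test `Helpers.config['backends'].key?(...)`, but `backends` is an array in `config.default.json`, so re-enabling them as written would fail; `Helpers.config['backends'].include?('chef_vault')` is what matches the data. In `certbot:renew`, `props['domains']` is passed unchecked and `Certbot.renew` calls `.join` on it, so one certificate entry without `domains` aborts the whole loop with a bare NoMethodError; `raise ArgumentError, "certificate #{name} has no domains" unless props['domains']` before the call gives a clearer failure. The help text on line 21 reads `rake taks`.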

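--- a/config.default.json
+++ b/config.default.json
@@ -0,0 +1,21 @@
+{
+"docker_environment": {
+},
+"certbot": {
+"docker_image": "certbot/dns-route53:v0.22.0",
+"docker_container": "certbot",
+"aws_credentials": "~/.aws/credentials",
+"email": "[email protected]",
+"server": "https://acme-staging-v02.api.letsencrypt.org/directory"
+},
+"chef": {
+"docker_image": "chef/chefdk:2",
+"data_bag": "letsencrypt",
+"admins": ["admin1", "admin2"]
+},
+"backends": [
+"chef_vault"
+],
+"certificates": {
+}
+}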

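--- a/lib/certbot.rb
+++ b/lib/certbot.rb
@@ -0,0 +1,33 @@
+require_relative 'helpers'
+
+# Cerbot module
+module Certbot
+extend self
+
+def init
+Helpers.run_command("docker run -itd #{Helpers.environment} --name #{Helpers.config['certbot']['docker_container']} -v `pwd`/etc_letsencrypt:/etc/letsencrypt -v #{Helpers.config['certbot']['aws_credentials']}:/root/.aws/credentials --entrypoint '/bin/sh' #{Helpers.config['certbot']['docker_image']}")
+end
+
+def cleanup
+Helpers.run_command("docker rm -f #{Helpers.config['certbot']['docker_container']}")
+end
+
+def register
+run("register --agree-tos -m #{Helpers.config['certbot']['email']}")
+end
+
+# Renew a certificate if necessary. Parameters are usually ready from the config file
+#
+# @param name [String] The name of the certificate
+#
+# @param domains [Array] The domains for this certificate
+#
+def renew(name, domains)
+Helpers.info_log("Registering/Renewing certificate #{name} for domains #{domains.join(',')}")
+run("certonly --non-interactive --dns-route53 --cert-name #{name} --domains #{domains.join(',')}")
+end
+
+def run(cmd)
+Helpers.run_command("docker exec -i #{Helpers.config['certbot']['docker_container']} certbot --server #{Helpers.config['certbot']['server']} --debug #{cmd}")
+end
+end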
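Review bot: Every config value and task argument in this module is interpolated unquoted into a single shell command string — `docker_container`, `aws_credentials`, `docker_image`, `email` and `server` in `init`/`cleanup`/`register`/`run`, and `name`/`domains` in `renew` — so a value containing whitespace or shell metacharacters (a credentials path with a space, a mistyped server URL) alters the command instead of failing cleanly. Wrapping each interpolated value in `Shellwords.escape` (with `require 'shellwords'` at the top) keeps the string-based `Helpers.run_command` interface intact; `cmd` in `run` stays raw on purpose, since it is a certbot fragment assembled by the sibling methods and by the `certbot:run` task. In `init`, expand the credentials path with `File.expand_path` before escaping, because `config.default.json` ships `~/.aws/credentials` and escaping alone would suppress the shell's tilde expansion; `Dir.pwd` replaces the backtick `pwd` for the same reason. The `renew` docstring should read "usually read from the config file", and the module comment "Cerbot" is missing a letter.
```ruby
  def init
    cfg = Helpers.config['certbot']
    creds = Shellwords.escape(File.expand_path(cfg['aws_credentials']))
    Helpers.run_command("docker run -itd #{Helpers.environment} --name #{Shellwords.escape(cfg['docker_container'])} -v #{Shellwords.escape(Dir.pwd)}/etc_letsencrypt:/etc/letsencrypt -v #{creds}:/root/.aws/credentials --entrypoint '/bin/sh' #{Shellwords.escape(cfg['docker_image'])}")
  end
  # … unchanged: cleanup, register …

  def renew(name, domains)
    Helpers.info_log("Registering/Renewing certificate #{name} for domains #{domains.join(',')}")
    run("certonly --non-interactive --dns-route53 --cert-name #{Shellwords.escape(name)} --domains #{Shellwords.escape(domains.join(','))}")
  end

  def run(cmd)
    container = Shellwords.escape(Helpers.config['certbot']['docker_container'])
    server = Shellwords.escape(Helpers.config['certbot']['server'])
    Helpers.run_command("docker exec -i #{container} certbot --server #{server} --debug #{cmd}")
  end
```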

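--- a/lib/chef_vault.rb
+++ b/lib/chef_vault.rb
@@ -0,0 +1,8 @@
+# Chef Vault module
+module ChefVault
+extend self
+
+def init
+
+end
+end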
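Review bot: `init` on lines 5-7 is an empty method with a blank line for a body, and nothing in the module yet documents what it is meant to set up, so the file reads as a placeholder without saying so. Since the Rakefile's `chef_vault:upload` task is the caller that actually runs in the pipeline, the missing `upload` is better surfaced here than by a NoMethodError: `def upload` / `raise NotImplementedError, 'ChefVault.upload is not implemented yet'` / `end`. A one-line `# TODO:` comment inside `init` naming the intended work (the `chef` section of `config.default.json` suggests data bag and admin setup) would make the stub's intent explicit.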

lib/git.rb

Whitespace-only changes.
