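#!/bin/bash
# Template start script: obtain TLS certificates from a step-ca instance,
# start the application, and keep the certificates renewed for as long as the
# container lives.
# Reads from the environment: MX_STEP_HOST, MX_CONTAINER_NAME, MX_POSTGRES_USER,
# MX_[&REPLACE_UPPER_APP_NAME&]_CERT_DUR, TX_[&REPLACE_UPPER_APP_NAME&]_EXP_CHECK
# and STEPPATH (expected to be provided by the step environment).
#
# NOTE(security): `set -x` echoes every command and expansion to stderr.
# Anything secret must be produced inside a `set +x` subshell (see the
# provisioner password handling further down) so it never lands in the trace.
set -x
. shared_logging.sh
###############################
## ACTION - change _CHANGE_TO_REQUIRED_APP_CERT_DUR_VARIABLE to the required variable
## ACTION - update INST_LOCFILE & CERT_LOCATION
#################################
# Fully-qualified host name; added as an extra SAN to every issued certificate.
HOST_FQDN="$(hostname -f)"
# Marker file whose presence means the application has already been initialised.
INST_LOCFILE="{file or process to check that APP is initialised}"
#MX_CONTAINER_NAME
# Application server certificate: directory and base name (.crt / .key).
CERT_LOCATION="./cert"
CERT_NAME="[&replace_lower_app_name&]"
# PostgreSQL client certificate, named after the DB user it authenticates.
CERT_DB_LOCATION="./.postgresql"
CERT_DB_NAME="${MX_POSTGRES_USER}"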
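check_step_ca () {
  # Wait for step-ca to be reachable and to allow certificates at least as long
  # as this application asks for.
  #   $1 - number of attempts
  #   $2 - seconds to sleep between attempts
  # Side effect: writes the CA root bundle to ./stepCA.pem, which initialise_app
  # reads afterwards.
  # Returns 0 as soon as the CA answers with an acceptable maxTLSCertDuration,
  # 1 once all attempts are used up.
  local attempts="${1}" pause="${2}"
  local i stepca_cdur app_cdur
  for (( i=1; i<=attempts; i++ )); do
    # -f: an HTTP error page must not be saved (and later trusted) as the root
    #     bundle; without it curl exits 0 on a 404.
    # -k: the root is fetched without TLS verification because we do not have a
    #     trust anchor yet (trust-on-first-use) - see the note in initialise_app.
    if curl -sfk "${MX_STEP_HOST}/roots.pem" -o stepCA.pem; then
      # Hours permitted by the first provisioner's claims, e.g. "24h0m0s" -> 24.
      stepca_cdur=$(step ca provisioner list --ca-url="${MX_STEP_HOST}" --root=./stepCA.pem \
        | jq -r '.[0].claims.maxTLSCertDuration | split("h")[0]')
      # Hours this application wants, e.g. "24h" -> 24 (same "up to the h" rule).
      app_cdur="${MX_[&REPLACE_UPPER_APP_NAME&]_CERT_DUR%%h*}"
      # Both values must be integers before comparing: an empty or non-numeric
      # value (garbage stepCA.pem, missing claims, unset duration) would otherwise
      # compare as 0 and wrongly report the CA as ready.
      if [[ "${app_cdur}" =~ ^[0-9]+$ && "${stepca_cdur}" =~ ^[0-9]+$ ]]; then
        if (( app_cdur <= stepca_cdur )); then
          return 0
        fi
        logwarn "Step is available but the max certificate expiry is not set correctly, this app script wants $app_cdur duration. Waiting for step-ca as its currently $stepca_cdur: attempt $i / ${1}"
      else
        logwarn "Could not read a numeric certificate duration (app: '${app_cdur}', step-ca: '${stepca_cdur}'): attempt $i / ${1}"
      fi
    fi
    sleep "${pause}"
  done
  return 1
}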
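issue_certificates () {
  # Issue (or re-issue) both certificates from the bootstrapped CA:
  #   - the application server cert, named after the container, and
  #   - the PostgreSQL client cert, named after the DB user.
  # Both carry HOST_FQDN as an extra SAN and expire after
  # MX_[&REPLACE_UPPER_APP_NAME&]_CERT_DUR. Both issuances are attempted;
  # returns 1 if either of them failed.
  # The provisioner password is produced inside a `set +x` subshell through
  # process substitution, so step receives a /dev/fd path and the secret shows
  # up neither in the command trace nor in the process argument list. The quoted
  # "$(...)" keeps a password containing spaces or glob characters intact.
  local not_after="${MX_[&REPLACE_UPPER_APP_NAME&]_CERT_DUR}"
  local rc=0
  step ca certificate "${MX_CONTAINER_NAME}" \
      "${CERT_LOCATION}/${CERT_NAME}.crt" "${CERT_LOCATION}/${CERT_NAME}.key" \
      --not-after "${not_after}" --san "${MX_CONTAINER_NAME}" --san "${HOST_FQDN}" \
      --provisioner-password-file <(set +x; printf '%s' "$(shared_get_info.sh STEP PW)") || rc=1
  step ca certificate "${CERT_DB_NAME}" \
      "${CERT_DB_LOCATION}/${CERT_DB_NAME}.crt" "${CERT_DB_LOCATION}/${CERT_DB_NAME}.key" \
      --not-after "${not_after}" --san "${CERT_DB_NAME}" --san "${HOST_FQDN}" \
      --provisioner-password-file <(set +x; printf '%s' "$(shared_get_info.sh STEP PW)") || rc=1
  return "${rc}"
}
initialise_app () {
  # First-run setup: trust the CA and issue the initial certificates.
  # Expects ./stepCA.pem as written by check_step_ca.
  # NOTE(security): the fingerprint handed to `step ca bootstrap` is computed
  # from the very file that check_step_ca just downloaded with `curl -k`, so
  # bootstrap only confirms a consistent download (trust-on-first-use). To
  # defeat a first-contact man-in-the-middle the fingerprint would have to come
  # from an out-of-band source rather than from stepCA.pem.
  loginfo "initial setup of application"
  FP="$(step certificate fingerprint stepCA.pem)"
  if [[ -z "${FP}" ]]; then
    # Bootstrapping with an empty fingerprint would fail anyway; say why.
    logerr "cannot fingerprint stepCA.pem - was it fetched from step-ca?"
    return 1
  fi
  step ca bootstrap --ca-url "${MX_STEP_HOST}" --fingerprint "${FP}" || return 1
  issue_certificates
}
renew () {
  # Refresh the certificates. If the app cert still verifies against the
  # bootstrapped root (and matches MX_CONTAINER_NAME) both certs are renewed in
  # place; otherwise (expired, tampered, missing) both pairs are removed and
  # re-issued and the CA root is copied next to the DB client cert.
  loginfo "checking certificate for renewal"
  if step certificate verify "${CERT_LOCATION}/${CERT_NAME}.crt" \
        --roots "${STEPPATH}/certs/root_ca.crt" --host="${MX_CONTAINER_NAME}"; then
    loginfo "renew ${CERT_NAME} certificate"
    step ca renew -f "${CERT_LOCATION}/${CERT_NAME}.crt" "${CERT_LOCATION}/${CERT_NAME}.key"
    step ca renew -f "${CERT_DB_LOCATION}/${CERT_DB_NAME}.crt" "${CERT_DB_LOCATION}/${CERT_DB_NAME}.key"
  else
    logwarn "${CERT_NAME} certificate expired or other error "
    loginfo "recreate ${CERT_NAME} certificate"
    # -f on both pairs: a missing file is not an error on the recreate path.
    rm -f "${CERT_LOCATION}/${CERT_NAME}.crt" "${CERT_LOCATION}/${CERT_NAME}.key"
    rm -f "${CERT_DB_LOCATION}/${CERT_DB_NAME}.crt" "${CERT_DB_LOCATION}/${CERT_DB_NAME}.key"
    issue_certificates
    # NOTE(review): root.crt is only refreshed on this path, not during
    # initialise_app - confirm the DB client obtains it some other way on first run.
    cp -p "${STEPPATH}/certs/root_ca.crt" "${CERT_DB_LOCATION}/root.crt"
  fi
}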
# Hook for writing the application's configuration; currently only logs.
config_file() {
  loginfo "config_file"
}
# Hook for launching the application; currently only logs.
startup() {
  loginfo "startup"
}
# Hook for work that must happen once the application is up; currently only logs.
post_startup_init() {
  loginfo "post start initialisation actions"
}
# Hook for stopping the application; currently only logs.
stopapp() {
  loginfo "stopping "
}
# TERM/INT handler (installed by the trap below): stop the app and exit cleanly.
shutdown_stopapp() {
  stopapp
  exit 0
}
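andcheck () {
  # Renewal loop: every 30 minutes ask step whether the app cert expires within
  # TX_[&REPLACE_UPPER_APP_NAME&]_EXP_CHECK and, if so, run renew. Never returns.
  # The sleep is backgrounded and awaited so that the TERM/INT trap
  # (shutdown_stopapp) runs at once; bash defers traps while a foreground
  # command is running, so a plain `sleep 30m` would delay shutdown by up to 30
  # minutes - longer than most orchestrators wait before sending KILL.
  # NOTE(review): only exit status 0 ("renewal needed") triggers renew; a
  # non-zero status from a missing or unreadable cert is treated as "not yet".
  loginfo "waiting to check certificate"
  while :; do
    if step certificate needs-renewal --expires-in "${TX_[&REPLACE_UPPER_APP_NAME&]_EXP_CHECK}" "${CERT_LOCATION}/${CERT_NAME}.crt"; then
      renew
      loginfo "certificates refreshed "
      # Select method to restart or stop start app to pick up renewed certifiate
      #reload_config
      #pkill -P $$
      #startup
    fi
    sleep 30m &
    wait "$!"
  done
}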
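trap shutdown_stopapp TERM INT
# First run (no marker file): wait for step-ca, bootstrap trust, issue certs,
# start the app. Later runs: renew if step-ca is reachable, start regardless.
# check_step_ca 2 10 = two attempts, ten seconds apart.
# andcheck never returns, so the keep-alive at the bottom is only reached on the
# first-run failure branch.
if [[ ! -f "${INST_LOCFILE}" ]]; then
  if check_step_ca 2 10; then
    loginfo "setup MX_APP"
    initialise_app
    config_file
    startup
    sleep 25
    post_startup_init
    andcheck
  else
    # NOTE(review): nothing is started here yet the container is kept alive
    # below; exiting non-zero instead would let the orchestrator retry.
    logerr "Exiting setup as step ca cant be contacted"
  fi
else
  if check_step_ca 2 10; then
    loginfo "Renew certificate and startup MX_APP"
    renew
    startup
    andcheck
  else
    logerr "Failure to connect to step-ca - cant renew certificates but starting [&REPLACE_UPPER_APP_NAME&] and certificates may cause issues "
    startup
    andcheck
  fi
fi
# Keep the process alive. tail is backgrounded and awaited so the TERM/INT trap
# fires promptly; a foreground tail would hold the trap until tail itself exits.
tail -f /dev/null &
wait "$!"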