3 # OpenStack Barbican deploy hook
# This requires OpenStackClient and python-barbicanclient to be installed.
# You will require Keystone V3 credentials loaded into your environment, which
# could be either password or v3applicationcredential type. Note that this hook
# saves those credentials (including OS_PASSWORD / OS_APPLICATION_CREDENTIAL_SECRET)
# into the acme.sh account config so later runs can reuse them; protect that file
# as you would the credentials themselves, and prefer a scoped application
# credential over a user password.
11 # Author: Andy Botting <andy@andybotting.com>
20 _debug _cdomain
"$_cdomain"
22 _debug _ccert
"$_ccert"
24 _debug _cfullchain
"$_cfullchain"
26 if ! _exists openstack
; then
27 _err
"OpenStack client not found"
31 _openstack_credentials ||
return $?
33 _info
"Generate import pkcs12"
34 _import_pkcs12
="$(_mktemp)"
35 if ! _openstack_to_pkcs
"$_import_pkcs12" "$_ckey" "$_ccert" "$_cca"; then
36 _err
"Error creating pkcs12 certificate"
39 _debug _import_pkcs12
"$_import_pkcs12"
40 _base64_pkcs12
=$
(_base64
"multiline" <"$_import_pkcs12")
42 secretHrefs
=$
(_openstack_get_secrets
)
43 _debug secretHrefs
"$secretHrefs"
44 _openstack_store_secret ||
return $?
46 if [ -n "$secretHrefs" ]; then
47 _info
"Cleaning up existing secret"
48 _openstack_delete_secrets ||
return $?
51 _info
"Certificate successfully deployed"
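# Upload the base64-encoded PKCS#12 bundle held in $_base64_pkcs12 to Barbican
# as a new secret named "<domain>." (the trailing dot matches the name used by
# the lookup in _openstack_get_secrets).
#
# Globals read: _cdomain, _base64_pkcs12
# Returns: 0 when the secret was stored, 1 otherwise.
#
# Security note: the payload contains the private key, and the PKCS#12 bundle
# was exported with an empty password (see _openstack_to_pkcs). It is passed on
# the command line, so it is visible to other local users through ps(1) and
# /proc/<pid>/cmdline for as long as the client process runs. Run this hook
# only on hosts that are not shared with untrusted users.
_openstack_store_secret() {
  if ! openstack secret store \
    --name "$_cdomain." \
    -t 'application/octet-stream' \
    -e base64 \
    --payload "$_base64_pkcs12"; then
    _err "Failed to create OpenStack secret"
    return 1
  fi
  return 0
}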
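# Delete every secret href listed (one per line) in $secretHrefs, i.e. the
# secrets that already existed for this domain before the new one was stored.
#
# Globals read: secretHrefs
# Returns: 0 when every listed secret was deleted (or the list was empty),
#   1 at the first deletion that fails.
#
# The loop reads the list from a here-document instead of `echo | while`: a
# pipeline would run the loop in a subshell, where `return` only ends that
# subshell and the function's own exit status would not reflect the failure.
_openstack_delete_secrets() {
  while read -r _secret_href; do
    # skip blank lines (empty list, or the newline the here-document adds)
    [ -n "$_secret_href" ] || continue
    _info "Deleting old secret $_secret_href"
    # stdin of the loop is the href list; keep the client from consuming it
    if ! openstack secret delete "$_secret_href" </dev/null; then
      _err "Failed to delete OpenStack secret"
      return 1
    fi
  done <<EOF
$secretHrefs
EOF
  return 0
}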
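# List the hrefs of the Barbican secrets already stored for this domain
# (name "<domain>."), one per line: assigned to the global secretHrefs and also
# written to stdout for callers that command-substitute the result.
#
# Globals read: _cdomain
# Globals written: secretHrefs
# Returns: 0 on success (the list may be empty), 1 when the listing fails.
#
# The client call is checked on its own before its output goes through cut:
# in `x=$(openstack ... | cut ...)` the status is cut's, so an authentication
# or API failure would be masked as "no secrets" and stale secrets would
# silently never be cleaned up.
_openstack_get_secrets() {
  if ! _secret_rows=$(openstack secret list -f value --name "$_cdomain."); then
    _err "Failed to list secrets"
    return 1
  fi
  # with -f value each row is space separated and the href is the first column
  secretHrefs=$(printf '%s\n' "$_secret_rows" | cut -d' ' -f1)
  printf '%s\n' "$secretHrefs"
  return 0
}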
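# Bundle key, certificate and CA chain into a PKCS#12 file for import into
# Barbican.
#
# Arguments:
#   $1 - output path for the PKCS#12 file
#   $2 - private key (PEM)
#   $3 - certificate (PEM)
#   $4 - CA / issuer chain (PEM)
# Returns: the exit status of the openssl invocation.
#
# acme.sh's own _toPkcs rejects an empty password (its -z test), so the call is
# duplicated here with "pass:" to force one. The consequence is that the
# private key in the output file is protected by nothing but file permissions:
# keep it in a private temp location. NOTE(review): nothing here removes the
# file after use; the caller is expected to do so once it has been uploaded --
# confirm it does.
_openstack_to_pkcs() {
  _cpfx="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"

  # ACME_OPENSSL_BIN is left unquoted so a value carrying its own arguments
  # still works.
  ${ACME_OPENSSL_BIN:-openssl} pkcs12 -export \
    -out "$_cpfx" \
    -inkey "$_ckey" \
    -in "$_ccert" \
    -certfile "$_cca" \
    -password "pass:"
}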
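# Resolve, validate and persist the OpenStack credentials used by the
# openstack CLI.
#
# Source of the values: when OS_AUTH_URL is already in the environment the
# environment is taken as authoritative; otherwise each OS_* variable below is
# filled from the acme.sh account config, where a previous run stored it.
# Afterwards every variable is either exported and saved, or unset and cleared
# from the account config, so stale values do not survive a switch between
# password and application-credential auth.
#
# Globals read/written (exported to the CLI when set): OS_AUTH_URL,
#   OS_IDENTITY_API_VERSION, OS_AUTH_TYPE, OS_APPLICATION_CREDENTIAL_ID,
#   OS_APPLICATION_CREDENTIAL_SECRET, OS_USERNAME, OS_PASSWORD,
#   OS_PROJECT_NAME, OS_PROJECT_ID, OS_USER_DOMAIN_NAME, OS_USER_DOMAIN_ID,
#   OS_PROJECT_DOMAIN_NAME, OS_PROJECT_DOMAIN_ID
# Returns: 0 when the variables required by the selected auth type are set,
#   1 otherwise (the missing ones are reported through _err).
#
# Security note: OS_PASSWORD and OS_APPLICATION_CREDENTIAL_SECRET are persisted
# in the account config like every other variable here, so that file is as
# sensitive as the credentials themselves. A scoped application credential
# (OS_AUTH_TYPE=v3applicationcredential) limited to Barbican exposes less than a
# user password if that file leaks.
_openstack_credentials() {
  _debug "Check OpenStack credentials"

  # Fixed list of variable names. The helpers below expand them with eval,
  # which is acceptable only because the names are constants in this script,
  # never user input.
  _os_cred_vars="OS_AUTH_URL OS_IDENTITY_API_VERSION OS_AUTH_TYPE
    OS_APPLICATION_CREDENTIAL_ID OS_APPLICATION_CREDENTIAL_SECRET
    OS_USERNAME OS_PASSWORD OS_PROJECT_NAME OS_PROJECT_ID
    OS_USER_DOMAIN_NAME OS_USER_DOMAIN_ID
    OS_PROJECT_DOMAIN_NAME OS_PROJECT_DOMAIN_ID"

  if [ -n "$OS_AUTH_URL" ]; then
    _debug "OS_AUTH_URL env var found, using environment"
  else
    _debug "OS_AUTH_URL not found, loading stored credentials"
    for _os_cred_var in $_os_cred_vars; do
      _openstack_load_var "$_os_cred_var"
    done
  fi

  # Save what is set, clear what is not, so switching auth methods does not
  # leave the previous method's values behind.
  for _os_cred_var in $_os_cred_vars; do
    _openstack_sync_var "$_os_cred_var"
  done

  if [ "$OS_AUTH_TYPE" = "v3applicationcredential" ]; then
    # Application credential auth needs the id/secret pair.
    if [ -z "$OS_APPLICATION_CREDENTIAL_ID" ] || [ -z "$OS_APPLICATION_CREDENTIAL_SECRET" ]; then
      _err "When using OpenStack application credentials, OS_APPLICATION_CREDENTIAL_ID"
      _err "and OS_APPLICATION_CREDENTIAL_SECRET must be set."
      _err "Please check your credentials and try again."
      return 1
    fi
  else
    # Password auth needs a user/password and a project to scope to.
    if [ -z "$OS_USERNAME" ] || [ -z "$OS_PASSWORD" ]; then
      _err "OpenStack username or password not found."
      _err "Please check your credentials and try again."
      return 1
    fi
    if [ -z "$OS_PROJECT_NAME" ] && [ -z "$OS_PROJECT_ID" ]; then
      _err "When using password authentication, OS_PROJECT_NAME or"
      _err "OS_PROJECT_ID must be set."
      _err "Please check your credentials and try again."
      return 1
    fi
  fi

  return 0
}

# Fill the variable named $1 from the acme.sh account config when it is unset
# or empty; a value that is already present is left untouched.
_openstack_load_var() {
  eval "_os_cur_val=\"\$$1\""
  if [ -z "$_os_cur_val" ]; then
    _os_cur_val=$(_readaccountconf_mutable "$1")
    eval "$1=\"\$_os_cur_val\""
  fi
}

# Export and save the variable named $1 when it has a value; otherwise unset
# it and remove its stored copy. The two secrets go through _secure_debug
# rather than _debug, as the per-variable code did before.
_openstack_sync_var() {
  eval "_os_cur_val=\"\$$1\""
  case "$1" in
    OS_PASSWORD | OS_APPLICATION_CREDENTIAL_SECRET)
      _secure_debug "$1" "$_os_cur_val"
      ;;
    *)
      _debug "$1" "$_os_cur_val"
      ;;
  esac
  if [ -n "$_os_cur_val" ]; then
    export "$1"
    _saveaccountconf_mutable "$1" "$_os_cur_val"
  else
    unset "$1"
    _clearaccountconf "SAVED_$1"
  fi
}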