add a command svcmgr implementation allowing for freeform actions upon renewal
#43
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ferringb
changed the title
command svcmgr implementation allowing for freeform actions upon renewalcommand svcmgr implementation allowing for freeform actions upon renewal, add openrc support
ferringb
changed the title
command svcmgr implementation allowing for freeform actions upon renewal, add openrc supportcommand svcmgr implementation allowing for freeform actions upon renewal
added 2 commits
April 25, 2018 10:57
Specifically, re-add encapsulation for action validity checks, and collapse all existing implentations down into just abusing a shim template for this.
If a cert specifies 'service_manager' setting as 'command', then action is passed to /bin/bash -c (or /bin/sh if bash can't be found). This allows custom actions to be taken- things beyond just init scripts. Note that there are multiple CERTMGR_* variables exposed to the shell code invoked; this is to allow for the target to decide what to do when these things change.
kisom
approved these changes
Apr 25, 2018
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Not all certificates are managed for services- there are scenarios where it's desirable to invoke some freeform shell when a cert renewals. Simple example for kubernetes static pods- touching the manifest definition to trigger a reload of the pod. While a systemd oneshot unit could be written, that's a pain in the ass and cumbersome for what is at it's core a literal
touch somepath.To support this new svcmgr the existing implementations had to be refactored a fair bit; they were collapsed into one stub implementation specifically.
Finally, the command svcmgr also exposes various CERTMGR_* environment variables to the shell code it's executing- this is intended to allow for whatever is being invoked to have enough information to be able to make decisions on it's own.