From 5e042615222415c38e3bd77c84837c133fe81c28 Mon Sep 17 00:00:00 2001
From: Humenius
Date: Wed, 27 May 2020 09:46:59 +0200
Subject: [PATCH 1/6] Add environment variable CSV parsing for DOMAIN
---
run.sh | 98 +++++++++++++++++++++++++++++++++++++++-------------------
1 file changed, 66 insertions(+), 32 deletions(-)
diff --git a/run.sh b/run.sh
index 934b419..3534731 100755
--- a/run.sh
+++ b/run.sh
@@ -12,40 +12,63 @@ dump() { rm -rf $WORKDIR/* log "Dumping certificates" - traefik-certs-dumper file --version v2 --crt-name "cert" --crt-ext ".pem" --key-name "key" --key-ext ".pem" --domain-subdir --dest /tmp/work --source /traefik/acme.json >/dev/null - - if - [[ -f /tmp/work/${DOMAIN}/cert.pem && -f /tmp/work/${DOMAIN}/key.pem && -f /output/cert.pem && -f /output/key.pem ]] && \ - diff -q ${WORKDIR}/${DOMAIN}/cert.pem /output/cert.pem >/dev/null && \ - diff -q ${WORKDIR}/${DOMAIN}/key.pem /output/key.pem >/dev/null - then - log "Certificate and key still up to date, doing nothing" - else - log "Certificate or key differ, updating" - mv ${WORKDIR}/${DOMAIN}/*.pem /output/ - - if [[ ! -z "${OVERRIDE_UID}" && ! -z "${OVERRIDE_GID}" ]]; then - if [[ ! "${OVERRIDE_UID}" =~ $re || ! "${OVERRIDE_GID}" =~ $re ]]; then - #Check on UID - if [[ ! "${OVERRIDE_UID}" =~ $re ]]; then - log "OVERRIDE_UID=${OVERRIDE_UID} is not an integer." - fi - #Check on GID - if [[ ! "${OVERRIDE_GID}" =~ $re ]]; then - log "OVERRIDE_GID=${OVERRIDE_GID} is not an integer." - fi - log "Combination ${OVERRIDE_UID}:${OVERRIDE_GID} is invalid. Skipping file ownership change..." 
+ traefik-certs-dumper file \ + --version v2 \ + --crt-name "cert" \ + --crt-ext ".pem" \ + --key-name "key" \ + --key-ext ".pem" \ + --domain-subdir \ + --dest /tmp/work \ + --source /traefik/acme.json >/dev/null + + if [ "${DOMAINS#}" -gt 1 ]; then + for i in "${DOMAINS[@]}" ; do + if + [[ -f /tmp/work/${i}/cert.pem && -f /tmp/work/${i}/key.pem && -f /output/${i}/cert.pem && -f /output/${i}/key.pem ]] && \ + diff -q ${WORKDIR}/${i}/cert.pem /output/cert.pem >/dev/null && \ + diff -q ${WORKDIR}/${i}/key.pem /output/key.pem >/dev/null + then + log "Certificate and key for '${i}' still up to date, doing nothing" else - log "Changing ownership of certificate and key" - chown "${OVERRIDE_UID}":"${OVERRIDE_GID}" /output/*.pem + log "Certificate or key for '${i}' differ, updating" + mv ${WORKDIR}/${i}/*.pem /output/ fi + done + else + if + [[ -f /tmp/work/${DOMAIN}/cert.pem && -f /tmp/work/${DOMAIN}/key.pem && -f /output/cert.pem && -f /output/key.pem ]] && \ + diff -q ${WORKDIR}/${DOMAIN}/cert.pem /output/cert.pem >/dev/null && \ + diff -q ${WORKDIR}/${DOMAIN}/key.pem /output/key.pem >/dev/null + then + log "Certificate and key for '${DOMAIN}' still up to date, doing nothing" + else + log "Certificate or key for '${DOMAIN}' differ, updating" + mv ${WORKDIR}/${DOMAIN}/*.pem /output/ fi + fi - if [ ! -z "${CONTAINERS#}" ]; then - log "Trying to restart containers" - restart_containers + if [[ ! -z "${OVERRIDE_UID}" && ! -z "${OVERRIDE_GID}" ]]; then + if [[ ! "${OVERRIDE_UID}" =~ $re || ! "${OVERRIDE_GID}" =~ $re ]]; then + #Check on UID + if [[ ! "${OVERRIDE_UID}" =~ $re ]]; then + log "OVERRIDE_UID=${OVERRIDE_UID} is not an integer." + fi + #Check on GID + if [[ ! "${OVERRIDE_GID}" =~ $re ]]; then + log "OVERRIDE_GID=${OVERRIDE_GID} is not an integer." + fi + log "Combination ${OVERRIDE_UID}:${OVERRIDE_GID} is invalid. Skipping file ownership change..." 
+ else + log "Changing ownership of certificates and keys" + find /output/ -type f -name "*.pem" | xargs -0 chown "${OVERRIDE_UID}":"${OVERRIDE_GID}" fi fi + + if [ ! -z "${CONTAINERS#}" ]; then + log "Trying to restart containers" + restart_containers + fi } restart_containers() { @@ -101,12 +124,16 @@ begins_with_short_option() { } _arg_restart_containers= +CONTAINERS= +DOMAINS= print_help() { printf '%s\n' "traefik-certs-dumper bash script by Humenius " printf 'Usage: %s [-r|--restart-containers ] [-h|--help]\n' "$0" printf '\t%s\n' "-r, --restart-containers: Restart containers passed as comma-separated container names (no default)" printf '\t%s\n' "-h, --help: Prints help" + printf 'Environment variables:\n' + printf '\t%s\n' "DOMAIN: Domains whose certificates will be extracted" } parse_commandline() { @@ -141,8 +168,8 @@ parse_commandline() { } split_list() { - IFS=',' read -ra CONTAINERS <<<"$1" - log "Values split! Got '${CONTAINERS[@]}'" + IFS=',' read -ra "$2" <<< "$1" + log "Values split! Got '${$2[@]}'" } ############################################### @@ -150,10 +177,17 @@ split_list() { parse_commandline "$@" if [ -z "${_arg_restart_containers}" ]; then - log "--restart-containers is empty. Won't restart containers." + log "--restart-containers is empty. Won't attempt to restart containers." else log "Got value of --restart-containers: ${_arg_restart_containers}. Splitting values." - split_list "${_arg_restart_containers}" + split_list "${_arg_restart_containers}" CONTAINERS +fi + +if [ -z "${DOMAIN}" ]; then + die "Environment variable 'DOMAIN' mustn't be empty. Exiting..." 1 +else + log "Got value of 'DOMAIN': ${DOMAIN}. Splitting values." + split_list "${DOMAIN}" DOMAINS fi mkdir -p ${WORKDIR} From ac5b53e40a101b413dbf583bc80aa58a9553e2ff Mon Sep 17 00:00:00 2001 
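Review bot: The ownership change and the `restart_containers` call now sit after the domain `if`/`else` at the end of `dump()`, so they run on every call, even when every domain logged "still up to date"; in the removed code both were inside the "differ, updating" branch. `dump` is followed by a `while true` loop in a later hunk (its body is not shown), so the listed containers would presumably be restarted on each pass although no certificate changed. A flag restores the old behaviour: `local changed=0` at the top of `dump()`, `changed=1` beside each `mv`, and `if [ "$changed" -eq 1 ]; then … fi` around the ownership and restart blocks. The start of `dump()` lies outside this hunk.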
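Review bot: Each comma-separated `DOMAIN` entry is later used as a path component in `dump()` (`${WORKDIR}/${i}/…`, `/output/${i}/…`) with no check after the split, so an empty entry, `..`, or one containing `/` resolves outside the per-domain directories, and `a.com, b.com` keeps its leading space, which the unquoted `mv`/`diff` arguments then word-split. `DOMAIN` is operator-supplied, so this is hardening rather than an exposed input, but a key-handling script should fail closed on it. A guard per element right after the split covers it: `case "$d" in ''|.|..|*/*|*[[:space:]]*) die "Invalid DOMAIN entry '${d}'" 1 ;; esac`. Patch 2/6 inlines the same split and has the same gap.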
From: Humenius Date: Wed, 27 May 2020 10:24:59 +0200 Subject: [PATCH 2/6] #5: Remove split_list() due to usage of two separate arrays --- run.sh | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/run.sh b/run.sh index 3534731..31c2c93 100755 --- a/run.sh +++ b/run.sh @@ -1,4 +1,5 @@ #!/bin/bash +set -e WORKDIR=/tmp/work/ re='^[0-9]+$' @@ -167,11 +168,6 @@ parse_commandline() { done } -split_list() { - IFS=',' read -ra "$2" <<< "$1" - log "Values split! Got '${$2[@]}'" -} - ############################################### parse_commandline "$@" @@ -180,14 +176,16 @@ if [ -z "${_arg_restart_containers}" ]; then log "--restart-containers is empty. Won't attempt to restart containers." else log "Got value of --restart-containers: ${_arg_restart_containers}. Splitting values." - split_list "${_arg_restart_containers}" CONTAINERS + IFS=',' read -ra CONTAINERS <<< "$_arg_restart_containers" + log "Values split! Got '${CONTAINERS[@]}'" fi if [ -z "${DOMAIN}" ]; then - die "Environment variable 'DOMAIN' mustn't be empty. Exiting..." 1 + die "Environment variable DOMAIN mustn't be empty. Exiting..." 1 else - log "Got value of 'DOMAIN': ${DOMAIN}. Splitting values." - split_list "${DOMAIN}" DOMAINS + log "Got value of DOMAIN: ${DOMAIN}. Splitting values." + IFS=',' read -ra DOMAINS <<< "$DOMAIN" + log "Values split! Got '${DOMAINS[@]}'" fi mkdir -p ${WORKDIR} From 9fa16e7c4ee5830fff11042345854ca370cb75fd Mon Sep 17 00:00:00 2001 From: Humenius Date: Wed, 27 May 2020 10:38:00 +0200 Subject: [PATCH 3/6] #5: Fix domain array count check and attempt to fix pipe "find" into "xargs chown" --- run.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/run.sh b/run.sh index 31c2c93..63aa62f 100755 --- a/run.sh +++ b/run.sh 
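Review bot: With `set -e` added at the top, any unguarded failure inside `dump()` now ends the whole script, watch loop included, and not just that pass. The `mv ${WORKDIR}/${DOMAIN}/*.pem /output/` in the update branch returns non-zero when the glob matches nothing (presumably the case for a domain that is not in `acme.json`), and a failing `traefik-certs-dumper` call is not checked either. If exiting is intended, a comment beside `set -e` should say so, e.g. `# abort on any failed step; the container restart policy brings the dumper back`; otherwise guard the step with `mv … || log "No certificate dumped for '${DOMAIN}'"`.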
@@ -23,12 +23,12 @@ dump() { --dest /tmp/work \ --source /traefik/acme.json >/dev/null - if [ "${DOMAINS#}" -gt 1 ]; then + if [ "${#DOMAINS[@]}" -gt 1 ]; then for i in "${DOMAINS[@]}" ; do if [[ -f /tmp/work/${i}/cert.pem && -f /tmp/work/${i}/key.pem && -f /output/${i}/cert.pem && -f /output/${i}/key.pem ]] && \ - diff -q ${WORKDIR}/${i}/cert.pem /output/cert.pem >/dev/null && \ - diff -q ${WORKDIR}/${i}/key.pem /output/key.pem >/dev/null + diff -q ${WORKDIR}/${i}/cert.pem /output/{$i}/cert.pem >/dev/null && \ + diff -q ${WORKDIR}/${i}/key.pem /output/{$i}/key.pem >/dev/null then log "Certificate and key for '${i}' still up to date, doing nothing" else @@ -62,7 +62,7 @@ dump() { log "Combination ${OVERRIDE_UID}:${OVERRIDE_GID} is invalid. Skipping file ownership change..." else log "Changing ownership of certificates and keys" - find /output/ -type f -name "*.pem" | xargs -0 chown "${OVERRIDE_UID}":"${OVERRIDE_GID}" + find /output/ -type f -name "*.pem" -print0 | xargs chown "${OVERRIDE_UID}":"${OVERRIDE_GID}" fi fi From 0b19643c400a7361fa0b1be156884190891d0da9 Mon Sep 17 00:00:00 2001 From: Humenius Date: Wed, 27 May 2020 10:48:12 +0200 Subject: [PATCH 4/6] #5: Fix paths in dumping step --- run.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/run.sh b/run.sh index 63aa62f..4ddadcd 100755 --- a/run.sh +++ b/run.sh @@ -1,7 +1,7 @@ #!/bin/bash set -e -WORKDIR=/tmp/work/ +WORKDIR=/tmp/work re='^[0-9]+$' ############################################### @@ -10,7 +10,7 @@ re='^[0-9]+$' dump() { log "Clearing dumping directory" - rm -rf $WORKDIR/* + rm -rf ${WORKDIR}/* log "Dumping certificates" traefik-certs-dumper file \ 
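Review bot: `/output/{$i}/cert.pem` and `/output/{$i}/key.pem` in the two new `diff -q` lines have the brace and the dollar sign swapped, so the shell expands them to a literal `/output/{<domain>}/…` path that the preceding `-f /output/${i}/…` tests never checked. `diff` then fails on a missing file, the condition is false, and every pass takes the "differ, updating" branch. The lines should read `diff -q "${WORKDIR}/${i}/cert.pem" "/output/${i}/cert.pem" >/dev/null` and the same for `key.pem`. The same `{$i}` is carried unchanged through the `dump()` hunks of patches 4/6 and 5/6.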
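Review bot: `find … -print0 | xargs chown …` still mismatches the two ends of the pipe: `find` now emits NUL-terminated names, but `xargs` without `-0` does not split on NUL, so the file names do not reach `chown` as separate arguments (patch 1/6 had the reverse, `-0` without `-print0`). Certificates and private keys may therefore keep their original owner despite the "Changing ownership" log line. Dropping the pipe avoids the problem: `find /output/ -type f -name '*.pem' -exec chown "${OVERRIDE_UID}:${OVERRIDE_GID}" {} +`. The line is carried into patch 5/6 with only the path changed.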
@@ -26,19 +26,19 @@ dump() { if [ "${#DOMAINS[@]}" -gt 1 ]; then for i in "${DOMAINS[@]}" ; do if - [[ -f /tmp/work/${i}/cert.pem && -f /tmp/work/${i}/key.pem && -f /output/${i}/cert.pem && -f /output/${i}/key.pem ]] && \ + [[ -f ${WORKDIR}/${i}/cert.pem && -f ${WORKDIR}/${i}/key.pem && -f /output/${i}/cert.pem && -f /output/${i}/key.pem ]] && \ diff -q ${WORKDIR}/${i}/cert.pem /output/{$i}/cert.pem >/dev/null && \ diff -q ${WORKDIR}/${i}/key.pem /output/{$i}/key.pem >/dev/null then log "Certificate and key for '${i}' still up to date, doing nothing" else log "Certificate or key for '${i}' differ, updating" - mv ${WORKDIR}/${i}/*.pem /output/ + mv ${WORKDIR}/${i}/*.pem /output/${i} fi done else if - [[ -f /tmp/work/${DOMAIN}/cert.pem && -f /tmp/work/${DOMAIN}/key.pem && -f /output/cert.pem && -f /output/key.pem ]] && \ + [[ -f ${WORKDIR}/${DOMAIN}/cert.pem && -f ${WORKDIR}/${DOMAIN}/key.pem && -f /output/cert.pem && -f /output/key.pem ]] && \ diff -q ${WORKDIR}/${DOMAIN}/cert.pem /output/cert.pem >/dev/null && \ diff -q ${WORKDIR}/${DOMAIN}/key.pem /output/key.pem >/dev/null then From 6ff527ae53d1a7b8bfe14e3ff7423ca3df73e6e6 Mon Sep 17 00:00:00 2001 From: Humenius Date: Wed, 27 May 2020 10:54:08 +0200 Subject: [PATCH 5/6] #5: Create subfolders if they don't exist --- run.sh | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/run.sh b/run.sh index 4ddadcd..43a4dc6 100755 --- a/run.sh +++ b/run.sh @@ -1,7 +1,8 @@ #!/bin/bash set -e -WORKDIR=/tmp/work +workdir=/tmp/work +outputdir=/output re='^[0-9]+$' ############################################### @@ -10,7 +11,7 @@ re='^[0-9]+$' dump() { log "Clearing dumping directory" - rm -rf ${WORKDIR}/* + rm -rf ${workdir}/* log "Dumping certificates" traefik-certs-dumper file \ 
@@ -26,26 +27,29 @@ dump() { if [ "${#DOMAINS[@]}" -gt 1 ]; then for i in "${DOMAINS[@]}" ; do if - [[ -f ${WORKDIR}/${i}/cert.pem && -f ${WORKDIR}/${i}/key.pem && -f /output/${i}/cert.pem && -f /output/${i}/key.pem ]] && \ - diff -q ${WORKDIR}/${i}/cert.pem /output/{$i}/cert.pem >/dev/null && \ - diff -q ${WORKDIR}/${i}/key.pem /output/{$i}/key.pem >/dev/null + [[ -f ${workdir}/${i}/cert.pem && -f ${workdir}/${i}/key.pem && -f ${outputdir}/${i}/cert.pem && -f ${outputdir}/${i}/key.pem ]] && \ + diff -q ${workdir}/${i}/cert.pem ${outputdir}/{$i}/cert.pem >/dev/null && \ + diff -q ${workdir}/${i}/key.pem ${outputdir}/{$i}/key.pem >/dev/null then log "Certificate and key for '${i}' still up to date, doing nothing" else log "Certificate or key for '${i}' differ, updating" - mv ${WORKDIR}/${i}/*.pem /output/${i} + local dir=${outputdir}/${i} + [ -a "$dir" ] || \ + mkdir -p $dir && \ + mv ${workdir}/${i}/*.pem $dir fi done else if - [[ -f ${WORKDIR}/${DOMAIN}/cert.pem && -f ${WORKDIR}/${DOMAIN}/key.pem && -f /output/cert.pem && -f /output/key.pem ]] && \ - diff -q ${WORKDIR}/${DOMAIN}/cert.pem /output/cert.pem >/dev/null && \ - diff -q ${WORKDIR}/${DOMAIN}/key.pem /output/key.pem >/dev/null + [[ -f ${workdir}/${DOMAIN}/cert.pem && -f ${workdir}/${DOMAIN}/key.pem && -f ${outputdir}/cert.pem && -f ${outputdir}/key.pem ]] && \ + diff -q ${workdir}/${DOMAIN}/cert.pem ${outputdir}/cert.pem >/dev/null && \ + diff -q ${workdir}/${DOMAIN}/key.pem ${outputdir}/key.pem >/dev/null then log "Certificate and key for '${DOMAIN}' still up to date, doing nothing" else log "Certificate or key for '${DOMAIN}' differ, updating" - mv ${WORKDIR}/${DOMAIN}/*.pem /output/ + mv ${workdir}/${DOMAIN}/*.pem ${outputdir}/ fi fi 
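Review bot: In the new update branch, `[ -a "$dir" ] || mkdir -p $dir && mv ${workdir}/${i}/*.pem $dir` leaves `$dir` and the `mv` arguments unquoted, and `[ -a … ]` is also true when `$dir` exists as a regular file, in which case `mv` with two sources fails. `mkdir -p` already succeeds on an existing directory, so the test can go: `mkdir -p -- "$dir"` followed by `mv -- "${workdir}/${i}"/*.pem "$dir"/`. The script sets no mode on the new directory or on `key.pem`; presumably it relies on what the dumper wrote, which is worth confirming for a private key. The loop belongs to `dump()`, which starts and ends outside this hunk.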
@@ -62,7 +66,7 @@ dump() { log "Combination ${OVERRIDE_UID}:${OVERRIDE_GID} is invalid. Skipping file ownership change..." else log "Changing ownership of certificates and keys" - find /output/ -type f -name "*.pem" -print0 | xargs chown "${OVERRIDE_UID}":"${OVERRIDE_GID}" + find ${outputdir}/ -type f -name "*.pem" -print0 | xargs chown "${OVERRIDE_UID}":"${OVERRIDE_GID}" fi fi @@ -188,7 +192,7 @@ else log "Values split! Got '${DOMAINS[@]}'" fi -mkdir -p ${WORKDIR} +mkdir -p ${workdir} dump while true; do From c25dd8b8b821a0d262ba1ef0270713660bdb5934 Mon Sep 17 00:00:00 2001 From: Humenius Date: Wed, 27 May 2020 10:58:38 +0200 Subject: [PATCH 6/6] #5: Update README.md to explain usage of multiple domains dumping --- README.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/README.md b/README.md index 4bee180..fa72c4f 100644 --- a/README.md +++ b/README.md @@ -67,5 +67,26 @@ services: - OVERRIDE_GID=1000 ``` +### Extract multiple domains +This Docker image is able to extract multiple domains as well. +Use environment variable `DOMAIN` and add you domains as a comma-separated list. +After certificate dumping, the certificates can be found in the domains' subdirectories respectively. +(`/output/DOMAIN[i]/...`) +If you specify a single domain, the output folder remains the same as in previous versions (< v1.3 - `/output`). +```yaml +version: '3.7' + +services: + certdumper: + image: humenius/traefik-certs-dumper:latest + container_name: traefik_certdumper + volumes: + - ./traefik/acme:/traefik:ro + - ./output:/output:rw + - /var/run/docker.sock:/var/run/docker.sock:ro + environment: + DOMAIN: example.com,example.org,example.net,hello.example.in +``` + ## Help! If you need help using this image, have suggestions or want to report a problem, feel free to open an issue on GitHub!