Rework letsencrypt

This patch is adding "API layer" to letsencrypt
images which is represented by set of scripts inside.

This scripts are called by kolla-ansible orchestration.

Change-Id: I61b70fb4e12ba03b96e79004e735d2ead0f52319

docker/haproxy/haproxy-ssh/Dockerfile.j2

@@ -13,6 +13,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
     {% set haproxy_ssh_packages = [
         'openssh-server',
         'openssh-clients',
+        'rsync',
     ] %}
 
 # NOTE(mgoddard): The centos:8 image contains a /run/nologin file, which
@@ -23,6 +24,7 @@ RUN rm -f /run/nologin
     {% set haproxy_ssh_packages = [
         'openssh-server',
         'openssh-client',
+        'rsync',
     ] %}
 
 RUN mkdir -p /var/run/sshd \
@@ -36,5 +38,7 @@ COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN chmod 644 /usr/local/bin/kolla_extend_start \
     && sed -ri 's/session(\s+)required(\s+)pam_loginuid.so/session\1optional\2pam_loginuid.so/' /etc/pam.d/sshd
 
+COPY update-haproxy-cert.sh /usr/bin/update-haproxy-cert
+
 {% block haproxy_ssh_footer %}{% endblock %}
 {% block footer %}{% endblock %}

docker/haproxy/haproxy-ssh/extend_start.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-SSH_HOST_KEY_TYPES=( "ecdsa" )
+SSH_HOST_KEY_TYPES=( "rsa" "dsa" "ecdsa" "ed25519" )
 
 for key_type in ${SSH_HOST_KEY_TYPES[@]}; do
     KEY_PATH=/etc/ssh/ssh_host_${key_type}_key
@@ -12,5 +12,26 @@ done
 mkdir -p /var/lib/haproxy/.ssh
 
 if [[ $(stat -c %U:%G /var/lib/haproxy/.ssh) != "haproxy:haproxy" ]]; then
-    sudo chown haproxy: /var/lib/haproxy/.ssh
+    chown haproxy: /var/lib/haproxy/.ssh
 fi
+
+FOLDERS_LEGO="/etc/letsencrypt /etc/letsencrypt/backups"
+USERGROUP="haproxy:haproxy"
+
+for folder in ${FOLDERS_LEGO}; do
+    mkdir -p ${folder}
+
+    if [[ $(stat -c %U:%G ${folder}) != "${USERGROUP}" ]]; then
+        chown ${USERGROUP} ${folder}
+    fi
+
+    if [[ "${folder}" == "/etc/letsencrypt" ]]; then
+        if [[ $(stat -c %a ${folder}) != "751" ]]; then
+            chmod 751 ${folder}
+        fi
+    else
+        if [[ $(stat -c %a ${folder}) != "755" ]]; then
+            chmod 755 ${folder}
+        fi
+    fi
+done

docker/haproxy/haproxy-ssh/update-haproxy-cert.sh

@@ -0,0 +1,113 @@
+#!/bin/bash
+
+function haproxy_transaction_start {
+    local cert_input=${1}
+    local cert_dest=${2}
+
+    local transaction_result=""
+    local transaction_grep_check=""
+
+    transaction_grep_check="Transaction (created|updated) for certificate $(echo $cert_dest | sed -e 's|/|\\/|g')!"
+    transaction_result=$(echo -e "set ssl cert ${cert_dest} <<\n$(cat ${cert_input})\n" | socat unix-connect:/var/lib/kolla/haproxy/haproxy.sock -)
+    if echo "${transaction_result}" | grep -Pq "${transaction_grep_check}"; then
+        echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [INFO] [${cert_dest} - update] Transaction ${cert_input} -> ${cert_dest} started."
+    else
+        echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [ERROR] [${cert_dest} - update] Transaction ${cert_input} -> ${cert_dest} failed."
+        exit 1
+    fi
+
+    local cert_input_sha1=""
+    local cert_dest_sha1=""
+
+    cert_input_sha1=$(openssl x509 -noout -fingerprint -sha1 -inform pem -in ${cert_input} | awk -F '=' '{print $2}' | sed -e 's/://g')
+    cert_dest_sha1=$(echo "show ssl cert *${cert_dest}" | socat unix-connect:/var/lib/kolla/haproxy/haproxy.sock - | awk -F 'SHA1 FingerPrint: ' '{print $2}' | sed '/^$/d')
+    if [ "${cert_input_sha1}" = "${cert_dest_sha1}" ]; then
+        echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [INFO] [${cert_dest} - update] Transaction ${cert_input} -> ${cert_dest} successfull."
+    else
+        echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [ERROR] [${cert_dest} - update] Transaction ${cert_input} -> ${cert_dest} failed."
+        exit 1
+    fi
+}
+
+function haproxy_upload_to_memory {
+    local cert_input=${1}
+    local cert_dest=${2}
+
+    local cert_upload_output=""
+
+    cert_upload_output=$(echo "commit ssl cert ${cert_dest}" | socat unix-connect:/var/lib/kolla/haproxy/haproxy.sock -)
+    if echo "${cert_upload_output}" | grep -q "Success!"; then
+        echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [INFO] [${cert_dest} - update] Certificate ${cert_input} uploaded to haproxy memory."
+    else
+        echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [ERROR] [${cert_dest} - update] Certificate ${cert_input} upload to haproxy memory failed."
+        exit 1
+    fi
+}
+
+function haproxy_write_to_disk {
+    local cert_input=${1}
+    local cert_haproxy_path=${2}
+
+    local cert_backup_suffix=""
+    local cert_backup_path=""
+    local cert_backup_name=""
+
+    cert_backup_suffix="-$(date +%Y-%m-%d-%H-%M-%S).pem"
+    cert_backup_path=$(echo "${cert_input}" | awk -v suffix="$cert_backup_suffix" -F '.pem' '{print $1suffix}')
+    cert_backup_name=$(echo ${cert_backup_path} | awk -F '/' '{print $NF}')
+    mkdir -p /etc/letsencrypt/backups
+    echo "$(date +%Y/%m-%d) $(date +%H:%M:%S) [INFO] [${cert_haproxy_path} - update] Backuping currently loaded ${cert_haproxy_path} -> /etc/letsencrypt/backups/${cert_backup_name}"
+    cp -a ${cert_haproxy_path} /etc/letsencrypt/backups/${cert_backup_name}
+    cp -a ${cert_input} ${cert_haproxy_path}
+    rm -f ${cert_input}
+}
+
+
+# Parser
+
+INTERNAL_SET="false"
+EXTERNAL_SET="false"
+
+VALID_ARGS=$(getopt -o ie --long internal,external -- "$@")
+if [[ $? -ne 0 ]]; then
+    exit 1;
+fi
+
+eval set -- "$VALID_ARGS"
+while [ : ]; do
+    case "$1" in
+        -i | --internal)
+            CERT_TYPE="internal"
+            INTERNAL_SET="true"
+            shift
+            ;;
+        -e | --external)
+            CERT_TYPE="external"
+            EXTERNAL_SET="true"
+            shift
+            ;;
+        --) shift;
+            break
+            ;;
+    esac
+done
+
+if [ "${INTERNAL_SET}" = "true" ] || [ "${EXTERNAL_SET}" = "true" ]; then
+    if [ "${INTERNAL_SET}" = "${EXTERNAL_SET}" ]; then
+        echo "[e] Only --internal or --external parameter is allowed at a time"
+        exit 1
+    fi
+    if [ "${INTERNAL_SET}" = "true" ]; then
+        HAPROXY_CERT_INCOMING_PATH="/var/lib/haproxy/haproxy-internal.pem"
+        HAPROXY_CERT_PATH="/etc/haproxy/certificates/haproxy-internal.pem"
+    else
+        HAPROXY_CERT_INCOMING_PATH="/var/lib/haproxy/haproxy.pem"
+        HAPROXY_CERT_PATH="/etc/haproxy/certificates/haproxy.pem"
+    fi
+fi
+
+# Main
+
+haproxy_transaction_start ${HAPROXY_CERT_INCOMING_PATH} ${HAPROXY_CERT_PATH}
+haproxy_upload_to_memory ${HAPROXY_CERT_INCOMING_PATH} ${HAPROXY_CERT_PATH}
+haproxy_write_to_disk ${HAPROXY_CERT_INCOMING_PATH} ${HAPROXY_CERT_PATH}

docker/letsencrypt/Dockerfile.j2

@@ -1,38 +0,0 @@
-FROM {{ namespace }}/{{ image_prefix }}openstack-base:{{ tag }}
-{% block labels %}
-LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}"
-{% endblock %}
-
-{% block letsencrypt_header %}{% endblock %}
-
-{% import "macros.j2" as macros with context %}
-
-{% if base_package_type == 'rpm' %}
-    {% set letsencrypt_packages = [
-        'openssh-clients',
-        'cronie'
-    ] %}
-{% elif base_package_type == 'deb' %}
-    {% set letsencrypt_packages = [
-        'openssh-client',
-        'cron'
-    ] %}
-{% endif %}
-{{ macros.install_packages(letsencrypt_packages | customizable("packages")) }}
-
-COPY extend_start.sh /usr/local/bin/kolla_extend_start
-RUN chmod 644 /usr/local/bin/kolla_extend_start
-
-{% block lego_repository %}
-ENV lego_version=4.6.0
-ENV lego_download_url=https://github.com/go-acme/lego/releases/download/v${lego_version}/lego_v${lego_version}_linux_{{debian_arch}}.tar.gz
-{% endblock %}
-
-{% block lego_install %}
-RUN curl -o /tmp/lego.tar.gz ${lego_download_url} \
-    && tar xvf /tmp/lego.tar.gz -C /opt/ \
-    && rm -f /tmp/lego.tar.gz
-{% endblock %}
-
-{% block letsencrypt_footer %}{% endblock %}
-{% block footer %}{% endblock %}

docker/letsencrypt/extend_start.sh

@@ -1,10 +0,0 @@
-#!/bin/bash
-
-if [[ ! -d "/var/log/kolla/letsencrypt" ]]; then
-    mkdir -p /var/log/kolla/letsencrypt
-fi
-if [[ $(stat -c %a /var/log/kolla/letsencrypt) != "755" ]]; then
-    chmod 755 /var/log/kolla/letsencrypt
-fi
-
-. /usr/local/bin/kolla_httpd_setup

docker/letsencrypt/letsencrypt-base/Dockerfile.j2

@@ -0,0 +1,14 @@
+FROM {{ namespace }}/{{ image_prefix }}base:{{ tag }}
+{% block labels %}
+LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}"
+{% endblock %}
+
+{% block letsencrypt_base_header %}{% endblock %}
+
+{% import "macros.j2" as macros with context %}
+
+{{ macros.install_packages(cinder_base_packages | customizable("packages")) }}
+
+COPY extend_start.sh /usr/local/bin/kolla_extend_start
+
+{% block letsencrypt_base_footer %}{% endblock %}

docker/letsencrypt/letsencrypt-base/extend_start.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# Logs
+
+if [[ ! -d "/var/log/kolla/letsencrypt" ]]; then
+    mkdir -p /var/log/kolla/letsencrypt
+fi
+if [[ $(stat -c %a /var/log/kolla/letsencrypt) != "755" ]]; then
+    chmod 755 /var/log/kolla/letsencrypt
+fi
+
+# Structure for lego and webserver
+
+FOLDERS_LEGO="/etc/letsencrypt /etc/letsencrypt/lego /etc/letsencrypt/lego/internal /etc/letsencrypt/lego/external"
+FOLDERS_WEBSERVER="/etc/letsencrypt/http-01 /etc/letsencrypt/http-01/.well-known /etc/letsencrypt/http-01/.well-known/acme-challenge"
+
+if [[ "${KOLLA_BASE_DISTRO}" =~ debian|ubuntu ]]; then
+    USER="www-data"
+    GROUP="www-data"
+    USERGROUP_WEBSERVER="${USER}:${GROUP}"
+    USERGROUP="haproxy:haproxy"
+else
+    USER="apache"
+    GROUP="apache"
+    USERGROUP_WEBSERVER="${USER}:${GROUP}"
+    USERGROUP="haproxy:haproxy"
+fi
+
+for folder in ${FOLDERS_LEGO}; do
+    if [[ ! -d "${folder}" ]]; then
+        mkdir -p ${folder}
+    fi
+
+    if [[ $(stat -c %U:%G ${folder}) != "${USERGROUP}" ]]; then
+        if getent passwd ${USER} 2 > /dev/null; then
+            chown ${USERGROUP} ${folder}
+        fi
+    fi
+
+    if [[ "${folder}" == "/etc/letsencrypt" ]]; then
+        if [[ $(stat -c %a ${folder}) != "751" ]]; then
+            chmod 751 ${folder}
+        fi
+    else
+        if [[ $(stat -c %a ${folder}) != "755" ]]; then
+            chmod 755 ${folder}
+        fi
+    fi
+done
+
+for folder in ${FOLDERS_WEBSERVER}; do
+    if [[ ! -d "${folder}" ]]; then
+        mkdir -p ${folder}
+    fi
+
+    if [[ $(stat -c %U:%G ${folder}) != "${USERGROUP_WEBSERVER}" ]]; then
+        if getent passwd ${USER} 2 > /dev/null; then
+            chown ${USERGROUP_WEBSERVER} ${folder}
+        fi
+    fi
+
+    if [[ $(stat -c %a ${folder}) != "755" ]]; then
+        chmod 755 ${folder}
+    fi
+done
+
+if [ -e /usr/local/bin/kolla_letsencrypt_extend_start ]; then
+    . /usr/local/bin/kolla_letsencrypt_extend_start
+fi

docker/letsencrypt/letsencrypt-lego/Dockerfile.j2

@@ -0,0 +1,50 @@
+FROM {{ namespace }}/{{ image_prefix }}letsencrypt-base:{{ tag }}
+{% block labels %}
+LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}"
+{% endblock %}
+
+{% block letsencrypt_lego_header %}{% endblock %}
+
+{% import "macros.j2" as macros with context %}
+
+{{ macros.configure_user(name='letsencrypt', shell='/bin/bash') }}
+
+{% if base_package_type == 'rpm' %}
+    {% set letsencrypt_lego_packages = [
+        'openssh-clients',
+        'cronie',
+        'rsync'
+    ] %}
+{% elif base_package_type == 'deb' %}
+    {% set letsencrypt_lego_packages = [
+        'openssh-client',
+        'cron',
+        'rsync'
+    ] %}
+{% endif %}
+{{ macros.install_packages(letsencrypt_lego_packages | customizable("packages")) }}
+
+{% block letsencrypt_lego_repository_version %}
+ARG letsencrypt_lego_version=4.6.0
+{% if debian_arch == 'arm64' %}
+ARG letsencrypt_lego_sha256sum=f5cecda8880d04ffc394049852a797ec120aebf0203ab0f1b877a0cd89bb0b3e
+{% else %}
+ARG letsencrypt_lego_sha256sum=c0c408788cdec96a4697300211c3944a050bb3d62ed3525a5409c136c94e09cb
+{% endif %}
+ARG letsencrypt_lego_url=https://github.com/go-acme/lego/releases/download/v${letsencrypt_lego_version}/lego_v${letsencrypt_lego_version}_linux_{{debian_arch}}.tar.gz
+{% endblock %}
+
+{% block letsencrypt_lego_install %}
+RUN curl -L -o /tmp/lego.tar.gz ${letsencrypt_lego_url} \
+    && echo "${letsencrypt_lego_sha256sum} /tmp/lego.tar.gz" | sha256sum -c \
+    && tar xvf /tmp/lego.tar.gz -C /opt/ \
+    && rm -f /tmp/lego.tar.gz
+{% endblock %}
+
+COPY letsencrypt-certificates.sh /usr/bin/letsencrypt-certificates
+COPY sync-and-update-certificate.sh /usr/bin/sync-and-update-certificate
+
+RUN chmod +x /usr/bin/letsencrypt-certificates /usr/bin/sync-and-update-certificate
+
+{% block letsencrypt_lego_footer %}{% endblock %}
+{% block footer %}{% endblock %}

docker/letsencrypt/letsencrypt-lego/letsencrypt-certificates.sh

@@ -0,0 +1,167 @@
+#!/bin/bash
+
+function log_info {
+    local message="${1}"
+
+    echo "$(date +%Y/%m/%d) $(date +%H:%M:%S) [INFO] ${message}"
+}
+
+function log_error {
+    local message="${1}"
+
+    echo "$(date +%Y/%m/%d) $(date +%H:%M:%S) [ERROR] ${message}"
+}
+
+function obtain_or_renew_certificate {
+    local certificate_fqdns="${1}"
+    local certificate_type="${2}"
+    local listen_port="${3}"
+    local valid_days="${4}"
+    local acme_url="${5}"
+    local mail="${6}"
+    local letsencrypt_ssh_port="${7}"
+
+    certificate_domain_opts=$(echo ${certificate_fqdns} | sed -r -e 's/^/,/g' -e 's/,/--domains=/g' -e 's/--/ --/g')
+    certificate_fqdn=$(echo ${certificate_fqdns} | awk -F ',' '{print $1}')
+    certificate_fqdns=$(echo ${certificate_fqdns} | sed -r 's/,/\ /g')
+
+    if [ -d "/etc/letsencrypt/lego/${certificate_type}/certificates" ]; then
+        garbage_count=$(find /etc/letsencrypt/lego/${certificate_type}/certificates/ -type f | grep -v "${certificate_fqdn}" | wc -l)
+        if [ ${garbage_count} -ne 0 ]; then
+            log_info "[${certificate_fqdn} - cron] Cleaning up garbage in certificates directory."
+            find /etc/letsencrypt/lego/${certificate_type}/certificates/ -type f | grep -v "${certificate_fqdn}" | xargs rm -f
+        fi
+    fi
+
+    if [ -e "/etc/letsencrypt/lego/${certificate_type}/certificates/${certificate_fqdn}.pem" ]; then
+        certificate_current_fqdns=$(openssl x509 -text -in /etc/letsencrypt/lego/${certificate_type}/certificates/${certificate_fqdn}.pem \
+                                    | grep DNS: \
+                                    | sed -r -e 's/\ *DNS://g'  -e 's/^/,/g' -e 's/$/,/g')
+
+        local domains_add=""
+        for i in ${certificate_fqdns}; do
+            if ! echo "${certificate_current_fqdns}" | grep -q ",${i},"; then
+                domains_add="${domains_add} ${i}"
+            fi
+        done
+        domains_add=$(echo "${domains_add}" | sed -r -e 's/^\ //g' -e 's/\ /, /g')
+
+        if [ "${domains_add}" != "" ]; then
+            log_info "[${certificate_fqdn} - cron] Domains ${domains_add} will be added to certificate."
+            rm -f /etc/letsencrypt/lego/${certificate_type}/certificates/*
+        fi
+    fi
+
+    [ ! -e "/etc/letsencrypt/lego/${certificate_type}/certificates/${certificate_fqdn}.pem" ] && local lego_action="run" || local lego_action="renew"
+
+    log_info "[INFO] [${certificate_fqdn} - cron] Obtaining certificate for domains ${certificate_fqdns}."
+    /opt/lego --email="${mail}" \
+              ${certificate_domain_opts} \
+              --server "${acme_url}" \
+              --path "/etc/letsencrypt/lego/${certificate_type}/" \
+              --http.webroot "/etc/letsencrypt/http-01" \
+              --http.port ${listen_port} \
+              --cert.timeout ${valid_days} \
+              --accept-tos \
+              --http \
+              --pem ${lego_action} \
+              --${lego_action}-hook="/usr/bin/sync-and-update-certificate --${certificate_type} --fqdn ${certificate_fqdn} --haproxies-ssh ${letsencrypt_ssh_port}"
+}
+
+
+# Parser
+
+INTERNAL_SET="false"
+EXTERNAL_SET="false"
+LOG_FILE="/var/log/kolla/letsencrypt/lesencrypt-lego.log"
+
+
+VALID_ARGS=$(getopt -o ief:p:d:m:a:v:h: --long internal,external,fqdns:,port:,days:,mail:,acme:,vips:,haproxies-ssh: -- "$@")
+if [[ $? -ne 0 ]]; then
+    exit 1;
+fi
+
+eval set -- "$VALID_ARGS"
+while [ : ]; do
+    case "$1" in
+        -i | --internal)
+            CERT_TYPE="internal"
+            INTERNAL_SET="true"
+            shift
+            ;;
+        -e | --external)
+            CERT_TYPE="external"
+            EXTERNAL_SET="true"
+            shift
+            ;;
+        -f | --fqdns)
+            FQDNS="${2}"
+            shift 2
+            ;;
+        -p | --port)
+            PORT="${2}"
+            shift 2
+            ;;
+        -d | --days)
+            DAYS="${2}"
+            shift 2
+            ;;
+        -m | --mail)
+            MAIL="${2}"
+            shift 2
+            ;;
+        -a | --acme)
+            ACME="${2}"
+            shift 2
+            ;;
+        -v | --vips)
+            VIPS="${2}"
+            shift 2
+            ;;
+        -h | --haproxies-ssh)
+            LETSENCRYPT_SSH_PORT="${2}"
+            shift 2
+            ;;
+        --) shift;
+            break
+            ;;
+    esac
+done
+
+FQDN=$(echo "${FQDNS}" | awk -F ',' '{print $1}')
+
+if [ "${INTERNAL_SET}" = "true" ] || [ "${EXTERNAL_SET}" = "true" ]; then
+    if [ "${INTERNAL_SET}" = "${EXTERNAL_SET}" ]; then
+        log_error "[${FQDN} - cron] Only --internal or --external parameter is allowed at a time."
+        exit 1
+    fi
+
+    LETSENCRYPT_VIP_ADDRESSES="$(echo ${VIPS} | sed -e 's/,/|/g')"
+    if [ "${INTERNAL_SET}" = "true" ]; then
+        LETSENCRYPT_INTERNAL_FQDNS="${FQDNS}"
+    fi
+
+    if [ "${EXTERNAL_SET}" = "true" ]; then
+        LETSENCRYPT_EXTERNAL_FQDNS="${FQDNS}"
+    fi
+
+
+    if ip a | egrep -q "${LETSENCRYPT_VIP_ADDRESSES}"; then
+        log_info "[${FQDN} - cron] This Letsencrypt-lego host is active..."
+        if [ "${LETSENCRYPT_INTERNAL_FQDNS}" != "" ]; then
+            log_info "[${FQDN} - cron] Processing domains ${LETSENCRYPT_INTERNAL_FQDNS}"
+            obtain_or_renew_certificate ${LETSENCRYPT_INTERNAL_FQDNS} internal ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT}
+        fi
+
+        if [ "${LETSENCRYPT_EXTERNAL_FQDNS}" != "" ]; then
+            log_info "[INFO] [${FQDN} - cron] Processing domains ${LETSENCRYPT_EXTERNAL_FQDNS}"
+            obtain_or_renew_certificate ${LETSENCRYPT_EXTERNAL_FQDNS} external ${PORT} ${DAYS} ${ACME} ${MAIL} ${LETSENCRYPT_SSH_PORT}
+        fi
+    else
+        log_info "[${FQDN} - cron] This Letsencrypt-lego host is passive, nothing to do..."
+    fi
+fi
+
+if [ -d "/etc/letsencrypt/lego" ]; then
+    chown -R haproxy:haproxy /etc/letsencrypt/lego
+fi

docker/letsencrypt/letsencrypt-lego/sync-and-update-certificate.sh

@@ -0,0 +1,93 @@
+#!/bin/bash
+
+function log_info {
+    local message="${1}"
+
+    echo "$(date +%Y/%m/%d) $(date +%H:%M:%S) [INFO] ${message}"
+}
+
+function log_error {
+    local message="${1}"
+
+    echo "$(date +%Y/%m/%d) $(date +%H:%M:%S) [ERROR] ${message}"
+}
+
+
+# Parser
+
+INTERNAL_SET="false"
+EXTERNAL_SET="false"
+LOG_FILE="/var/log/kolla/letsencrypt/lesencrypt-lego.log"
+
+
+VALID_ARGS=$(getopt -o ief:l: --long internal,external,fqdn:,haproxies-ssh: -- "$@")
+if [[ $? -ne 0 ]]; then
+    exit 1;
+fi
+
+eval set -- "$VALID_ARGS"
+while [ : ]; do
+    case "$1" in
+        -i | --internal)
+            CERT_TYPE="internal"
+            INTERNAL_SET="true"
+            shift
+            ;;
+        -e | --external)
+            CERT_TYPE="external"
+            EXTERNAL_SET="true"
+            shift
+            ;;
+        -f | --fqdn)
+            FQDN="${2}"
+            shift 2
+            ;;
+        -l | --haproxies-ssh)
+            HAPROXIES_SSH_HOSTS_PORT="${2}"
+            shift 2
+            ;;
+        --) shift;
+            break
+            ;;
+    esac
+done
+
+if [ "${INTERNAL_SET}" = "true" ] || [ "${EXTERNAL_SET}" = "true" ]; then
+    if [ "${INTERNAL_SET}" = "${EXTERNAL_SET}" ]; then
+        log_error "[${FQDN} - hook] Only --internal or --external parameter is allowed at a time"
+        exit 1
+    fi
+
+    HAPROXIES_SSH_HOSTS_PORT=$(echo ${HAPROXIES_SSH_HOSTS_PORT} | sed -e 's/,/ /g')
+
+    for i in ${HAPROXIES_SSH_HOSTS_PORT}; do
+
+        server=$(echo $i | awk -F ':' '{print $1}')
+        port=$(echo $i | awk -F ':' '{print $2}')
+
+        if ! ip a | grep -q "${server}"; then
+
+            log_info "[${FQDN} - hook] Rsync lego data /etc/letsencrypt/lego/ to server ${server} and port ${port}"
+            rsync -a -e "ssh -p ${port} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentityFile=/var/lib/letsencrypt/.ssh/id_rsa" /etc/letsencrypt/lego/ haproxy@${server}:/etc/letsencrypt/lego/ --delete >/dev/null 2>&1
+            if [ "$?" -eq 0 ]; then
+                log_info "[${FQDN} - hook] Rsync Successfull."
+            fi
+
+        else
+            log_info "[${FQDN} - hook] Rsync lego data /etc/letsencrypt/lego/ to server ${server} and port ${port} not needed."
+        fi
+
+        if [ "${INTERNAL_SET}" = "true" ]; then
+            internal_cert_path=$(find /etc/letsencrypt/lego/internal/ -name '*.pem')
+            sed -i '/^$/d' ${internal_cert_path}
+            rsync -av -e "ssh -p ${port} -o StrictHostKeyChecking=no -o IdentityFile=/var/lib/letsencrypt/.ssh/id_rsa" ${internal_cert_path} haproxy@${server}:/var/lib/haproxy/haproxy-internal.pem --delete >/dev/null 2>&1
+            ssh -p ${port} -i /var/lib/letsencrypt/.ssh/id_rsa -o StrictHostKeyChecking=no haproxy@${server} "/usr/bin/update-haproxy-cert --internal"
+        else
+            external_cert_path=$(find /etc/letsencrypt/lego/external/ -name '*.pem')
+            sed -i '/^$/d' ${external_cert_path}
+            rsync -av -e "ssh -p ${port} -o StrictHostKeyChecking=no -o IdentityFile=/var/lib/letsencrypt/.ssh/id_rsa" ${external_cert_path} haproxy@${server}:/var/lib/haproxy/haproxy.pem --delete >/dev/null 2>&1
+            ssh -p ${port} -i /var/lib/letsencrypt/.ssh/id_rsa -o StrictHostKeyChecking=no haproxy@${server} "/usr/bin/update-haproxy-cert --external"
+        fi
+
+    done
+fi

docker/letsencrypt/letsencrypt-webserver/Dockerfile.j2

@@ -0,0 +1,32 @@
+FROM {{ namespace }}/{{ image_prefix }}letsencrypt-base:{{ tag }}
+{% block labels %}
+LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build_date }}"
+{% endblock %}
+
+{% block letsencrypt_webserver_header %}{% endblock %}
+
+{% import "macros.j2" as macros with context %}
+
+{% if base_package_type == 'rpm' %}
+    {% set letsencrypt_webserver_packages = [
+        'httpd',
+        'mod_ssl'
+    ] %}
+{% elif base_package_type == 'deb' %}
+    {% set letsencrypt_webserver_packages = [
+        'apache2'
+    ] %}
+{% endif %}
+{{ macros.install_packages(letsencrypt_webserver_packages | customizable("packages")) }}
+
+{% if base_package_type == 'rpm' %}
+RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+    && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
+{% elif base_package_type == 'deb' %}
+RUN echo > /etc/apache2/ports.conf
+{% endif %}
+
+COPY extend_start.sh /usr/local/bin/kolla_letsencrypt_extend_start
+
+{% block letsencrypt_webserver_footer %}{% endblock %}
+{% block footer %}{% endblock %}

docker/letsencrypt/letsencrypt-webserver/extend_start.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+. /usr/local/bin/kolla_httpd_setup

releasenotes/notes/add-api-layer-to-letsencrypt-images-9db42c763b7d13ad.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Adds an API layer to letsencrypt image which are represented by set of
+    scripts. Those scripts are called from kolla-ansible orchestration.