forked from OpenConext/OpenConext-deploy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
prep-env
executable file
·122 lines (94 loc) · 4.03 KB
/
prep-env
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
#!/bin/bash
#
# This script will generate new password, secrets and certificates for OpenConext environment
#
# It is to be used before any Ansible command.
#
# When a password must be sha-encoded, the clear-text password must be set before the sha-encoded
# Key for the sha-encoded password must be the same as the clear-text password with the '_sha'
#
# ----- configuration
ENV_DIR="environments"
ENVEXT_DIR="environments-external"
SKELETON_DIR="${ENV_DIR}/template"
SECRET_VARS_TEMPLATE="${SKELETON_DIR}/secrets/skeleton.yml"
# ----- End configuration
SCRIPT=$(readlink -f "$0")
BASEDIR=$(dirname "$SCRIPT")
BASENAME=$(basename "$SCRIPT")
# ----- Input handling
if [ $# -lt 2 ]
then
echo "INFO: No arguments supplied, syntax: $BASENAME environment domain"
exit 1
fi
if [ $# -gt 3 ]
then
echo "ERROR: Only 2 or 3 arguments expected, syntax: $BASENAME environment domain [secret-vars-file]"
exit 1
fi
# ----- End Input handing
# ----- Make sure Java is installed
type java >/dev/null 2>&1 || { echo >&2 "Java is required, but it's not installed. Please install it and rerun this script"; exit; }
# ----- End check Java presence
if [ $# -eq 3 ]
then
SECRET_VARS_FILE=$3
echo "INFO: Using file " $SECRET_VARS_FILE " for containing the secrets."
fi
trap 'rm -f $SV_FILE; echo "Error: Operation not completed, please restart command"' EXIT INT TERM
tempfile() {
tempprefix=$(basename "$0")
mktemp /tmp/${tempprefix}.XXXXXX
}
OC_ENV=$1
OC_BASEDOMAIN=$2
SECRET_VARS_FILE="${ENVEXT_DIR}/${OC_ENV}/secrets/${OC_ENV}.yml"
CERT_FILES_BASE="${ENVEXT_DIR}/${OC_ENV}/files/certs/star.${OC_BASEDOMAIN}"
EBCERT_FILES_BASE="${ENVEXT_DIR}/${OC_ENV}/files/certs/engineblock"
SHIBCERT_FILES_BASE="${ENVEXT_DIR}/${OC_ENV}/files/certs/shib-sp"
OIDCCERT_FILES_BASE="${ENVEXT_DIR}/${OC_ENV}/files/certs/oidc"
CACERT_FILES_BASE="${ENVEXT_DIR}/${OC_ENV}/files/certs/ca"
echo "OC_ENV: $OC_ENV"
echo "OC_BASEDOMAIN: $OC_BASEDOMAIN"
echo "SCRIPT: $SCRIPT"
echo "BASEDIR: $BASEDIR"
echo "BASENAME: $BASENAME"
echo "SECRET_VARS_TEMPLATE: $SECRET_VARS_TEMPLATE"
echo "SECRET_VARS_FILE: $SECRET_VARS_FILE"
echo "CERT_CONF_TEMP: $CERT_CONF_TEMP"
echo "CERT_FILES_BASE: $CERT_FILES_BASE"
echo "EBCERT_FILES_BASE: $EBCERT_FILES_BASE"
echo "SHIBCERT_FILES_BASE: $SHIBCERT_FILES_BASE"
echo "OIDCCERT_FILES_BASE: $OIDCCERT_FILES_BASE"
# Clear destination env dir while I'm testing this script, we might want to skip this eventually
rm -rf "${ENVEXT_DIR}/${OC_ENV}"
# Create environments_external dir
mkdir -p "${ENVEXT_DIR}"
# Copy template to new OC_ENV
cp -a "${SKELETON_DIR}" "${ENVEXT_DIR}/${OC_ENV}"
# Generate new certificates
scripts/gen_certs.sh $OC_ENV $OC_BASEDOMAIN $EBCERT_FILES_BASE
scripts/gen_certs.sh $OC_ENV $OC_BASEDOMAIN $SHIBCERT_FILES_BASE
scripts/gen_certs.sh $OC_ENV $OC_BASEDOMAIN $OIDCCERT_FILES_BASE
# Create a Tink key set
scripts/gen_tink_keyset_oidc.sh $OIDCCERT_FILES_BASE.keyset
# Generate Secret vars
scripts/gen_secrets.sh $SECRET_VARS_TEMPLATE $EBCERT_FILES_BASE $SHIBCERT_FILES_BASE $OIDCCERT_FILES_BASE $SECRET_VARS_FILE
# Move the generated OIDC cert to its own directory
mkdir "${ENVEXT_DIR}/${OC_ENV}/files/certs/oidc/"
mv "$OIDCCERT_FILES_BASE.crt" "${ENVEXT_DIR}/${OC_ENV}/files/certs/oidc/oidcsaml.crt"
# Move group_vars skeleton.yml to OC_ENV.yml
mv "${ENVEXT_DIR}/${OC_ENV}/group_vars/template.yml" "${ENVEXT_DIR}/${OC_ENV}/group_vars/${OC_ENV}.yml"
# Replace %env% and %base_domain% with OC_ENV
sed -i "s/%env%/${OC_ENV}/g" ${ENVEXT_DIR}/${OC_ENV}/*/${OC_ENV}.yml
sed -i "s/%base_domain%/${OC_BASEDOMAIN}/g" ${ENVEXT_DIR}/${OC_ENV}/*/${OC_ENV}.yml
# Remove skeleton secrets file from target
rm -f "${ENVEXT_DIR}/${OC_ENV}/secrets/skeleton.yml"
# Replace %env% with OC_ENV in inventory
sed -i "s/%env%/${OC_ENV}/g" ${ENVEXT_DIR}/${OC_ENV}/inventory
echo -e "\n\n*** Please replace all following placeholders ***\n"
grep -R '%*%' "${ENVEXT_DIR}/${OC_ENV}"
echo -e "\nPlease rename the file "${ENVEXT_DIR}/${OC_ENV}"/host_vars/template.yml to the hostname of your target VM ("${ENVEXT_DIR}/${OC_ENV}"/host_vars/yourhostname.yml)\n"
trap '' EXIT
exit 0