Cleanup, redeploy, deal with expired certs

dotege.go

@@ -31,7 +31,7 @@ func monitorSignals() <-chan bool {
 	return done
 }
 
-func main() {
+func createLogger() *zap.SugaredLogger {
 	zapConfig := zap.NewDevelopmentConfig()
 	zapConfig.DisableCaller = true
 	zapConfig.DisableStacktrace = true
@@ -39,12 +39,17 @@ func main() {
 	zapConfig.OutputPaths = []string{"stdout"}
 	zapConfig.ErrorOutputPaths = []string{"stdout"}
 	logger, _ := zapConfig.Build()
-	sugar := logger.Sugar()
-	sugar.Info("Dotege is starting")
-
-	doneChan := monitorSignals()
+	return logger.Sugar()
+}
 
-	config := model.Config{
+func createConfig() *model.Config {
+	return &model.Config{
+		Templates: []model.TemplateConfig{
+			{
+				Source:      "./templates/haproxy.cfg.tpl",
+				Destination: "haproxy.cfg",
+			},
+		},
 		Labels: model.LabelConfig{
 			Hostnames:   "com.chameth.vhost",
 			RequireAuth: "com.chameth.auth",
@@ -52,54 +57,74 @@ func main() {
 		DefaultCertActions:     model.COMBINE | model.FLATTEN,
 		DefaultCertDestination: "/data/certs/",
 	}
+}
 
-	dockerStopChan := make(chan struct{})
-	dockerClient, err := client.NewEnvClient()
+func createTemplateGenerator(logger *zap.SugaredLogger, config *model.Config) *TemplateGenerator {
+	templateGenerator := NewTemplateGenerator(logger)
+	for _, template := range config.Templates {
+		templateGenerator.AddTemplate(template)
+	}
+	return templateGenerator
+}
+
+func createCertificateManager(logger *zap.SugaredLogger) *CertificateManager {
+	certificateManager := NewCertificateManager(logger, lego.LEDirectoryStaging, certcrypto.EC256, env.GetOrDefaultString("DOTEGE_DNS_PROVIDER", ""), "/config/certs.json")
+	err := certificateManager.Init(env.GetOrDefaultString("DOTEGE_ACME_EMAIL", ""))
 	if err != nil {
 		panic(err)
 	}
+	return certificateManager
+}
 
-	templateGenerator := NewTemplateGenerator(sugar)
-	templateGenerator.AddTemplate(model.TemplateConfig{
-		Source:      "./templates/haproxy.cfg.tpl",
-		Destination: "haproxy.cfg",
-	})
+func main() {
+	logger := createLogger()
+	logger.Info("Dotege is starting")
+
+	doneChan := monitorSignals()
+	config := createConfig()
 
-	certificateManager := NewCertificateManager(sugar, lego.LEDirectoryStaging, certcrypto.EC256, env.GetOrDefaultString("DOTEGE_DNS_PROVIDER", ""), "/config/certs.json")
-	err = certificateManager.Init(env.GetOrDefaultString("DOTEGE_ACME_EMAIL", ""))
+	dockerStopChan := make(chan struct{})
+	dockerClient, err := client.NewEnvClient()
 	if err != nil {
 		panic(err)
 	}
 
-	timer := time.NewTimer(time.Hour)
-	timer.Stop()
+	templateGenerator := createTemplateGenerator(logger, config)
+	certificateManager := createCertificateManager(logger)
+
+	jitterTimer := time.NewTimer(time.Minute)
+	redeployTimer := time.NewTicker(time.Hour * 24)
 	containers := make(map[string]model.Container)
 
 	go func() {
 		err := monitorContainers(dockerClient, dockerStopChan, func(container model.Container) {
 			containers[container.Name] = container
-			timer.Reset(100 * time.Millisecond)
-			err, _ = certificateManager.GetCertificate(getHostnamesForContainer(container, config))
+			jitterTimer.Reset(100 * time.Millisecond)
+			err, _ = certificateManager.GetCertificate(getHostnamesForContainer(container, *config))
 		}, func(name string) {
 			delete(containers, name)
-			timer.Reset(100 * time.Millisecond)
+			jitterTimer.Reset(100 * time.Millisecond)
 		})
 
 		if err != nil {
-			sugar.Fatal("Error monitoring containers: ", err.Error())
+			logger.Fatal("Error monitoring containers: ", err.Error())
 		}
 	}()
 
 	go func() {
 		for {
 			select {
-			case <-timer.C:
-				hostnames := getHostnames(containers, config)
+			case <-jitterTimer.C:
+				hostnames := getHostnames(containers, *config)
 				templateGenerator.Generate(Context{
 					Containers: containers,
 					Hostnames:  hostnames,
 				})
-				//certDeployer.UpdateHostnames(hostnames)
+			case <-redeployTimer.C:
+				logger.Info("Performing periodic certificate refresh")
+				for _, container := range containers {
+					err, _ = certificateManager.GetCertificate(getHostnamesForContainer(container, *config))
+				}
 			}
 		}
 	}()

lego.go

@@ -184,8 +184,12 @@ func (c *CertificateManager) register() error {
 func (c *CertificateManager) GetCertificate(domains []string) (error, *SavedCertificate) {
 	existing := c.loadCert(domains)
 	if existing != nil {
-		c.logger.Debugf("Returning existing certificate for request %s", domains)
-		return nil, existing
+		if existing.NotAfter.Before(time.Now().Add(time.Hour * 24 * 31)) {
+			c.logger.Debugf("Found existing certificate for %s, but it expires soon; renewing", domains)
+		} else {
+			c.logger.Debugf("Returning existing certificate for request %s", domains)
+			return nil, existing
+		}
 	}
 
 	request := certificate.ObtainRequest{
@@ -226,7 +230,25 @@ func domainsMatch(domains1, domains2 []string) bool {
 	return true
 }
 
+func (c *CertificateManager) removeCerts(domains []string) {
+	var newCerts []*SavedCertificate
+	for _, cert := range c.data.Certs {
+		if !domainsMatch(cert.Domains, domains) {
+			newCerts = append(newCerts, cert)
+		}
+	}
+
+	diff := len(c.data.Certs) - len(newCerts)
+
+	if diff > 0 {
+		c.logger.Debugf("Removed %d certificates matching %s", diff, domains)
+		c.data.Certs = newCerts
+	}
+}
+
 func (c *CertificateManager) saveCert(domains []string, cert *certificate.Resource) (error, *SavedCertificate) {
+	c.removeCerts(domains)
+
 	savedCert := &SavedCertificate{
 		Domains:           domains,
 		Certificate:       cert.Certificate,