First pass at a certificate deployer

certs/deployer.go

@@ -0,0 +1,102 @@
+package certs
+
+import (
+	"github.com/csmith/dotege/model"
+	"go.uber.org/zap"
+	"io/ioutil"
+	"os"
+	"path"
+	"time"
+)
+
+// CertificateDeployer deploys certificates according to their configuration.
+type CertificateDeployer struct {
+	logger        *zap.SugaredLogger
+	certChannel   <-chan model.FoundCertificate
+	deployChannel chan bool
+	certs         map[string]model.FoundCertificate
+	hostnames     map[string]*model.Hostname
+}
+
+// NewCertificateDeployer creates a new CertificateDeployer.
+func NewCertificateDeployer(logger *zap.SugaredLogger, channel <-chan model.FoundCertificate) *CertificateDeployer {
+	deployer := &CertificateDeployer{
+		logger:        logger,
+		certChannel:   channel,
+		deployChannel: make(chan bool, 1),
+		certs:         make(map[string]model.FoundCertificate),
+	}
+
+	go deployer.monitor()
+	go deployer.deployAll()
+
+	return deployer
+}
+
+func (c *CertificateDeployer) monitor() {
+	select {
+	case cert := <-c.certChannel:
+		c.certs[cert.Hostname] = cert
+		c.deployChannel <- true
+	}
+}
+
+func (c *CertificateDeployer) deployAll() {
+	select {
+	case <-c.deployChannel:
+		c.logger.Debug("Checking for certificates requiring deploySingle")
+		for _, hostname := range c.hostnames {
+			if cert, ok := c.certs[hostname.Name]; ok {
+				c.deploySingle(cert, hostname)
+			}
+		}
+	}
+}
+
+func (c *CertificateDeployer) deploySingle(cert model.FoundCertificate, hostname *model.Hostname) {
+	if (hostname.CertActions & model.COMBINE) == model.COMBINE {
+		chain := c.readFile(cert.FullChain)
+		pkey := c.readFile(cert.PrivateKey)
+		c.deployFile("combined.pem", append(chain, pkey...), cert.ModTime, hostname)
+	} else {
+		c.deployFile("cert.pem", c.readFile(cert.Cert), cert.ModTime, hostname)
+		c.deployFile("chain.pem", c.readFile(cert.Chain), cert.ModTime, hostname)
+		c.deployFile("fullchain.pem", c.readFile(cert.FullChain), cert.ModTime, hostname)
+		c.deployFile("privkey.pem", c.readFile(cert.PrivateKey), cert.ModTime, hostname)
+	}
+}
+
+func (c *CertificateDeployer) deployFile(name string, content []byte, modTime time.Time, hostname *model.Hostname) {
+	var target string
+	if (hostname.CertActions & model.FLATTEN) == model.FLATTEN {
+		target = path.Join(hostname.CertDestination, hostname.Name+".pem")
+	} else {
+		target = path.Join(hostname.CertDestination, hostname.Name, name)
+	}
+
+	info, err := os.Stat(target)
+	if err != nil && info.ModTime().After(modTime) {
+		c.logger.Debugf("Not writing %s as it was modified more recently than our cert", target)
+		return
+	}
+
+	err = ioutil.WriteFile(target, content, 0700)
+	if err != nil {
+		c.logger.Warnf("Unable to write certificate %s - %s", target, err.Error())
+	} else {
+		c.logger.Info("Updated certificate file %s", target)
+	}
+}
+
+func (c *CertificateDeployer) readFile(name string) []byte {
+	data, err := ioutil.ReadFile(name)
+	if err != nil {
+		c.logger.Errorf("Unable to read certificate file %s - %s", name, err.Error())
+	}
+	return data
+}
+
+func (c *CertificateDeployer) UpdateHostnames(hostnames map[string]*model.Hostname) {
+	c.hostnames = hostnames
+	c.deployChannel <- true
+}

dotege.go

@@ -61,6 +61,7 @@ func main() {
 
 	certMonitor := certs.NewCertificateManager(sugar, certChan)
 	certMonitor.AddDirectory("/data/certrequests/certs")
+	certDeployer := certs.NewCertificateDeployer(sugar, certChan)
 
 	templateGenerator := NewTemplateGenerator(sugar)
 	templateGenerator.AddTemplate(model.TemplateConfig{
@@ -89,10 +90,12 @@ func main() {
 				delete(containers, name)
 				timer.Reset(100 * time.Millisecond)
 			case <-timer.C:
+				hostnames := getHostnames(containers, config)
 				templateGenerator.Generate(Context{
 					Containers: containers,
-					Hostnames:  getHostnames(containers, config),
+					Hostnames:  hostnames,
 				})
+				certDeployer.UpdateHostnames(hostnames)
 			}
 		}
 	}()

model/model.go

@@ -52,6 +52,7 @@ type TemplateConfig struct {
 
 // FoundCertificate describes a certificate we've located on disk.
 type FoundCertificate struct {
+	Hostname   string
 	Cert       string
 	Chain      string
 	FullChain  string