feat(*): install certbot with pip

Offer alternative method of installing certbot with pip. Currently untested on most supported platforms.
saltstack-formulas · Aug 2, 2021 · 756a272 · 756a272
1 parent 852f110
commit 756a272
Show file tree

Hide file tree

Showing 10 changed files with 160 additions and 5 deletions.
diff --git a/kitchen.yml b/kitchen.yml
@@ -446,6 +446,24 @@ suites:
     verifier:
       inspec_tests:
         - path: test/integration/git
+  - name: pip
+    provisioner:
+      state_top:
+        base:
+          '*':
+            - letsencrypt._mapdata
+            - letsencrypt.install
+            - letsencrypt.config
+      pillars:
+        top.sls:
+          base:
+            '*':
+              - letsencrypt
+      pillars_from_files:
+        letsencrypt.sls: test/salt/pillar/pip.sls
+    verifier:
+      inspec_tests:
+        - path: test/integration/pip
   - name: deb
     includes:
       - debian-11-tiamat-py3

diff --git a/letsencrypt/defaults.yaml b/letsencrypt/defaults.yaml
@@ -10,9 +10,9 @@ letsencrypt:
   _cli_path: /usr/bin/certbot
   # Only used for the pkg install method (install_method = package), internal var
   _default_pkg: certbot
-  # Only used for the git install methods (install_method = git)
+  # Only used for the git or pip install methods (install_method = (git|pip))
   cli_install_dir: /opt/letsencrypt
-  # Only used for the git install methods (install_method = git).
+  # Only used for the git or pip install methods (install_method = (git|pip)).
   # If you want to have specific version of certbot you can enable it. The
   # version value should match a certbot/certbot branch version: 0.30.x
   config_dir:

diff --git a/letsencrypt/domains.sls b/letsencrypt/domains.sls
@@ -15,7 +15,11 @@
 {% else %}
   {% set check_cert_cmd = '/usr/local/bin/check_letsencrypt_cert.sh' %}
   {% set renew_cert_cmd = '/usr/local/bin/renew_letsencrypt_cert.sh' %}
-  {% set create_cert_cmd = letsencrypt.cli_install_dir ~ '/letsencrypt-auto' %}
+  {% if letsencrypt.install_method == 'pip' %}
+    {% set create_cert_cmd = letsencrypt.cli_install_dir ~ '/bin/certbot' %}
+  {% else %}
+    {% set create_cert_cmd = letsencrypt.cli_install_dir ~ '/letsencrypt-auto' %}
+  {% endif %}
 
   {% set old_check_cert_cmd_state = 'managed' %}
   {% set old_renew_cert_cmd_state = 'managed' %}

diff --git a/letsencrypt/files/renew_letsencrypt_cert.sh.jinja b/letsencrypt/files/renew_letsencrypt_cert.sh.jinja
@@ -2,7 +2,11 @@
 {% from "letsencrypt/map.jinja" import letsencrypt with context %}
 COMMON_NAME="$1"
 
+{% if letsencrypt.install_method == 'pip' %}
+{{ letsencrypt.cli_install_dir }}/bin/certbot renew --non-interactive || exit 1
+{% else %}
 {{ letsencrypt.cli_install_dir }}/letsencrypt-auto renew --non-interactive || exit 1
+{% endif %}
   cat {{ letsencrypt.config_dir.path }}/live/${COMMON_NAME}/fullchain.pem \
   {{ letsencrypt.config_dir.path }}/live/${COMMON_NAME}/privkey.pem \
   > {{ letsencrypt.config_dir.path }}/live/${COMMON_NAME}/fullchain-privkey.pem || exit 1

diff --git a/letsencrypt/install.sls b/letsencrypt/install.sls
@@ -38,5 +38,19 @@ letsencrypt-client:
     - target: {{ letsencrypt.cli_install_dir }}
     - force_reset: True
   {%-   endif %}
+  {%- elif letsencrypt.install_method == 'pip' %}
+  pkg.installed:
+    - pkgs:
+      - python3
+      - virtualenv
+  virtualenv.managed:
+    - name: {{ letsencrypt.cli_install_dir }}
+    - python: python3
+    - pip_pkgs:
+  {%-   if letsencrypt.version is defined and letsencrypt.version|length %}
+      - certbot=={{ letsencrypt.version }}
+  {%-   else %}
+      - certbot
+  {%-   endif %}
   {%- endif %}
     - reload_modules: True
diff --git a/pillar.example b/pillar.example
@@ -13,9 +13,9 @@ letsencrypt:
     - python3-certbot-apache
     # - python3-certbot-nginx
     # - python3-dns-route53
-  # Only used for the git install methods (install_method = git)
+  # Only used for the git or pip install methods (install_method = (git|pip))
   cli_install_dir: /opt/letsencrypt
-  # Only used for the git install methods (install_method = git).
+  # Only used for the git or pip install methods (install_method = git|pip)).
   # If you want to have specific version of certbot you can enable it. The
   # version value should match a certbot/certbot branch.
   version: 0.30.x

diff --git a/test/integration/pip/README.md b/test/integration/pip/README.md
@@ -0,0 +1,50 @@
+# InSpec Profile: `git`
+
+This shows the implementation of the `pip` InSpec [profile](https://github.com/inspec/inspec/blob/master/docs/profiles.md).
+
+## Verify a profile
+
+InSpec ships with built-in features to verify a profile structure.
+
+```bash
+$ inspec check git
+Summary
+-------
+Location: git
+Profile: profile
+Controls: 4
+Timestamp: 2019-06-24T23:09:01+00:00
+Valid: true
+
+Errors
+------
+
+Warnings
+--------
+```
+
+## Execute a profile
+
+To run all **supported** controls on a local machine use `inspec exec /path/to/profile`.
+
+```bash
+$ inspec exec git
+..
+
+Finished in 0.0025 seconds (files took 0.12449 seconds to load)
+8 examples, 0 failures
+```
+
+## Execute a specific control from a profile
+
+To run one control from the profile use `inspec exec /path/to/profile --controls name`.
+
+```bash
+$ inspec exec git --controls package
+.
+
+Finished in 0.0025 seconds (files took 0.12449 seconds to load)
+1 examples, 0 failures
+```
+
+See an [example control here](https://github.com/inspec/inspec/blob/master/examples/profile/controls/example.rb).
diff --git a/test/integration/pip/controls/letsencrypt_spec.rb b/test/integration/pip/controls/letsencrypt_spec.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+describe file('/opt/letsencrypt') do
+  it { should be_directory }
+  it { should be_owned_by 'root' }
+  it { should be_grouped_into 'root' }
+  it { should be_readable }
+  its('size') { should be > 25 }
+end
+
+describe file('/etc/letsencrypt/cli.ini') do
+  it { should be_file }
+  it { should be_owned_by 'root' }
+  it { should be_grouped_into 'root' }
+  it { should be_readable }
+  its('size') { should be > 1 }
+  its('content') do
+    should match 'server = https://acme-staging.api.letsencrypt.org/directory'
+  end
+  its('content') { should match 'authenticator = standalone' }
+  its('content') { should match 'File managed by Salt' }
+end
diff --git a/test/integration/pip/inspec.yml b/test/integration/pip/inspec.yml
@@ -0,0 +1,28 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+name: pip
+title: letsencrypt formula
+maintainer: SaltStack Formulas
+license: Apache-2.0
+# yamllint disable-line rule:line-length
+summary: Verify that the letsencrypt formula is setup and configured correctly using `pip`
+depends:
+  - name: share
+    path: test/integration/share
+supports:
+  - platform-name: debian
+  - platform-name: ubuntu
+  - platform-name: centos
+  - platform-name: fedora
+  - platform-name: opensuse
+  - platform-name: suse
+  - platform-name: freebsd
+  - platform-name: openbsd
+  - platform-name: amazon
+  - platform-name: oracle
+  - platform-name: arch
+  - platform-name: gentoo
+  - platform-name: almalinux
+  - platform-name: rocky
+  - platform: windows
diff --git a/test/salt/pillar/pip.sls b/test/salt/pillar/pip.sls
@@ -0,0 +1,15 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+letsencrypt:
+  install_method: pip
+  version: 0.26.1
+  config: |
+    server = https://acme-staging.api.letsencrypt.org/directory
+    email = saltstack-letsencrypt-formula@example.com
+    authenticator = standalone
+    agree-tos = True
+    renew-by-default = True
+  domainsets:
+    www:
+      - letsencrypt-formula.example.com