Add deploy script for Kemp Loadmaster #6352
Conversation
| _debug _cfullchain "$_cfullchain" | ||
|
|
||
| if ! _exists jq; then | ||
| _err "jq not found" |
There was a problem hiding this comment.
add return 1 here if jq is not fuond.
deploy/kemplm.sh
Outdated
| fi | ||
|
|
||
| # Rename wildcard certs, kemp accepts only alphanumeric names | ||
| _kemp_domain=$(echo "${_cdomain}" | sed 's/\*/wildcard/') |
deploy/kemplm.sh
Outdated
| _debug _kemp_domain "$_kemp_domain" | ||
|
|
||
| # Clear traces of incorrectly stored values | ||
| _clearaccountconf DEPLOY_KEMP_TOKEN |
There was a problem hiding this comment.
why to clear the account conf ?
There was a problem hiding this comment.
Pull Request Overview
A script to automate certificate deployment to a Kemp Loadmaster via its API.
- Adds
kemplm_deployfunction to list existing certificates and upload new ones. - Handles wildcard certificate renaming, config persistence, and success/error reporting.
- Encodes fullchain and key into base64 for the API request.
Comments suppressed due to low confidence (2)
deploy/kemplm.sh:50
- [nitpick] In the error message, capitalize “URL” for consistency (
...Loadmaster URL is not found...).
_err "Kemp Loadmaster url is not found, please define DEPLOY_KEMP_URL."
deploy/kemplm.sh:14
- [nitpick] Variables like
_cdomain,_ckey,_ccert, etc., are terse and may be unclear. Consider renaming to more descriptive names such asdomain,key_file,cert_file,ca_file, andfullchain_file.
_cdomain="$1"
| _debug _cfullchain "$_cfullchain" | ||
|
|
||
| if ! _exists jq; then | ||
| _err "jq not found" |
There was a problem hiding this comment.
After logging the missing jq error, the function should immediately exit. Add return 1 (or exit 1) after _err to prevent further execution when jq is not installed.
| _err "jq not found" | |
| _err "jq not found" | |
| return 1 |
Copilot uses AI. Check for mistakes.
deploy/kemplm.sh
Outdated
|
|
||
| # Upload new certificate to Kemp Loadmaster | ||
| _kemp_upload_cert=$(_mktemp) | ||
| cat "${_cfullchain}" "${_ckey}" | base64 -w 0 >"${_kemp_upload_cert}" |
There was a problem hiding this comment.
[nitpick] The -w 0 flag for base64 is GNU-specific and may not work in all /bin/sh environments. Consider either switching the shebang to bash or using a more portable base64 invocation (e.g., without -w).
| cat "${_cfullchain}" "${_ckey}" | base64 -w 0 >"${_kemp_upload_cert}" | |
| cat "${_cfullchain}" "${_ckey}" | base64 | tr -d '\n' >"${_kemp_upload_cert}" |
Copilot uses AI. Check for mistakes.
deploy/kemplm.sh
Outdated
| _post_request="{\"cmd\": \"addcert\", \"apikey\": \"${DEPLOY_KEMP_TOKEN}\", \"replace\": ${_kemp_replace_cert}, \"cert\": \"${_kemp_domain}\", \"data\": \"${_post_data}\"}" | ||
| _debug3 _post_request "${_post_request}" | ||
| _kemp_post_result=$(_post "${_post_request}" "${DEPLOY_KEMP_URL}/accessv2") |
There was a problem hiding this comment.
[nitpick] The _post_request variable is reused for both listing and adding certificates, which can be confusing. Use distinct names (e.g., _list_request and _add_request) to improve readability.
| _post_request="{\"cmd\": \"addcert\", \"apikey\": \"${DEPLOY_KEMP_TOKEN}\", \"replace\": ${_kemp_replace_cert}, \"cert\": \"${_kemp_domain}\", \"data\": \"${_post_data}\"}" | |
| _debug3 _post_request "${_post_request}" | |
| _kemp_post_result=$(_post "${_post_request}" "${DEPLOY_KEMP_URL}/accessv2") | |
| _add_request="{\"cmd\": \"addcert\", \"apikey\": \"${DEPLOY_KEMP_TOKEN}\", \"replace\": ${_kemp_replace_cert}, \"cert\": \"${_kemp_domain}\", \"data\": \"${_post_data}\"}" | |
| _debug3 _add_request "${_add_request}" | |
| _kemp_post_result=$(_post "${_add_request}" "${DEPLOY_KEMP_URL}/accessv2") |
Copilot uses AI. Check for mistakes.
deploy/kemplm.sh
Outdated
| # Do not check for a valid SSL certificate | ||
| export HTTPS_INSECURE=1 | ||
|
|
||
| # Check if certificate is already installed | ||
| _info "Check if certificate is already present" | ||
| _post_request="{\"cmd\": \"listcert\", \"apikey\": \"${DEPLOY_KEMP_TOKEN}\"}" | ||
| _debug3 _post_request "${_post_request}" | ||
| _kemp_cert_count=$(_post "${_post_request}" "${DEPLOY_KEMP_URL}/accessv2" | jq -r '.cert[] | .name' | grep -c "${_kemp_domain}") |
There was a problem hiding this comment.
Exporting HTTPS_INSECURE=1 disables SSL verification globally, which can introduce security risks elsewhere. Consider passing an explicit --insecure flag (or equivalent) to only the API client command, or scope the environment variable more narrowly.
| # Do not check for a valid SSL certificate | |
| export HTTPS_INSECURE=1 | |
| # Check if certificate is already installed | |
| _info "Check if certificate is already present" | |
| _post_request="{\"cmd\": \"listcert\", \"apikey\": \"${DEPLOY_KEMP_TOKEN}\"}" | |
| _debug3 _post_request "${_post_request}" | |
| _kemp_cert_count=$(_post "${_post_request}" "${DEPLOY_KEMP_URL}/accessv2" | jq -r '.cert[] | .name' | grep -c "${_kemp_domain}") | |
| # Check if certificate is already installed | |
| _info "Check if certificate is already present" | |
| _post_request="{\"cmd\": \"listcert\", \"apikey\": \"${DEPLOY_KEMP_TOKEN}\"}" | |
| _debug3 _post_request "${_post_request}" | |
| _kemp_cert_count=$(HTTPS_INSECURE=1 _post "${_post_request}" "${DEPLOY_KEMP_URL}/accessv2" | jq -r '.cert[] | .name' | grep -c "${_kemp_domain}") |
Copilot uses AI. Check for mistakes.
|
Thank you for the feedback and I'm sorry if this script is not up with the standards, I'm not a developer and this is my first contribution to this project. I implemented all the givem suggestions. |
|
add the usage here: |
I've added the usage to the wiki page: https://github.com/acmesh-official/acme.sh/wiki/deployhooks#38-deploy-to-kemp-loadmaster-load-balancer |
This is a small script to deploy certs to a Kemp Loadmaster via API.