createAutomationPolicies ensures that automated certificates for this app are managed properly. This adds up to two automation policies: one for the public names, and one for the internal names. If a catch-all automation policy exists, it will be shallow-copied and used as the base for the new ones.
| 595 | // base for the new ones (this is important for preserving behavior the |
| 596 | // user intends to be "defaults"). |
| 597 | func (app *App) createAutomationPolicies(ctx caddy.Context, internalNames, tailscaleNames []string) error { |
| 598 | // before we begin, loop through the existing automation policies |
| 599 | // and, for any ACMEIssuers we find, make sure they're filled in |
| 600 | // with default values that might be specified in our HTTP app; also |
| 601 | // look for a base (or "catch-all" / default) automation policy, |
| 602 | // which we're going to essentially require, to make sure it has |
| 603 | // those defaults, too |
| 604 | var basePolicy *caddytls.AutomationPolicy |
| 605 | var foundBasePolicy bool |
| 606 | if app.tlsApp.Automation == nil { |
| 607 | // we will expect this to not be nil from now on |
| 608 | app.tlsApp.Automation = new(caddytls.AutomationConfig) |
| 609 | } |
| 610 | for _, ap := range app.tlsApp.Automation.Policies { |
| 611 | // on-demand policies can have the tailscale manager added implicitly |
| 612 | // if there's no explicit manager configured -- for convenience |
| 613 | if ap.OnDemand && len(ap.Managers) == 0 { |
| 614 | var ts caddytls.Tailscale |
| 615 | if err := ts.Provision(ctx); err != nil { |
| 616 | return err |
| 617 | } |
| 618 | ap.Managers = []certmagic.Manager{ts} |
| 619 | |
| 620 | // must reprovision the automation policy so that the underlying |
| 621 | // CertMagic config knows about the updated Managers |
| 622 | if err := ap.Provision(app.tlsApp); err != nil { |
| 623 | return fmt.Errorf("re-provisioning automation policy: %v", err) |
| 624 | } |
| 625 | } |
| 626 | |
| 627 | // set up default issuer -- honestly, this is only |
| 628 | // really necessary because the HTTP app is opinionated |
| 629 | // and has settings which could be inferred as new |
| 630 | // defaults for the ACMEIssuer in the TLS app (such as |
| 631 | // what the HTTP and HTTPS ports are) |
| 632 | if ap.Issuers == nil { |
| 633 | var err error |
| 634 | ap.Issuers, err = caddytls.DefaultIssuersProvisioned(ctx) |
| 635 | if err != nil { |
| 636 | return err |
| 637 | } |
| 638 | } |
| 639 | for _, iss := range ap.Issuers { |
| 640 | if acmeIssuer, ok := iss.(acmeCapable); ok { |
| 641 | err := app.fillInACMEIssuer(acmeIssuer.GetACMEIssuer()) |
| 642 | if err != nil { |
| 643 | return err |
| 644 | } |
| 645 | } |
| 646 | } |
| 647 | |
| 648 | // while we're here, is this the catch-all/base policy? |
| 649 | if !foundBasePolicy && len(ap.SubjectsRaw) == 0 { |
| 650 | basePolicy = ap |
| 651 | foundBasePolicy = true |
| 652 | } |
| 653 | } |
| 654 |