Make disabling haproxy-sockets explicit because of a change in configparser,...

Make disabling haproxy-sockets explicit because of a change in configparser, document arguments in the config file.

Make disabling haproxy-sockets explicit because of a change in configparser,...
Make disabling haproxy-sockets explicit because of a change in configparser, document arguments in the config file.
19de1f85 · Chris · b924b8f9 · 19de1f85 · 19de1f85
Commit 19de1f85 authored Sep 11, 2019 by Chris
--- a/config/stapled.conf
+++ b/config/stapled.conf
@@ -37,9 +37,14 @@ file-extensions=crt,pem,cer
 ;; ignore=[no-ocsp/*.crt, /etc/ssl/private/not_a_real_crt.pem]
 ; ignore=ssl-cert-snakeoil.key

+;; Recursively scan the paths specified by --cert-paths for certificates.
+; recursive
+
 [validity]

-;; Uncomment to update every staple at startup. Leave commented to try to
+;; Don't re-use existing ocsp files, refresh all staples regardless of their
+;; validity. By default existing staples are recycled if they are valid for
+;; longer than the minimum_validity setting. Leave commented to try to
 ;; re-use staples that are still valid long enough (See `minimum-validity`
 ;; directive)
 ; no-recycle
@@ -58,14 +63,22 @@ daemon

 ;; Amount of threads to use for the renewal process. Increasing this will only
 ;; help if the daemon is sitting idle, e.g. waiting for OCSP responses for
-;; longerperiods of time. It can help increase concurrency to a certain point
-;; but ifyou really need to fetch high volumes of staples, you should start
+;; longer periods of time. It can help increase concurrency to a certain point
+;; but if you really need to fetch high volumes of staples, you should start
 ;; more processes.
 renewal-threads=5

 ;; How long the scheduler should sleep between each scheduling attempt.
 refresh-interval=30

+;; Run only a one-off staple renewal and quit stapled when done. Note that this
+;; will still spawn the same amount of threads as a normal process would for
+;; performance reasons as well as consistency between one-off and normal runs.
+;; This setting overrides the --refresh-interval setting because a refresh is
+;; not scheduled during one-off runs. The --daemon and --no-daemon/--interactive
+;; arguments are also ignored.
+; one-off
+
 [logging]
 ;; Log to syslog, you can not set a `logdir` to only log to syslog, or
 ;; enable both at the same time. Uncomment to enable.
@@ -86,6 +99,15 @@ logdir=/var/log/stapled/
 ;; https://cbonte.github.io/haproxy-dconv/1.7/management.html#9.3-set%20ssl%20ocsp-response
 haproxy-sockets=[/var/run/haproxy/admin.sock]

+;; By default stapled will try to connect to the default socket path, which can
+;; be changed or set to an empty list by the --haproxy-sockets argument.
+;; The --no-haproxy-sockets argument explicitly disables the haproxy socket
+;; connection and overrides the --haproxy-sockets argument's paths if set.
+;; Note that this does NOT disable the --haproxy-config argument, i.e.: if a
+;; haproxy config is set, it will be parsed for certificate paths, without
+;; matching sockets.
+; no-haproxy-sockets
+
 ;; Use HAProxy config files as the source of cert-paths and socket mappings.
 ;; Setting this will merge your `cert-paths` with paths found in the specified
 ;; HAProxy config files. Sockets defined in `haproxy-sockets` will also be
@@ -103,8 +125,3 @@ haproxy-sockets=[/var/run/haproxy/admin.sock]
 ;; and/or `syslog` to prevent output on stdout while logging the set verbosity
 ;; level to a file or syslog. Uncomment to enable
 ; quiet
-
-;; Don't re-use existing ocsp files, refresh all staples regardless of their
-;; validity. By default existing staples are recycled if they are valid for
-;; longer than the minimum_validity setting.
-; no-recycle
--- a/stapled/__main__.py
+++ b/stapled/__main__.py
@@ -217,8 +217,7 @@ def get_cli_arg_parser():
    )
    parser.add(
        '--no-haproxy-sockets',
-        action='store_false',
-        dest='haproxy_sockets',
+        action='store_true',
        help=(
            "Disable HAProxy sockets, overrides ``--haproxy-sockets`` if "
            "specified in the config file."
@@ -348,8 +347,8 @@ def init():
    # config files, de-duplicated.
    cert_paths = haproxy_socket_mapping.keys()

-    # Determine if we need to start a stapleadder thread.
-    if not any(haproxy_socket_mapping.values()):
+    # Determine if we need to start a staple adder thread.
+    if args.no_haproxy_sockets or not any(haproxy_socket_mapping.values()):
        haproxy_socket_mapping = None

    daemon_kwargs = dict(
@@ -501,7 +500,7 @@ def __get_haproxy_socket_mapping(args):
        for path in paths:
            # When certificate path is already in the mapping add the socket
            # file to the mapping if haproxy_sockets is not disabled.
-            if args.haproxy_sockets is False:
+            if args.no_haproxy_sockets:
                # haproxy_sockets are disabled, just ensure the path is in the
                # mapping without sockets.
                mapping[path] = []