Merge pull request #8624 from dokku/8623-expose-certs-add-and-certs-remove-to-plugins-via-triggers-or-sourceable-functions

Expose certs-set and certs-remove plugin triggers
2026-05-18 05:05:46 +02:00 · 2026-05-13 00:09:47 -04:00
parent b096d0f131 b4e3d85024
commit 6cb5d472e5
8 changed files with 156 additions and 23 deletions
--- a/docs/development/plugin-triggers.md
+++ b/docs/development/plugin-triggers.md
@@ -411,6 +411,42 @@ elif [[ "$KEY_TYPE" == "key" ]]; then
 fi
 ```

+### `certs-remove`
+
+- Description: Removes the SSL cert/key pair from an app and fires the `post-certs-remove` and `post-domains-update` triggers. Fails if no app-specific SSL endpoint is defined.
+- Invoked by:
+- Arguments: `$APP`
+- Example:
+
+```shell
+#!/usr/bin/env bash
+# Removes the SSL endpoint for an app
+
+set -eo pipefail; [[ $DOKKU_TRACE ]] && set -x
+
+APP="$1"
+
+dokku certs:remove "$APP"
+```
+
+### `certs-set`
+
+- Description: Installs an SSL cert/key pair onto an app and fires the `post-certs-update` and `post-domains-update` triggers. `$CRT_FILE` and `$KEY_FILE` must be paths to readable PEM-encoded files.
+- Invoked by:
+- Arguments: `$APP $CRT_FILE $KEY_FILE`
+- Example:
+
+```shell
+#!/usr/bin/env bash
+# Installs a cert/key pair for an app
+
+set -eo pipefail; [[ $DOKKU_TRACE ]] && set -x
+
+APP="$1"; CRT_FILE="$2"; KEY_FILE="$3"
+
+dokku certs:add "$APP" "$CRT_FILE" "$KEY_FILE"
+```
+
 ### `check-deploy`

 - Description: Allows you to run checks on a deploy before Dokku allows the container to handle requests.
--- a/plugins/certs/certs-remove
+++ b/plugins/certs/certs-remove
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions"
+source "$PLUGIN_AVAILABLE_PATH/certs/internal-functions"
+set -eo pipefail
+[[ $DOKKU_TRACE ]] && set -x
+
+trigger-certs-certs-remove() {
+  declare desc="removes the SSL cert/key pair from an app"
+  declare trigger="certs-remove"
+  declare APP="$1"
+
+  verify_app_name "$APP"
+  fn-certs-remove "$APP"
+}
+
+trigger-certs-certs-remove "$@"
--- a/plugins/certs/certs-set
+++ b/plugins/certs/certs-set
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions"
+source "$PLUGIN_AVAILABLE_PATH/certs/internal-functions"
+set -eo pipefail
+[[ $DOKKU_TRACE ]] && set -x
+
+trigger-certs-certs-set() {
+  declare desc="installs an SSL cert/key pair onto an app"
+  declare trigger="certs-set"
+  declare APP="$1" CRT_FILE="$2" KEY_FILE="$3"
+
+  verify_app_name "$APP"
+  fn-certs-set "$APP" "$CRT_FILE" "$KEY_FILE"
+}
+
+trigger-certs-certs-set "$@"
--- a/plugins/certs/internal-functions
+++ b/plugins/certs/internal-functions
@@ -4,6 +4,48 @@ source "$PLUGIN_AVAILABLE_PATH/certs/functions"
 set -eo pipefail
 [[ $DOKKU_TRACE ]] && set -x

+fn-certs-set() {
+  declare desc="installs an SSL cert/key pair onto an app"
+  declare APP="$1" CRT_FILE="$2" KEY_FILE="$3"
+  local APP_SSL_PATH="$DOKKU_ROOT/$APP/tls"
+
+  if [[ -z "$CRT_FILE" ]] || [[ -z "$KEY_FILE" ]]; then
+    dokku_log_fail "Both CRT and KEY file paths are required"
+  fi
+
+  if [[ ! -r "$CRT_FILE" ]]; then
+    dokku_log_fail "CRT file specified not found, please check file paths"
+  fi
+
+  if [[ ! -r "$KEY_FILE" ]]; then
+    dokku_log_fail "KEY file specified not found, please check file paths"
+  fi
+
+  mkdir -p "$APP_SSL_PATH"
+  rm -f "$APP_SSL_PATH/server.crt" "$APP_SSL_PATH/server.key"
+  cp "$CRT_FILE" "$APP_SSL_PATH/server.crt"
+  cp "$KEY_FILE" "$APP_SSL_PATH/server.key"
+  chmod 750 "$APP_SSL_PATH"
+  chmod 640 "$APP_SSL_PATH/server.crt" "$APP_SSL_PATH/server.key"
+  plugn trigger post-certs-update "$APP"
+  plugn trigger post-domains-update "$APP"
+}
+
+fn-certs-remove() {
+  declare desc="removes the SSL cert/key pair from an app"
+  declare APP="$1"
+  local APP_SSL_PATH="$DOKKU_ROOT/$APP/tls"
+
+  if [[ ! -d "$APP_SSL_PATH" ]]; then
+    dokku_log_fail "An app-specific SSL endpoint is not defined"
+  fi
+
+  dokku_log_info1 "Removing SSL endpoint from $APP"
+  rm -rf "$APP_SSL_PATH"
+  plugn trigger post-certs-remove "$APP"
+  plugn trigger post-domains-update "$APP"
+}
+
 cmd-certs-report() {
  declare desc="displays an ssl report for one or more apps"
  declare cmd="certs:report"
--- a/plugins/certs/subcommands/add
+++ b/plugins/certs/subcommands/add
@@ -3,6 +3,7 @@ set -eo pipefail
 [[ $DOKKU_TRACE ]] && set -x
 source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions"
 source "$PLUGIN_AVAILABLE_PATH/certs/functions"
+source "$PLUGIN_AVAILABLE_PATH/certs/internal-functions"

 is_tar_import() {
  declare desc="determines if we have STDIN open in an attempt to detect a streamed tar import"
@@ -35,7 +36,6 @@ cmd-certs-set() {
  declare APP="$1" CRT_FILE="$2" KEY_FILE="$3"

  verify_app_name "$APP"
-  local APP_SSL_PATH="$DOKKU_ROOT/$APP/tls"

  if is_file_import "$CRT_FILE" "$KEY_FILE"; then
    # importing from file
@@ -53,7 +53,7 @@ cmd-certs-set() {
    elif [[ $CRT_FILE_COUNT -gt 1 ]]; then
      dokku_log_fail "Tar archive contains more than one .crt file"
    else
-      local CRT_FILE=$CRT_FILE_SEARCH
+      CRT_FILE=$CRT_FILE_SEARCH
    fi

    local KEY_FILE_SEARCH=$(find . -not -path '*/\.*' -type f | grep ".key$")
@@ -63,20 +63,13 @@ cmd-certs-set() {
    elif [[ $KEY_FILE_COUNT -gt 1 ]]; then
      dokku_log_fail "Tar archive contains more than one .key file"
    else
-      local KEY_FILE=$KEY_FILE_SEARCH
+      KEY_FILE=$KEY_FILE_SEARCH
    fi
  else
    dokku_log_fail "Tar archive containing server.crt and server.key expected on stdin"
  fi

-  mkdir -p "$APP_SSL_PATH"
-  rm -f "$APP_SSL_PATH/server.crt" "$APP_SSL_PATH/server.key"
-  cp "$CRT_FILE" "$APP_SSL_PATH/server.crt"
-  cp "$KEY_FILE" "$APP_SSL_PATH/server.key"
-  chmod 750 "$APP_SSL_PATH"
-  chmod 640 "$APP_SSL_PATH/server.crt" "$APP_SSL_PATH/server.key"
-  plugn trigger post-certs-update "$APP"
-  plugn trigger post-domains-update "$APP"
+  fn-certs-set "$APP" "$CRT_FILE" "$KEY_FILE"
 }

 cmd-certs-set "$@"
--- a/plugins/certs/subcommands/remove
+++ b/plugins/certs/subcommands/remove
@@ -2,6 +2,7 @@
 set -eo pipefail
 [[ $DOKKU_TRACE ]] && set -x
 source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions"
+source "$PLUGIN_AVAILABLE_PATH/certs/internal-functions"

 cmd-certs-remove() {
  declare desc="removes SSL cert/key from specified app"
@@ -10,16 +11,7 @@ cmd-certs-remove() {
  declare APP="$1"

  verify_app_name "$APP"
-  local APP_SSL_PATH="$DOKKU_ROOT/$APP/tls"
-
-  if [[ -d "$APP_SSL_PATH" ]]; then
-    dokku_log_info1 "Removing SSL endpoint from $APP"
-    rm -rf "$APP_SSL_PATH"
-    plugn trigger post-certs-remove "$APP"
-    plugn trigger post-domains-update "$APP"
-  else
-    dokku_log_fail "An app-specific SSL endpoint is not defined"
-  fi
+  fn-certs-remove "$APP"
 }

 cmd-certs-remove "$@"
--- a/tests/unit/certs.bats
+++ b/tests/unit/certs.bats
@@ -165,6 +165,44 @@ teardown() {
  assert_success
 }

+@test "(certs) certs-set plugin trigger" {
+  run_plugn_trigger certs-set "$TEST_APP" "$BATS_TMPDIR/tls/server.crt" "$BATS_TMPDIR/tls/server.key"
+  echo "output: $output"
+  echo "status: $status"
+  assert_success
+  [[ -f "$DOKKU_ROOT/$TEST_APP/tls/server.crt" ]]
+  [[ -f "$DOKKU_ROOT/$TEST_APP/tls/server.key" ]]
+}
+
+@test "(certs) certs-set plugin trigger missing key file" {
+  run_plugn_trigger certs-set "$TEST_APP" "$BATS_TMPDIR/tls/server.crt" "/nonexistent/server.key"
+  echo "output: $output"
+  echo "status: $status"
+  assert_failure
+  assert_output_contains "KEY file specified not found"
+}
+
+@test "(certs) certs-remove plugin trigger" {
+  run /bin/bash -c "dokku certs:add $TEST_APP $BATS_TMPDIR/tls/server.crt $BATS_TMPDIR/tls/server.key"
+  echo "output: $output"
+  echo "status: $status"
+  assert_success
+
+  run_plugn_trigger certs-remove "$TEST_APP"
+  echo "output: $output"
+  echo "status: $status"
+  assert_success
+  [[ ! -d "$DOKKU_ROOT/$TEST_APP/tls" ]]
+}
+
+@test "(certs) certs-remove plugin trigger without endpoint" {
+  run_plugn_trigger certs-remove "$TEST_APP"
+  echo "output: $output"
+  echo "status: $status"
+  assert_failure
+  assert_output_contains "An app-specific SSL endpoint is not defined"
+}
+
@test "(certs) certs:show" {
  run /bin/bash -c "dokku certs:show fake-app-name 2>&1"
  echo "output: $output"
--- a/tests/unit/test_helper.bash
+++ b/tests/unit/test_helper.bash
@@ -228,7 +228,7 @@ destroy_key() {
  rm -f /tmp/testkey* &>/dev/null || true
 }

-# Run a plugn trigger with the env vars plugn needs, capturing $output/$status via bats `run`.
+# Run a plugn trigger via `dokku plugin:trigger`, capturing $output/$status via bats `run`.
 # Optional VAR=VAL pairs before <trigger> are forwarded as extra env vars on the bash command line.
 # Usage: run_plugn_trigger [VAR=VAL ...] <trigger> <args...>
 run_plugn_trigger() {
@@ -239,7 +239,7 @@ run_plugn_trigger() {
  done
  local TRIGGER="$1"
  shift
-  run /bin/bash -c "PLUGIN_PATH=$PLUGIN_PATH PLUGIN_CORE_AVAILABLE_PATH=$PLUGIN_CORE_AVAILABLE_PATH DOKKU_LIB_ROOT=$DOKKU_LIB_ROOT${extra_env} plugn trigger $TRIGGER $* < /dev/null"
+  run /bin/bash -c "${extra_env} dokku plugin:trigger $TRIGGER $* < /dev/null"
 }

 # Run a single plugin's trigger script directly so other plugins' handlers do not fire.