mirror of https://github.com/go-acme/lego.git synced 2025-02-12 16:06:01 +02:00

feat: add hook-timeout to run and renew commands (#2389)

Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com>
bossm8 2025-01-03 15:22:00 +01:00 committed by GitHub
parent 5f53d3e87d
commit b83c1d5f64
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 19 additions and 5 deletions


@ -25,6 +25,7 @@ const (
flgARIWaitToRenewDuration = "ari-wait-to-renew-duration"
flgReuseKey = "reuse-key"
flgRenewHook = "renew-hook"
flgRenewHookTimeout = "renew-hook-timeout"
flgNoRandomSleep = "no-random-sleep"
flgForceCertDomains = "force-cert-domains"
)
@ -109,6 +110,11 @@ func createRenew() *cli.Command {
Name: flgRenewHook,
Usage: "Define a hook. The hook is executed only when the certificates are effectively renewed.",
},
&cli.DurationFlag{
Name: flgRenewHookTimeout,
Usage: "Define the timeout for the hook execution.",
Value: 2 * time.Minute,
},
&cli.BoolFlag{
Name: flgNoRandomSleep,
Usage: "Do not add a random sleep before the renewal." +
@ -254,7 +260,7 @@ func renewForDomains(ctx *cli.Context, account *Account, keyType certcrypto.KeyT
addPathToMetadata(meta, domain, certRes, certsStorage)
return launchHook(ctx.String(flgRenewHook), meta)
return launchHook(ctx.String(flgRenewHook), ctx.Duration(flgRenewHookTimeout), meta)
}
func renewForCSR(ctx *cli.Context, account *Account, keyType certcrypto.KeyType, certsStorage *CertificatesStorage, bundle bool, meta map[string]string) error {
@ -337,7 +343,7 @@ func renewForCSR(ctx *cli.Context, account *Account, keyType certcrypto.KeyType,
addPathToMetadata(meta, domain, certRes, certsStorage)
return launchHook(ctx.String(flgRenewHook), meta)
return launchHook(ctx.String(flgRenewHook), ctx.Duration(flgRenewHookTimeout), meta)
}
func needRenewal(x509Cert *x509.Certificate, domain string, days int) bool {
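Review bot: The default `2 * time.Minute` on the `flgRenewHookTimeout` flag is a second copy of the literal that the run command uses for `flgRunHookTimeout`, where the old code had a single `120*time.Second` inside launchHook. A shared constant declared next to launchHook, for example `const defaultHookTimeout = 2 * time.Minute`, with `Value: defaultHookTimeout` in both flag definitions, would keep the two defaults from drifting apart. createRenew, renewForDomains and renewForCSR all start or end outside the hunks shown here.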


@ -23,6 +23,7 @@ const (
flgPreferredChain = "preferred-chain"
flgAlwaysDeactivateAuthorizations = "always-deactivate-authorizations"
flgRunHook = "run-hook"
flgRunHookTimeout = "run-hook-timeout"
)
func createRun() *cli.Command {
@ -75,6 +76,11 @@ func createRun() *cli.Command {
Name: flgRunHook,
Usage: "Define a hook. The hook is executed when the certificates are effectively created.",
},
&cli.DurationFlag{
Name: flgRunHookTimeout,
Usage: "Define the timeout for the hook execution.",
Value: 2 * time.Minute,
},
},
}
}
@ -129,7 +135,7 @@ func run(ctx *cli.Context) error {
addPathToMetadata(meta, cert.Domain, cert, certsStorage)
return launchHook(ctx.String(flgRunHook), meta)
return launchHook(ctx.String(flgRunHook), ctx.Duration(flgRunHookTimeout), meta)
}
func handleTOS(ctx *cli.Context, client *lego.Client) bool {
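Review bot: The `Usage` text of `flgRunHookTimeout` (and the identical text on the renew flag) names the timeout but not what an operator should expect when it expires. Since the hook runs once the certificate has been created, the help should say whether the hook process is stopped and whether the command then exits with an error; the part of launchHook that consumes the context is not visible in this commit, so the wording needs checking against it. Something like `Usage: "Define the timeout for the hook execution. The hook is stopped and an error is returned when it is exceeded.",` would do, with the same line updated in the help-output fixture. createRun and run continue outside these hunks.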


@ -10,12 +10,12 @@ import (
"time"
)
func launchHook(hook string, meta map[string]string) error {
func launchHook(hook string, timeout time.Duration, meta map[string]string) error {
if hook == "" {
return nil
}
ctxCmd, cancel := context.WithTimeout(context.Background(), 120*time.Second)
ctxCmd, cancel := context.WithTimeout(context.Background(), timeout)
defer cancel()
parts := strings.Fields(hook)
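Review bot: `timeout` reaches `context.WithTimeout` with no lower bound, so `--run-hook-timeout 0` or a negative duration produces a context that is already expired, and the hook would presumably fail immediately instead of running. The hook is often the step that installs the new certificate, so a guard right after the empty-hook check would surface that misconfiguration clearly: `if timeout <= 0 { return fmt.Errorf("hook timeout must be positive, got %s", timeout) }` (this assumes `fmt` is already imported; only the end of the import block is shown). launchHook's body continues past the end of this hunk.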


@ -74,6 +74,7 @@ OPTIONS:
--preferred-chain value If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used.
--always-deactivate-authorizations value Force the authorizations to be relinquished even if the certificate request was successful.
--run-hook value Define a hook. The hook is executed when the certificates are effectively created.
--run-hook-timeout value Define the timeout for the hook execution. (default: 2m0s)
--help, -h show help
"""
@ -98,6 +99,7 @@ OPTIONS:
--preferred-chain value If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used.
--always-deactivate-authorizations value Force the authorizations to be relinquished even if the certificate request was successful.
--renew-hook value Define a hook. The hook is executed only when the certificates are effectively renewed.
--renew-hook-timeout value Define the timeout for the hook execution. (default: 2m0s)
--no-random-sleep Do not add a random sleep before the renewal. We do not recommend using this flag if you are doing your renewals in an automated way. (default: false)
--force-cert-domains Check and ensure that the cert's domain list matches those passed in the domains argument. (default: false)
--help, -h show help