dokku · josegonzalez · Aug 6, 2023 · Aug 1, 2023
diff --git a/docs/development/plugin-triggers.md b/docs/development/plugin-triggers.md
@@ -297,6 +297,21 @@ set -eo pipefail; [[ $DOKKU_TRACE ]] && set -x
 # TODO
 ```
 
+### `certs-force`
+
+- Description: Echos `true` if a cert should be simulated for the app, no output otherwise
+- Invoked by:
+- Arguments: `$APP`
+- Example:
+
+```shell
+#!/usr/bin/env bash
+
+set -eo pipefail; [[ $DOKKU_TRACE ]] && set -x
+
+# TODO
+```
+
 ### `check-deploy`
 
 - Description: Allows you to run checks on a deploy before Dokku allows the container to handle requests.

diff --git a/docs/networking/proxies/openresty.md b/docs/networking/proxies/openresty.md
@@ -0,0 +1,164 @@
+# OpenResty Proxy
+
+> New as of 0.31.0
+
+Dokku can provide integration with the [OpenResty](https://openresty.org/) proxy service by utilizing the Docker label-based integration implemented by [openresty-docker-proxy](https://github.com/dokku/openresty-docker-proxy).
+
+```
+openresty:report [<app>] [<flag>]            # Displays a openresty report for one or more apps
+openresty:logs [--num num] [--tail]          # Display openresty log output
+openresty:set <app> <property> (<value>)     # Set or clear an openresty property for an app
+openresty:show-config <app>                  # Display openresty compose config
+openresty:start                              # Starts the openresty server
+openresty:stop                               # Stops the openresty server
+```
+
+## Requirements
+
+Using the `openresty` plugin integration requires the `docker-compose-plugin` for Docker. See [this document](https://docs.docker.com/compose/install/) from the Docker documentation for more information on the installation process for the `docker-compose-plugin`.
+
+## Usage
+
+> Warning: As using multiple proxy plugins on a single Dokku installation can lead to issues routing requests to apps, doing so should be avoided. As the default proxy implementation is nginx, users are encouraged to stop the nginx service before switching to OpenResty.
+
+The OpenResty plugin has specific rules for routing requests:
+
+- OpenResty integration is exposed via docker labels attached to containers. Changes in labels require either app deploys or rebuilds.
+- While OpenResty will respect labels associated with other containers, only `web` containers have OpenResty labels injected by the plugin.
+- Only `http:80` and `https:443` port mappings are supported at this time.
+- Requests are routed as soon as the container is running and passing healthchecks.
+
+### Switching to OpenResty
+
+To use the OpenResty plugin, use the `proxy:set` command for the app in question:
+
+```shell
+dokku proxy:set node-js-app openresty
+```
+
+This will enable the docker label-based OpenResty integration. All future deploys will inject the correct labels for OpenResty to read and route requests to containers. Due to the docker label-based integration used by OpenResty, a single deploy or rebuild will be required before requests will route successfully.
+
+```shell
+dokku ps:rebuild node-js-app
+```
+
+Any changes to domains or port mappings will also require either a deploy or rebuild.
+
+### Starting OpenResty container
+
+OpenResty can be started via the `openresty:start` command. This will start a OpenResty container via the `docker compose up` command.
+
+```shell
+dokku openresty:start
+```
+
+### Stopping the OpenResty container
+
+OpenResty may be stopped via the `openresty:stop` command.
+
+```shell
+dokku openresty:stop
+```
+
+The OpenResty container will be stopped and removed from the system. If the container is not running, this command will do nothing.
+
+### Showing the OpenResty compose config
+
+For debugging purposes, it may be useful to show the OpenResty compose config. This can be achieved via the `openresty:show-config` command.
+
+```shell
+dokku openresty:show-config
+```
+
+### Customizing the OpenResty container image
+
+While the default OpenResty image is hardcoded, users may specify an alternative by setting the `image` property with the `--global` flag:
+
+```shell
+dokku openresty:set --global image dokku/openresty-docker-proxy:0.5.6
+```
+
+#### Checking the OpenResty container's logs
+
+It may be necessary to check the OpenResty container's logs to ensure that OpenResty is operating as expected. This can be performed with the `openresty:logs` command.
+
+```shell
+dokku openresty:logs
+```
+
+This command also supports the following modifiers:
+
+```shell
+--num NUM        # the number of lines to display
+--tail           # continually stream logs
+```
+
+You can use these modifiers as follows:
+
+```shell
+dokku openresty:logs --tail --num 10
+```
+
+The above command will show logs continually from the openresty container, with an initial history of 10 log lines
+
+### SSL Configuration
+
+The OpenResty plugin only supports automatic ssl certificates from it's letsencrypt integration. Managed certificates provided by the `certs` plugin are ignored.
+
+#### Enabling letsencrypt integration
+
+By default, letsencrypt is disabled and https port mappings are ignored. To enable, set the `letsencrypt-email` property with the `--global` flag:
+
+```shell
+dokku openresty:set --global letsencrypt-email automated@dokku.sh
+```
+
+After enabling, the OpenResty container will need to be restarted and apps will need to be rebuilt. All http requests will then be redirected to https.
+
+#### Customizing the letsencrypt server
+
+The letsencrypt integration is set to the production letsencrypt server by default. To change this, set the `letsencrypt-server` property with the `--global` flag:
+
+```shell
+dokku openresty:set --global letsencrypt-server https://acme-staging-v02.api.letsencrypt.org/directory
+```
+
+After enabling, the OpenResty container will need to be restarted and apps will need to be rebuilt to retrieve certificates from the new server.
+
+## Displaying OpenResty reports for an app
+
+You can get a report about the app's OpenResty config using the `openresty:report` command:
+
+```shell
+dokku openresty:report
+```
+
+```
+=====> node-js-app openresty information
+       Openresty image:                   dokku/openresty-docker-proxy:0.5.6
+       Openresty letsencrypt email:       automated@dokku.sh
+=====> python-app openresty information
+       Openresty image:                   dokku/openresty-docker-proxy:0.5.6
+       Openresty letsencrypt email:       automated@dokku.sh
+=====> ruby-app openresty information
+       Openresty image:                   dokku/openresty-docker-proxy:0.5.6
+       Openresty letsencrypt email:       automated@dokku.sh
+```
+
+You can run the command for a specific app also.
+
+```shell
+dokku openresty:report node-js-app
+```
+
+```
+=====> node-js-app openresty information
+       Openresty image:                   dokku/openresty-docker-proxy:0.5.6
+       Openresty letsencrypt email:       automated@dokku.sh
+```
+
+You can pass flags which will output only the value of the specific information you want. For example:
+
+```shell
+dokku openresty:report node-js-app --openresty-letsencrypt-email
+```
diff --git a/docs/template.html b/docs/template.html
@@ -178,6 +178,7 @@
             <a href="/{{NAME}}/networking/proxies/caddy/" class="list-group-item">Caddy Proxy</a>
             <a href="/{{NAME}}/networking/proxies/haproxy/" class="list-group-item">Haproxy Proxy</a>
             <a href="/{{NAME}}/networking/proxies/nginx/" class="list-group-item">Nginx Proxy</a>
+            <a href="/{{NAME}}/networking/proxies/openresty/" class="list-group-item">Openresty Proxy</a>
             <a href="/{{NAME}}/networking/proxies/traefik/" class="list-group-item">Traefik Proxy</a>
 
             <a href="#" class="list-group-item disabled">Advanced Usage</a>

diff --git a/dokku b/dokku
@@ -143,6 +143,9 @@ execute_dokku_cmd() {
     nginx | nginx:*)
       local PLUGIN_NAME=${PLUGIN_NAME/nginx/nginx-vhosts}
       ;;
+    openresty | openresty:*)
+      local PLUGIN_NAME=${PLUGIN_NAME/openresty/openresty-vhosts}
+      ;;
     traefik | traefik:*)
       local PLUGIN_NAME=${PLUGIN_NAME/traefik/traefik-vhosts}
       ;;

diff --git a/plugins/20_events/certs-force b/plugins/20_events/certs-force
@@ -0,0 +1 @@
+hook
diff --git a/plugins/caddy-vhosts/certs-force b/plugins/caddy-vhosts/certs-force
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+set -eo pipefail
+[[ $DOKKU_TRACE ]] && set -x
+source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions"
+source "$PLUGIN_AVAILABLE_PATH/caddy-vhosts/internal-functions"
+
+trigger-caddy-vhosts-certs-force() {
+  declare desc="caddy-vhosts certs-force plugin trigger"
+  declare trigger="certs-force"
+  declare APP="$1"
+
+  if [[ "$(plugn trigger proxy-type "$APP")" != "caddy" ]]; then
+    return
+  fi
+
+  if [[ -n "$(fn-caddy-letsencrypt-email)" ]]; then
+    echo true
+  fi
+}
+
+trigger-caddy-vhosts-certs-force "$@"
diff --git a/plugins/common/functions b/plugins/common/functions
@@ -506,6 +506,63 @@ copy_from_image() {
   fi
 }
 
+copy_dir_from_image() {
+  declare desc="copy a directory from named image to destination"
+  declare IMAGE="$1" SRC_DIR="$2" DST_DIR="$3"
+  local WORK_DIR=""
+
+  local DOCKER_CREATE_LABEL_ARGS="--label=com.dokku.app-name=$APP"
+
+  if verify_image "$IMAGE"; then
+    if ! is_abs_path "$SRC_DIR"; then
+      if is_image_cnb_based "$IMAGE"; then
+        WORKDIR="/workspace"
+      elif is_image_herokuish_based "$IMAGE" "$APP"; then
+        WORKDIR="/app"
+      else
+        WORKDIR="$("$DOCKER_BIN" image inspect --format '{{.Config.WorkingDir}}' "$IMAGE")"
+      fi
+
+      if [[ -n "$WORKDIR" ]]; then
+        SRC_DIR="${WORKDIR}/${SRC_DIR}"
+      fi
+    fi
+
+    TMP_DIR_COMMAND_OUTPUT=$(mktemp -d "/tmp/dokku-${DOKKU_PID}-${FUNCNAME[0]}.XXXXXX")
+    trap "rm -rf '$TMP_DIR_COMMAND_OUTPUT' &>/dev/null || true" RETURN
+
+    local CID=$("$DOCKER_BIN" container create "${DOCKER_CREATE_LABEL_ARGS[@]}" $DOKKU_GLOBAL_RUN_ARGS "$IMAGE")
+    "$DOCKER_BIN" container cp "$CID:$SRC_DIR" "$TMP_DIR_COMMAND_OUTPUT" 2>/dev/null || true
+    "$DOCKER_BIN" container rm --force "$CID" &>/dev/null
+    plugn trigger scheduler-register-retired "$APP" "$CID"
+
+    # docker cp exits with status 1 when run as non-root user when it tries to chown the file
+    # after successfully copying the file. Thus, we suppress stderr.
+    # ref: https://github.com/dotcloud/docker/issues/3986
+    if [[ ! -d "$TMP_DIR_COMMAND_OUTPUT" ]]; then
+      return 1
+    fi
+
+    pushd "$TMP_DIR_COMMAND_OUTPUT" >/dev/null
+    for filename in *; do
+      if [[ ! -f "$TMP_DIR_COMMAND_OUTPUT/$filename" ]]; then
+        continue
+      fi
+
+      # workaround for CHECKS file when owner is root. seems to only happen when running inside docker
+      dos2unix -l <"$TMP_DIR_COMMAND_OUTPUT/$filename" >"$DST_DIR/$filename"
+
+      # add trailing newline for certain places where file parsing depends on it
+      if [[ "$(tail -c1 "$DST_DIR/$filename")" != "" ]]; then
+        echo "" >>"$DST_DIR/$filename"
+      fi
+    done
+    popd &>/dev/null || pushd "/tmp" >/dev/null
+  else
+    return 1
+  fi
+}
+
 get_app_container_ids() {
   declare desc="returns list of docker container ids for given app and optional container_type"
   local APP="$1"

diff --git a/plugins/common/subprocess.go b/plugins/common/subprocess.go
@@ -124,6 +124,12 @@ func PlugnTriggerOutput(triggerName string, args ...string) ([]byte, error) {
 	return readStdout, err
 }
 
+// PlugnTriggerOutputAsString fires the given plugn trigger with the given args and returns the string contents instead of bytes
+func PlugnTriggerOutputAsString(triggerName string, args ...string) (string, error) {
+	b, err := PlugnTriggerOutput(triggerName, args...)
+	return strings.TrimSpace(string(b[:])), err
+}
+
 // PlugnTriggerSetup sets up a plugn trigger call
 func PlugnTriggerSetup(triggerName string, args ...string) *sh.Session {
 	shellArgs := make([]interface{}, len(args)+2)

diff --git a/plugins/haproxy-vhosts/certs-force b/plugins/haproxy-vhosts/certs-force
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+set -eo pipefail
+[[ $DOKKU_TRACE ]] && set -x
+source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions"
+source "$PLUGIN_AVAILABLE_PATH/haproxy-vhosts/internal-functions"
+
+trigger-haproxy-vhosts-certs-force() {
+  declare desc="haproxy-vhosts certs-force plugin trigger"
+  declare trigger="certs-force"
+  declare APP="$1"
+
+  if [[ "$(plugn trigger proxy-type "$APP")" != "haproxy" ]]; then
+    return
+  fi
+
+  if [[ -n "$(fn-haproxy-letsencrypt-email)" ]]; then
+    echo true
+  fi
+}
+
+trigger-haproxy-vhosts-certs-force "$@"