- Removed scope exclusion for "standard commit".
- If 'device-and-networks' is excluded (previous behaviour), a certificate for Panorama (always outside of a template) will not be committed (imported to the config but never applied to Panorama). Therefore, panos.sh was only working for certificates used in templates and applied to devices, but not for the Panorama certificate itself.
- According to the official documentation and the XML API Browser, there is no 'policy-and-objects' that can be excluded.
- Although it is not mandatory that the user account be solely dedicated to replacing certificates and to performing no other type of operation, it is recommended. If that recommendation is followed, the only changes being committed would be in relation to certificates. Therefore, it should be safe not to exclude any scopes.
- Changed the order for "force commit" from '<commit><partial><force>' (unofficial) to '<commit><force><partial>' (official). Both work, but it is recommended to use what is part of the official documentation and/or XML API Browser.
- Removed unofficial 'policy-and-objects' from commented out code (see above).
- Replaced 'exclude' with 'excluded' from commented out code, as per the official documentation. Both work, but see above.
- Replaced 'acmekeytest' with $_panos_user in the commented out code.
Official documentation: https://docs.paloaltonetworks.com/ngfw/api/pan-os-xml-api-request-types-and-actions/commit
XML API Browser: https://<PANOS HOST>/api
The previous version had bugs that were not properly using the _api_key.
It also required providing PANOS_USER and PANOS_PASSWORD, which can be very constraining.
PANOS_KEY now has precedence. If not provided, the script falls back to PANOS_USER and PANOS_PASSWORD.
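The credential precedence described in this commit (PANOS_KEY first, then a keygen call with PANOS_USER and PANOS_PASSWORD) and the official force-commit form, as an added example that is not acme.sh's panos.sh. It assumes the PANOS_HOST, PANOS_KEY, PANOS_USER and PANOS_PASSWORD environment variables and the PAN-OS XML API endpoint https://<host>/api/ with type=keygen and type=commit; curl's --data-urlencode does the URL encoding of the XML command instead of a hand-written encoder.

```shell
#!/bin/sh
# Added example, not the project's panos.sh. Assumed env vars: PANOS_HOST,
# PANOS_KEY, PANOS_USER, PANOS_PASSWORD. Assumed endpoint: https://<host>/api/
# (PAN-OS XML API, request types keygen and commit).

# Decide which credential source to use: prints "key" or "userpass",
# fails when neither is usable.
panos_auth_mode() {
  if [ -n "${PANOS_KEY:-}" ]; then
    echo key
  elif [ -n "${PANOS_USER:-}" ] && [ -n "${PANOS_PASSWORD:-}" ]; then
    echo userpass
  else
    echo "need PANOS_KEY, or both PANOS_USER and PANOS_PASSWORD" >&2
    return 1
  fi
}

# Pull the key out of a keygen response:
# <response status="success"><result><key>...</key></result></response>
panos_parse_key() {
  sed -n 's/.*<key>\([^<]*\)<\/key>.*/\1/p'
}

# Resolve the API key: PANOS_KEY wins, otherwise keygen with user/password.
panos_get_key() {
  case "$(panos_auth_mode)" in
    key) printf '%s\n' "$PANOS_KEY" ;;
    userpass)
      curl -sk -G "https://${PANOS_HOST}/api/" \
        --data-urlencode "type=keygen" \
        --data-urlencode "user=${PANOS_USER}" \
        --data-urlencode "password=${PANOS_PASSWORD}" | panos_parse_key ;;
    *) return 1 ;;
  esac
}

# Commit command in the documented form; force=1 wraps it in <force>.
panos_commit_cmd() {
  if [ "${1:-0}" = 1 ]; then
    printf '%s' '<commit><force></force></commit>'
  else
    printf '%s' '<commit></commit>'
  fi
}

# Commit with the resolved key. curl URL-encodes the XML for the query string.
panos_commit() {            # panos_commit [force]
  key=$(panos_get_key) || return 1
  curl -sk -G "https://${PANOS_HOST}/api/" \
    --data-urlencode "type=commit" \
    --data-urlencode "cmd=$(panos_commit_cmd "${1:-0}")" \
    --data-urlencode "key=${key}"
}
```

Usage: `PANOS_HOST=fw.example.test PANOS_KEY=... sh -c '. ./panos_example.sh; panos_commit 1'`. With the key taken from the environment, a user/password pair is never sent on the wire, which is the reason for giving PANOS_KEY precedence.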
kislyuk yq (used by Debian packages) does not accept `yq e` and also returns strings with double quotes.
mikefarah's yq-go (used by Alpine) accepts `yq e` and `yq`.
Replace `yq e` with `yq` and also use the `-r` switch to remove double quoting to ensure uniform return values from both yq versions.
Signed-off-by: invario <67800603+invario@users.noreply.github.com>
Before this, some deployment scripts would interact with STDIN and that would cause this loop to skip some elements. By using descriptor 3 we avoid clashing with the very common stdin and stdout.
Before this, the eval call would try to run some commands (if they were compound commands) in the yaml file on the machine running acme.sh
Eval might not be worth it for the little benefit it brings.
The config file checks were returning okay even when there were errors. The yq tool returns "null" when it cannot find what's queried, but exits with a 0 rc still.