reload kong on cert change (#140)

* Add inotify-tools to apt installs * Reload Kong when CF Instance Identity certs are updated * Refactor Kong env vars into separate script * Add sidecar process for reloading kong when certs are updated * fix path issue with sidecar * fixup comments Co-authored-by: dzaslavskiy <[email protected]>
GSA-TTS · Apr 27, 2022 · ecca6f9 · ecca6f9
1 parent dde44ae
commit ecca6f9
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 14 deletions.
diff --git a/apt.yml b/apt.yml
@@ -4,3 +4,4 @@ repos:
 packages:
   - kong=2.7.1
   - gettext-base
+  - inotify-tools
diff --git a/manifest.yml b/manifest.yml
@@ -15,3 +15,7 @@ applications:
       - route: identity-idva-kong-((ENVIRONMENT_NAME)).apps.internal
     env:
       ENVIRONMENT_NAME: ((ENVIRONMENT_NAME))
+    sidecars:
+      - name: cert-watcher
+        command: ./watch-certs.sh
+        process_types: ['web']
diff --git a/run.sh b/run.sh
@@ -1,23 +1,13 @@
-#!/bin/bash
-set -e
+#!/bin/bash -e
 
-# Make location of libs configurable
-LOCAL='/home/vcap/deps/0/apt/usr/local'
-
-export LD_LIBRARY_PATH=$LOCAL/lib:$LOCAL/lib/lua/5.1/:$LOCAL/openresty/luajit/lib:$LOCAL/openresty/pcre/lib:$LOCAL/openresty/openssl111/lib:$LD_LIBRARY_PATH
-export LUA_PATH="$LOCAL/share/lua/5.1/?.lua;$LOCAL/share/lua/5.1/?/init.lua;$LOCAL/openresty/lualib/?.lua"
-export LUA_CPATH="$LOCAL/lib/lua/5.1/?.so;$LOCAL/openresty/lualib/?.so"
-export PATH=$LOCAL/bin/:$LOCAL/openresty/nginx/sbin:$LOCAL/openresty/bin:$PATH
+source ./set_kong_env.sh
 
 # Ensure references to /usr/local resolve correctly
 grep -irIl '/usr/local' ../deps/0/apt | xargs sed -i -e "s|/usr/local|$LOCAL|"
 
-export KONG_LUA_PACKAGE_PATH=$LUA_PATH
-export KONG_LUA_PACKAGE_CPATH=$LUA_CPATH
-
 # Generate the kong.yaml state file
-/home/vcap/deps/0/apt/usr/bin/envsubst < kong-config.yaml > /home/vcap/app/kong.yaml
-/home/vcap/deps/0/apt/usr/bin/envsubst < kong.conf.template > /home/vcap/app/kong.conf
+envsubst < kong-config.yaml > ~/kong.yaml
+envsubst < kong.conf.template > ~/kong.conf
 
 # Start the main Kong application.
 kong start -c ./kong.conf --v
diff --git a/set_kong_env.sh b/set_kong_env.sh
@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+# Make location of libs configurable
+LOCAL='/home/vcap/deps/0/apt/usr/local'
+
+export LD_LIBRARY_PATH=$LOCAL/lib:$LOCAL/lib/lua/5.1/:$LOCAL/openresty/luajit/lib:$LOCAL/openresty/pcre/lib:$LOCAL/openresty/openssl111/lib:$LD_LIBRARY_PATH
+export LUA_PATH="$LOCAL/share/lua/5.1/?.lua;$LOCAL/share/lua/5.1/?/init.lua;$LOCAL/openresty/lualib/?.lua"
+export LUA_CPATH="$LOCAL/lib/lua/5.1/?.so;$LOCAL/openresty/lualib/?.so"
+export PATH=$LOCAL/bin/:$LOCAL/openresty/nginx/sbin:$LOCAL/openresty/bin:$PATH
+
+export KONG_LUA_PACKAGE_PATH=$LUA_PATH
+export KONG_LUA_PACKAGE_CPATH=$LUA_CPATH
diff --git a/watch-certs.sh b/watch-certs.sh
@@ -0,0 +1,17 @@
+#!/bin/bash -e
+
+source ./set_kong_env.sh
+
+# wait to make sure the main kong process has started
+sleep 1m
+
+# Sanity check to ensure 'kong' is on the current $PATH
+kong version 
+
+instance_identity_cert_folder=$(dirname "$CF_INSTANCE_CERT")
+
+# Infinite-loop that will watch the cf instance identity certs for changes
+# and tell kong to reload its configuration if the files are updated.
+while inotifywait -q -e modify "$instance_identity_cert_folder" ; do 
+  kong reload -c ./kong.conf --v
+done