

reload kong on cert change (#140)
* Add inotify-tools to apt installs

* Reload Kong when CF Instance Identity certs are updated

* Refactor Kong env vars into separate script

* Add sidecar process for reloading kong when certs are updated

* fix path issue with sidecar

* fixup comments

Co-authored-by: dzaslavskiy <[email protected]>
folksgl and dzaslavskiy authored Apr 27, 2022
1 parent dde44ae commit ecca6f9
Showing 5 changed files with 38 additions and 14 deletions.
1 change: 1 addition & 0 deletions apt.yml
Expand Up @@ -4,3 +4,4 @@ repos:
packages:
- kong=2.7.1
- gettext-base
- inotify-tools
4 changes: 4 additions & 0 deletions manifest.yml
Expand Up @@ -15,3 +15,7 @@ applications:
- route: identity-idva-kong-((ENVIRONMENT_NAME)).apps.internal
env:
ENVIRONMENT_NAME: ((ENVIRONMENT_NAME))
sidecars:
- name: cert-watcher
command: ./watch-certs.sh
process_types: ['web']
18 changes: 4 additions & 14 deletions run.sh
@@ -1,23 +1,13 @@
#!/bin/bash
set -e
#!/bin/bash -e

# Make location of libs configurable
LOCAL='/home/vcap/deps/0/apt/usr/local'

export LD_LIBRARY_PATH=$LOCAL/lib:$LOCAL/lib/lua/5.1/:$LOCAL/openresty/luajit/lib:$LOCAL/openresty/pcre/lib:$LOCAL/openresty/openssl111/lib:$LD_LIBRARY_PATH
export LUA_PATH="$LOCAL/share/lua/5.1/?.lua;$LOCAL/share/lua/5.1/?/init.lua;$LOCAL/openresty/lualib/?.lua"
export LUA_CPATH="$LOCAL/lib/lua/5.1/?.so;$LOCAL/openresty/lualib/?.so"
export PATH=$LOCAL/bin/:$LOCAL/openresty/nginx/sbin:$LOCAL/openresty/bin:$PATH
source ./set_kong_env.sh

# Ensure references to /usr/local resolve correctly
grep -irIl '/usr/local' ../deps/0/apt | xargs sed -i -e "s|/usr/local|$LOCAL|"

export KONG_LUA_PACKAGE_PATH=$LUA_PATH
export KONG_LUA_PACKAGE_CPATH=$LUA_CPATH

# Generate the kong.yaml state file
/home/vcap/deps/0/apt/usr/bin/envsubst < kong-config.yaml > /home/vcap/app/kong.yaml
/home/vcap/deps/0/apt/usr/bin/envsubst < kong.conf.template > /home/vcap/app/kong.conf
envsubst < kong-config.yaml > ~/kong.yaml
envsubst < kong.conf.template > ~/kong.conf

# Start the main Kong application.
kong start -c ./kong.conf --v
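Review bot: Moving the error flag from the explicit `set -e` into the shebang (`#!/bin/bash -e`) is a regression: the option is honoured only when the script is launched through its shebang and is silently dropped if the platform starts it as `bash run.sh` or the file is sourced, so a failing `envsubst` or the `grep | xargs sed` step would no longer abort startup. Keep `set -e` (or `set -eo pipefail`) as the first statement after the shebang; the same shebang-only form appears in the new set_kong_env.sh and watch-certs.sh, and in set_kong_env.sh it is inert in any case because that file is only ever `source`d. Separately, the new `envsubst < kong.conf.template > ~/kong.conf` writes relative to `$HOME` while the unchanged `kong start -c ./kong.conf` reads relative to the working directory; these agree on Cloud Foundry only while both resolve to /home/vcap/app, a dependency the previous explicit path did not have.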
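--- a/set_kong_env.sh
+++ b/set_kong_env.sh
@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+# Make location of libs configurable
+LOCAL='/home/vcap/deps/0/apt/usr/local'
+
+export LD_LIBRARY_PATH=$LOCAL/lib:$LOCAL/lib/lua/5.1/:$LOCAL/openresty/luajit/lib:$LOCAL/openresty/pcre/lib:$LOCAL/openresty/openssl111/lib:$LD_LIBRARY_PATH
+export LUA_PATH="$LOCAL/share/lua/5.1/?.lua;$LOCAL/share/lua/5.1/?/init.lua;$LOCAL/openresty/lualib/?.lua"
+export LUA_CPATH="$LOCAL/lib/lua/5.1/?.so;$LOCAL/openresty/lualib/?.so"
+export PATH=$LOCAL/bin/:$LOCAL/openresty/nginx/sbin:$LOCAL/openresty/bin:$PATH
+
+export KONG_LUA_PACKAGE_PATH=$LUA_PATH
+export KONG_LUA_PACKAGE_CPATH=$LUA_CPATH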
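Review bot: The `export LD_LIBRARY_PATH=...:$LD_LIBRARY_PATH` line leaves a trailing `:` whenever LD_LIBRARY_PATH is unset in the environment, and the dynamic loader treats an empty element as the current working directory, so a shared object placed in the process cwd (the app root, which run.sh also writes generated files into) would be searched before the OpenResty and system libraries. Use `${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` so the separator is only emitted when there is something to append; the `PATH` line has the same shape and is safe only because `$PATH` is always set, so the same form there would keep the two consistent. Since this file exists solely to be `source`d by run.sh and watch-certs.sh, a header comment such as `# Sourced by run.sh and watch-certs.sh to set Kong/OpenResty library and search paths; not meant to be executed directly.` would also explain why the `-e` in its shebang has no effect.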
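--- a/watch-certs.sh
+++ b/watch-certs.sh
@@ -0,0 +1,17 @@
+#!/bin/bash -e
+
+source ./set_kong_env.sh
+
+# wait to make sure the main kong process has started
+sleep 1m
+
+# Sanity check to ensure 'kong' is on the current $PATH
+kong version
+
+instance_identity_cert_folder=$(dirname "$CF_INSTANCE_CERT")
+
+# Infinite-loop that will watch the cf instance identity certs for changes
+# and tell kong to reload its configuration if the files are updated.
+while inotifywait -q -e modify "$instance_identity_cert_folder" ; do
+kong reload -c ./kong.conf --v
+done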
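Review bot: `inotifywait -q -e modify` on the cert directory only fires for in-place writes to files in that directory; if the platform rotates the identity cert by writing a new file and renaming it over the old one (the usual atomic pattern), no `modify` event is produced and Kong is never reloaded, while an in-place write fires `modify` on the first chunk, so `kong reload` can read a half-written PEM. Watching `-e close_write,moved_to,create` covers both cases: `while inotifywait -q -e close_write,moved_to,create "$instance_identity_cert_folder"; do`. `$CF_INSTANCE_CERT` is also used unchecked: if it is unset, `dirname ""` yields `.` and the sidecar quietly watches the app directory instead, so add `: "${CF_INSTANCE_CERT:?CF_INSTANCE_CERT must be set}"` before the `dirname` line. Note too that with `-e` in effect a single failed `kong reload` terminates the watcher, and `sleep 1m` is a timing guess rather than a readiness check on the main process.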
