[docker-restapi]: Fix authentication in restapi (#4383)
- Enabling the http/https endpoint and mounting the certificates directory
- Updating the sonic-restapi submodule
parent
2f66b4c545
commit
23aed5ae6a
@ -20,6 +20,9 @@ RUN apt-get update
|
||||
## Clean up
|
||||
RUN apt-get clean -y; apt-get autoclean -y; apt-get autoremove -y
|
||||
|
||||
COPY ["start.sh", "restapi.sh", "/usr/bin/"]
|
||||
COPY ["supervisord.conf", "/etc/supervisor/conf.d/"]
|
||||
COPY ["files/supervisor-proc-exit-listener", "/usr/bin"]
|
||||
COPY ["critical_processes", "/etc/supervisor"]
|
||||
|
||||
ENTRYPOINT ["/usr/bin/supervisord"]
|
||||
|
@ -0,0 +1,7 @@
|
||||
###############################################################################
|
||||
## Monit configuration for restapi container
|
||||
## process list:
|
||||
## restapi
|
||||
###############################################################################
|
||||
check process restapi matching "/usr/sbin/go-server-server"
|
||||
if does not exist for 5 times within 5 cycles then alert
|
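--- a/dockers/docker-sonic-restapi/critical_processes
+++ b/dockers/docker-sonic-restapi/critical_processes
@@ -0,0 +1 @@
+restapi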
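--- a/dockers/docker-sonic-restapi/restapi.sh
+++ b/dockers/docker-sonic-restapi/restapi.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+RESTAPI_ARGS=""
+while true
+do
+client_auth=`sonic-cfggen -d -v "RESTAPI['config']['client_auth']"`
+if [[ $client_auth == 'true' ]]; then
+certs=`sonic-cfggen -d -v "RESTAPI['certs']"`
+allow_insecure=`sonic-cfggen -d -v "RESTAPI['config']['allow_insecure']"`
+if [[ $allow_insecure == 'true' ]]; then
+RESTAPI_ARGS=" -enablehttp=true"
+else
+RESTAPI_ARGS=" -enablehttp=false"
+fi
+if [[ -n "$certs" ]]; then
+SERVER_CRT=`sonic-cfggen -d -v "RESTAPI['certs']['server_crt']"`
+SERVER_KEY=`sonic-cfggen -d -v "RESTAPI['certs']['server_key']"`
+CLIENT_CA_CRT=`sonic-cfggen -d -v "RESTAPI['certs']['client_ca_crt']"`
+CLIENT_CRT_CNAME=`sonic-cfggen -d -v "RESTAPI['certs']['client_crt_cname']"`
+if [[ -f $SERVER_CRT && -f $SERVER_KEY && -f $CLIENT_CA_CRT ]]; then
+RESTAPI_ARGS+=" -enablehttps=true -servercert=$SERVER_CRT -serverkey=$SERVER_KEY -clientcert=$CLIENT_CA_CRT -clientcertcommonname=$CLIENT_CRT_CNAME"
+break
+fi
+fi
+fi
+logger "Waiting for certificates..."
+sleep 60
+done
+
+LOG_LEVEL=`sonic-cfggen -d -v "RESTAPI['config']['log_level']"`
+if [ ! -z $LOG_LEVEL ]; then
+RESTAPI_ARGS+=" -loglevel=$LOG_LEVEL"
+else
+RESTAPI_ARGS+=" -loglevel=trace"
+fi
+
+logger "RESTAPI_ARGS: $RESTAPI_ARGS"
+exec /usr/sbin/go-server-server ${RESTAPI_ARGS}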
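Review bot: `exec /usr/sbin/go-server-server ${RESTAPI_ARGS}` on the last line expands a flat string unquoted, so every value read from the config database (the certificate paths and `client_crt_cname`) is word-split and glob-expanded before it reaches the server; a common name containing a space would arrive as extra arguments. Building `RESTAPI_ARGS` as a bash array and expanding it as `"${RESTAPI_ARGS[@]}"` keeps each value in a single argument, as in the excerpt below, and the unquoted `[ ! -z $LOG_LEVEL ]` test has the same weakness. Separately, the wait loop checks that the three certificate files exist but not that `CLIENT_CRT_CNAME` is non-empty. How go-server-server treats an empty `-clientcertcommonname=` is not visible here and should be confirmed before relying on the common-name check.

```shell
RESTAPI_ARGS=()
# … unchanged: while loop header, client_auth / certs / allow_insecure lookups …
        if [[ $allow_insecure == 'true' ]]; then
            RESTAPI_ARGS=("-enablehttp=true")
        else
            RESTAPI_ARGS=("-enablehttp=false")
        fi
# … unchanged: server_crt / server_key / client_ca_crt / client_crt_cname lookups …
            if [[ -f "$SERVER_CRT" && -f "$SERVER_KEY" && -f "$CLIENT_CA_CRT" ]]; then
                RESTAPI_ARGS+=(
                    "-enablehttps=true"
                    "-servercert=$SERVER_CRT"
                    "-serverkey=$SERVER_KEY"
                    "-clientcert=$CLIENT_CA_CRT"
                    "-clientcertcommonname=$CLIENT_CRT_CNAME"
                )
                break
            fi
# … unchanged: logger "Waiting for certificates...", sleep, done, LOG_LEVEL lookup …
if [[ -n "$LOG_LEVEL" ]]; then
    RESTAPI_ARGS+=("-loglevel=$LOG_LEVEL")
else
    RESTAPI_ARGS+=("-loglevel=trace")
fi

logger "RESTAPI_ARGS: ${RESTAPI_ARGS[*]}"
exec /usr/sbin/go-server-server "${RESTAPI_ARGS[@]}"
```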
@ -6,5 +6,4 @@ echo "# Config files managed by sonic-config-engine" > /var/sonic/config_status
|
||||
rm -f /var/run/rsyslogd.pid
|
||||
|
||||
supervisorctl start rsyslogd
|
||||
|
||||
supervisorctl start restapi
|
||||
|
@ -3,10 +3,32 @@ logfile_maxbytes=1MB
|
||||
logfile_backups=2
|
||||
nodaemon=true
|
||||
|
||||
[program:restapi]
|
||||
command=/usr/sbin/go-server-server -loglevel trace
|
||||
[eventlistener:supervisor-proc-exit-listener]
|
||||
command=/usr/bin/supervisor-proc-exit-listener --container-name restapi
|
||||
events=PROCESS_STATE_EXITED
|
||||
autostart=true
|
||||
autorestart=false
|
||||
|
||||
[program:start.sh]
|
||||
command=/usr/bin/start.sh
|
||||
priority=1
|
||||
autostart=true
|
||||
autorestart=false
|
||||
stdout_logfile=/tmp/rest-api.out.log
|
||||
stderr_logfile=/tmp/rest-api.err.log
|
||||
stdout_logfile=syslog
|
||||
stderr_logfile=syslog
|
||||
|
||||
[program:restapi]
|
||||
command=/usr/bin/restapi.sh
|
||||
priority=1
|
||||
autostart=false
|
||||
autorestart=true
|
||||
stdout_logfile=syslog
|
||||
stderr_logfile=syslog
|
||||
|
||||
[program:rsyslogd]
|
||||
command=/usr/sbin/rsyslogd -n
|
||||
priority=2
|
||||
autostart=false
|
||||
autorestart=true
|
||||
stdout_logfile=syslog
|
||||
stderr_logfile=syslog
|
||||
|
@ -18,5 +18,11 @@ endif
|
||||
|
||||
$(DOCKER_RESTAPI)_CONTAINER_NAME = restapi
|
||||
$(DOCKER_RESTAPI)_RUN_OPT += --cap-add NET_ADMIN --privileged -t
|
||||
$(DOCKER_RESTAPI)_RUN_OPT += --network="host"
|
||||
$(DOCKER_RESTAPI)_RUN_OPT += -v /var/run/redis/redis.sock:/var/run/redis/redis.sock
|
||||
$(DOCKER_RESTAPI)_RUN_OPT += -v /etc/sonic/certificates:/etc/sonic/certificates:ro
|
||||
$(DOCKER_RESTAPI)_RUN_OPT += -p=8081:8081/tcp
|
||||
$(DOCKER_RESTAPI)_RUN_OPT += -p=8090:8090/tcp
|
||||
|
||||
$(DOCKER_RESTAPI)_FILES += $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT)
|
||||
$(DOCKER_RESTAPI)_BASE_IMAGE_FILES += monit_restapi:/etc/monit/conf.d
|
||||
|
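Review bot: The `-p=8081:8081/tcp` and `-p=8090:8090/tcp` options have no effect while the container also runs with `--network="host"` two lines above them, because Docker discards published ports in host network mode. The REST endpoints are then bound directly on whatever host interfaces the server listens on, with no Docker-level port mapping in between. Either drop the two `-p` lines or add a comment such as `# host networking: -p is ignored, restrict 8081/8090 with host firewall rules`. The same run options keep `--privileged` for a network-facing service, so a flaw in the API process is not contained by the container; it is worth checking whether `--cap-add NET_ADMIN` alone would suffice. Which of these lines the commit adds, as opposed to leaving as context, cannot be recovered from this rendering.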
@ -1 +1 @@
|
||||
Subproject commit 163ee272ae992f5885990dcca6552cd86b74391a
|
||||
Subproject commit c219e3da28fb20b63b065ceb1828125593d73f14
|