[docker-restapi]: Fix authentication in restapi (#4383)
- enabling http/https endpoint and mounting the certificates directory - updating the sonic-restapi submodule
parent
2f66b4c545
commit
23aed5ae6a
@ -20,6 +20,9 @@ RUN apt-get update
|
|||||||
## Clean up
|
## Clean up
|
||||||
RUN apt-get clean -y; apt-get autoclean -y; apt-get autoremove -y
|
RUN apt-get clean -y; apt-get autoclean -y; apt-get autoremove -y
|
||||||
|
|
||||||
|
COPY ["start.sh", "restapi.sh", "/usr/bin/"]
|
||||||
COPY ["supervisord.conf", "/etc/supervisor/conf.d/"]
|
COPY ["supervisord.conf", "/etc/supervisor/conf.d/"]
|
||||||
|
COPY ["files/supervisor-proc-exit-listener", "/usr/bin"]
|
||||||
|
COPY ["critical_processes", "/etc/supervisor"]
|
||||||
|
|
||||||
ENTRYPOINT ["/usr/bin/supervisord"]
|
ENTRYPOINT ["/usr/bin/supervisord"]
|
||||||
|
@ -0,0 +1,7 @@
|
|||||||
|
###############################################################################
|
||||||
|
## Monit configuration for restapi container
|
||||||
|
## process list:
|
||||||
|
## restapi
|
||||||
|
###############################################################################
|
||||||
|
check process restapi matching "/usr/sbin/go-server-server"
|
||||||
|
if does not exist for 5 times within 5 cycles then alert
|
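--- a/dockers/docker-sonic-restapi/critical_processes
+++ b/dockers/docker-sonic-restapi/critical_processes
@@ -0,0 +1 @@
+restapi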
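--- a/dockers/docker-sonic-restapi/restapi.sh
+++ b/dockers/docker-sonic-restapi/restapi.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+RESTAPI_ARGS=""
+while true
+do
+client_auth=`sonic-cfggen -d -v "RESTAPI['config']['client_auth']"`
+if [[ $client_auth == 'true' ]]; then
+certs=`sonic-cfggen -d -v "RESTAPI['certs']"`
+allow_insecure=`sonic-cfggen -d -v "RESTAPI['config']['allow_insecure']"`
+if [[ $allow_insecure == 'true' ]]; then
+RESTAPI_ARGS=" -enablehttp=true"
+else
+RESTAPI_ARGS=" -enablehttp=false"
+fi
+if [[ -n "$certs" ]]; then
+SERVER_CRT=`sonic-cfggen -d -v "RESTAPI['certs']['server_crt']"`
+SERVER_KEY=`sonic-cfggen -d -v "RESTAPI['certs']['server_key']"`
+CLIENT_CA_CRT=`sonic-cfggen -d -v "RESTAPI['certs']['client_ca_crt']"`
+CLIENT_CRT_CNAME=`sonic-cfggen -d -v "RESTAPI['certs']['client_crt_cname']"`
+if [[ -f $SERVER_CRT && -f $SERVER_KEY && -f $CLIENT_CA_CRT ]]; then
+RESTAPI_ARGS+=" -enablehttps=true -servercert=$SERVER_CRT -serverkey=$SERVER_KEY -clientcert=$CLIENT_CA_CRT -clientcertcommonname=$CLIENT_CRT_CNAME"
+break
+fi
+fi
+fi
+logger "Waiting for certificates..."
+sleep 60
+done
+
+LOG_LEVEL=`sonic-cfggen -d -v "RESTAPI['config']['log_level']"`
+if [ ! -z $LOG_LEVEL ]; then
+RESTAPI_ARGS+=" -loglevel=$LOG_LEVEL"
+else
+RESTAPI_ARGS+=" -loglevel=trace"
+fi
+
+logger "RESTAPI_ARGS: $RESTAPI_ARGS"
+exec /usr/sbin/go-server-server ${RESTAPI_ARGS}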
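Review bot: `RESTAPI_ARGS` is assembled as one string from CONFIG_DB values and expanded unquoted in `exec /usr/sbin/go-server-server ${RESTAPI_ARGS}`, so a certificate path, common name or log level containing whitespace or glob characters is word-split into extra server arguments, including the flags that decide whether plain HTTP is enabled and which client CN is accepted. Building the arguments as a bash array and expanding it as `"${RESTAPI_ARGS[@]}"` keeps each configured value inside a single argument; `[ ! -z $LOG_LEVEL ]` has the same unquoted-expansion problem. The `-f` test also does not check that `client_crt_cname` is non-empty, and how go-server-server treats an empty `-clientcertcommonname=` is not visible here, so that case is worth rejecting or at least logging. Separately, when `client_auth` is not `true` the loop never exits and keeps logging "Waiting for certificates...", which hides the real reason the service is not running.

```shell
RESTAPI_ARGS=()
# … unchanged: while loop, client_auth / certs / allow_insecure lookups …
if [[ $allow_insecure == 'true' ]]; then
    RESTAPI_ARGS=(-enablehttp=true)
else
    RESTAPI_ARGS=(-enablehttp=false)
fi
# … unchanged: server_crt, server_key, client_ca_crt, client_crt_cname lookups …
if [[ -f $SERVER_CRT && -f $SERVER_KEY && -f $CLIENT_CA_CRT ]]; then
    RESTAPI_ARGS+=(-enablehttps=true "-servercert=$SERVER_CRT" "-serverkey=$SERVER_KEY")
    RESTAPI_ARGS+=("-clientcert=$CLIENT_CA_CRT" "-clientcertcommonname=$CLIENT_CRT_CNAME")
    break
fi
# … unchanged: wait-and-retry, log_level lookup …
if [[ -n $LOG_LEVEL ]]; then
    RESTAPI_ARGS+=("-loglevel=$LOG_LEVEL")
else
    RESTAPI_ARGS+=(-loglevel=trace)
fi

logger "RESTAPI_ARGS: ${RESTAPI_ARGS[*]}"
exec /usr/sbin/go-server-server "${RESTAPI_ARGS[@]}"
```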
@ -6,5 +6,4 @@ echo "# Config files managed by sonic-config-engine" > /var/sonic/config_status
|
|||||||
rm -f /var/run/rsyslogd.pid
|
rm -f /var/run/rsyslogd.pid
|
||||||
|
|
||||||
supervisorctl start rsyslogd
|
supervisorctl start rsyslogd
|
||||||
|
|
||||||
supervisorctl start restapi
|
supervisorctl start restapi
|
||||||
|
@ -3,10 +3,32 @@ logfile_maxbytes=1MB
|
|||||||
logfile_backups=2
|
logfile_backups=2
|
||||||
nodaemon=true
|
nodaemon=true
|
||||||
|
|
||||||
[program:restapi]
|
[eventlistener:supervisor-proc-exit-listener]
|
||||||
command=/usr/sbin/go-server-server -loglevel trace
|
command=/usr/bin/supervisor-proc-exit-listener --container-name restapi
|
||||||
|
events=PROCESS_STATE_EXITED
|
||||||
|
autostart=true
|
||||||
|
autorestart=false
|
||||||
|
|
||||||
|
[program:start.sh]
|
||||||
|
command=/usr/bin/start.sh
|
||||||
priority=1
|
priority=1
|
||||||
autostart=true
|
autostart=true
|
||||||
autorestart=false
|
autorestart=false
|
||||||
stdout_logfile=/tmp/rest-api.out.log
|
stdout_logfile=syslog
|
||||||
stderr_logfile=/tmp/rest-api.err.log
|
stderr_logfile=syslog
|
||||||
|
|
||||||
|
[program:restapi]
|
||||||
|
command=/usr/bin/restapi.sh
|
||||||
|
priority=1
|
||||||
|
autostart=false
|
||||||
|
autorestart=true
|
||||||
|
stdout_logfile=syslog
|
||||||
|
stderr_logfile=syslog
|
||||||
|
|
||||||
|
[program:rsyslogd]
|
||||||
|
command=/usr/sbin/rsyslogd -n
|
||||||
|
priority=2
|
||||||
|
autostart=false
|
||||||
|
autorestart=true
|
||||||
|
stdout_logfile=syslog
|
||||||
|
stderr_logfile=syslog
|
||||||
|
@ -18,5 +18,11 @@ endif
|
|||||||
|
|
||||||
$(DOCKER_RESTAPI)_CONTAINER_NAME = restapi
|
$(DOCKER_RESTAPI)_CONTAINER_NAME = restapi
|
||||||
$(DOCKER_RESTAPI)_RUN_OPT += --cap-add NET_ADMIN --privileged -t
|
$(DOCKER_RESTAPI)_RUN_OPT += --cap-add NET_ADMIN --privileged -t
|
||||||
|
$(DOCKER_RESTAPI)_RUN_OPT += --network="host"
|
||||||
$(DOCKER_RESTAPI)_RUN_OPT += -v /var/run/redis/redis.sock:/var/run/redis/redis.sock
|
$(DOCKER_RESTAPI)_RUN_OPT += -v /var/run/redis/redis.sock:/var/run/redis/redis.sock
|
||||||
|
$(DOCKER_RESTAPI)_RUN_OPT += -v /etc/sonic/certificates:/etc/sonic/certificates:ro
|
||||||
|
$(DOCKER_RESTAPI)_RUN_OPT += -p=8081:8081/tcp
|
||||||
$(DOCKER_RESTAPI)_RUN_OPT += -p=8090:8090/tcp
|
$(DOCKER_RESTAPI)_RUN_OPT += -p=8090:8090/tcp
|
||||||
|
|
||||||
|
$(DOCKER_RESTAPI)_FILES += $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT)
|
||||||
|
$(DOCKER_RESTAPI)_BASE_IMAGE_FILES += monit_restapi:/etc/monit/conf.d
|
||||||
|
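Review bot: The added `--network="host"` makes the `-p=8081:8081/tcp` line added below it (and the existing `-p=8090:8090/tcp`) ineffective, because Docker discards published-port mappings in host network mode; the server then listens on whatever host addresses it binds itself. Since the container also runs with `--privileged`, exposure of the REST endpoints has to be limited by the server's bind address or by host firewall/ACL rules rather than by these run options. I would drop the two `-p` lines and add a comment such as `# host networking: listening ports are set by go-server-server, not by -p` so the options do not suggest a port restriction that is not there.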
@ -1 +1 @@
|
|||||||
Subproject commit 163ee272ae992f5885990dcca6552cd86b74391a
|
Subproject commit c219e3da28fb20b63b065ceb1828125593d73f14
|