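#!/bin/bash
# Container entry point for marathon-lb.
#
# Materialises the TLS certificate HAProxy will serve, applies optional sysctl
# tuning, writes the runit service scripts and then supervises the services.
#
# Usage:        run poll|sse [marathon_lb.py args]
# Required env: PORTS  - comma-separated list of ports HAProxy binds to
set -euo pipefail

# Default handed to marathon_lb.py's --syslog-socket further down.
SYSLOG_SOCKET=${SYSLOG_SOCKET:-/dev/null}

# runit service directories for marathon_lb.py and for HAProxy.
LB_SERVICE="/marathon-lb/service/lb"
mkdir -p -- "$LB_SERVICE"
HAPROXY_SERVICE="/marathon-lb/service/haproxy"
mkdir -p -- "$HAPROXY_SERVICE/env"

# PORTS is passed to the HAProxy service through its env directory
# (presumably consumed there via runit's env-dir mechanism).
if [ -n "${PORTS-}" ]; then
  printf '%s\n' "$PORTS" > "$HAPROXY_SERVICE/env/PORTS"
else
  echo 'Define $PORTS with a comma-separated list of ports to which HAProxy binds' >&2
  exit 1
fi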
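# Find the --ssl-certs argument if one was provided, take its value, and drop
# both words from the positional parameters so they are not passed a second
# time when "$@" is appended to the marathon_lb.py command line below.
# ssl_certs_pos ends up as the index of the value, or 0 when the flag is absent.
declare -i ssl_certs_pos=0
for ((i = 1; i <= $#; i++)); do
  if [ "${!i}" = '--ssl-certs' ]; then
    ssl_certs_pos=$((i + 1))
    break
  fi
done
if [ "$ssl_certs_pos" -gt 0 ]; then
  # A trailing --ssl-certs has no value; report that instead of tripping
  # `set -u` on the indirect expansion below.
  if [ "$ssl_certs_pos" -gt "$#" ]; then
    echo '--ssl-certs requires a value (comma-separated list of PEM files)' >&2
    exit 1
  fi
  SSL_CERTS=${!ssl_certs_pos}
  set -- "${@:1:$((ssl_certs_pos - 2))}" "${@:$((ssl_certs_pos + 1))}"
  # A certificate supplied through the environment is written to
  # /etc/ssl/cert.pem below; serve it alongside the ones named on the command line.
  if [ -n "${HAPROXY_SSL_CERT-}" ]; then
    SSL_CERTS+=",/etc/ssl/cert.pem"
  fi
else
  SSL_CERTS="/etc/ssl/cert.pem"
fi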
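if [ -n "${HAPROXY_SSL_CERT-}" ]; then
  # Certificate supplied through the environment.  The value may carry
  # backslash escape sequences (e.g. \n between PEM lines), which %b expands.
  # An HAProxy PEM bundle normally contains the private key, so create the
  # file readable by the owner only.
  (
    umask 077
    printf '%b\n' "$HAPROXY_SSL_CERT" > /etc/ssl/cert.pem
  )
  # Additional certificates may be supplied as HAPROXY_SSL_CERT0 .. HAPROXY_SSL_CERT100.
  for i in {0..100}; do
    certenv="HAPROXY_SSL_CERT$i"
    if [ -n "${!certenv-}" ]; then
      certfile="/etc/ssl/cert$i.pem"
      (
        umask 077
        printf '%b\n' "${!certenv}" > "$certfile"
      )
      SSL_CERTS+=",$certfile"
    fi
  done
elif [ "$ssl_certs_pos" -eq 0 ]; then
  # Neither the environment nor --ssl-certs provided a certificate: generate a
  # self-signed one.  Work in a private temporary directory rather than fixed
  # names under /tmp, and keep the key material readable by the owner only.
  certtmp=$(mktemp -d)
  (
    umask 077
    openssl genrsa -out "$certtmp/server-key.pem" 2048
    openssl req -new -key "$certtmp/server-key.pem" -out "$certtmp/server-csr.pem" -subj /CN=*/
    openssl x509 -req -in "$certtmp/server-csr.pem" -out "$certtmp/server-cert.pem" \
      -signkey "$certtmp/server-key.pem" -days 3650
    # HAProxy expects certificate and key concatenated in one PEM file.
    cat "$certtmp/server-cert.pem" "$certtmp/server-key.pem" > /etc/ssl/cert.pem
  )
  rm -rf -- "${certtmp:?}"
fi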
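# If the Mesos sandbox carries a templates directory, copy its contents into
# ./templates (relative to the current working directory).
if [ -n "${MESOS_SANDBOX-}" ] && [ -d "$MESOS_SANDBOX/templates" ]; then
  mkdir -p templates
  for tmpl in "$MESOS_SANDBOX/templates/"*; do
    # An empty directory leaves the glob unexpanded; skip rather than fail.
    [ -e "$tmpl" ] || continue
    cp -v -- "$tmpl" templates/
  done
fi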
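# Optional kernel tuning: HAPROXY_SYSCTL_PARAMS holds a whitespace-separated
# list of key=value settings handed to `sysctl -w`.
if [ -n "${HAPROXY_SYSCTL_PARAMS-}" ]; then
  echo "setting sysctl params to: ${HAPROXY_SYSCTL_PARAMS}"
  # Split on whitespace explicitly instead of relying on an unquoted expansion
  # (which would also glob-expand the values).
  read -r -a sysctl_params <<<"$HAPROXY_SYSCTL_PARAMS"
  if [ -n "${HAPROXY_SYSCTL_NONSTRICT-}" ]; then
    # Non-strict mode: a setting the kernel or container refuses must not
    # abort startup, so the failure is deliberately ignored.
    sysctl -w "${sysctl_params[@]}" || true
  else
    sysctl -w "${sysctl_params[@]}"
  fi
fi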
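# The first remaining positional parameter selects the marathon_lb.py mode;
# everything after it is passed through to marathon_lb.py.  Check for it
# explicitly so a missing mode yields a usage message, not an unbound-variable error.
if [ $# -lt 1 ]; then
  echo "Missing mode. Synopsis: $0 poll|sse [marathon_lb.py args]" >&2
  exit 1
fi
MODE=$1; shift
case "$MODE" in
  poll)
    # Seconds between polls; used by the runit finish script written below.
    POLL_INTERVAL="${POLL_INTERVAL:-60}"
    ARGS=""
    ;;
  sse)
    ARGS="--sse"
    ;;
  *)
    echo "Unknown mode $MODE. Synopsis: $0 poll|sse [marathon_lb.py args]" >&2
    exit 1
    ;;
esac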
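# Optionally fetch the Marathon credentials from Vault.  VAULT_URL is read
# here but is not derived from VAULT_HOST/VAULT_PORT/VAULT_PATH, so the caller
# has to provide it as well; fail with a clear message rather than an
# "unbound variable" error.
# NOTE(review): `curl -k` skips TLS verification on the request that carries
# the Vault token, and the token travels on curl's argv (visible via ps inside
# the container).  Shipping the Vault CA into the image would allow dropping -k.
if [ -n "${VAULT_TOKEN-}" ] && [ -n "${VAULT_HOST-}" ] && [ -n "${VAULT_PORT-}" ] && [ -n "${VAULT_PATH-}" ]; then
  : "${VAULT_URL:?VAULT_URL must be set when VAULT_TOKEN/VAULT_HOST/VAULT_PORT/VAULT_PATH are set}"
  # Fetch the secret once and read both fields from the same response.
  # The extraction uses the Python 2 print statement, so `python` must be Python 2.
  vault_json=$(curl -k -L -s -H "X-Vault-Token:$VAULT_TOKEN" "$VAULT_URL")
  MARATHON_LB_PASSWORD=$(python -c 'import json,sys;obj=json.load(sys.stdin);print obj["data"]["pass"]' <<<"$vault_json")
  MARATHON_LB_USER=$(python -c 'import json,sys;obj=json.load(sys.stdin);print obj["data"]["user"]' <<<"$vault_json")
  CREDENTIALS="$MARATHON_LB_USER:$MARATHON_LB_PASSWORD"
  # ARGS is interpolated verbatim into the generated /bin/sh run script, so the
  # credentials get the same printf %q escaping as the pass-through arguments
  # below; otherwise a password containing shell metacharacters would break,
  # or be interpreted by, that script.  They still end up on marathon_lb.py's argv.
  ARGS="$ARGS --auth-credentials $(printf %q "$CREDENTIALS")"
fi

# Pass every remaining argument through to marathon_lb.py, shell-escaped.
for arg in "$@"; do
  ARGS="$ARGS $(printf %q "$arg")"
done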
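# Write the runit "run" script for marathon_lb.py.  Values interpolated into
# it are escaped with printf %q because the generated file is executed by
# /bin/sh.  Inside this unquoted here-document `\<newline>` is a line
# continuation, so the written script carries the whole exec on one line.
cat > "$LB_SERVICE/run" << EOF
#!/bin/sh
exec 2>&1
cd /marathon-lb
exec /marathon-lb/marathon_lb.py \
--syslog-socket $(printf %q "$SYSLOG_SOCKET") \
--haproxy-config /marathon-lb/haproxy.cfg \
--ssl-certs $(printf %q "$SSL_CERTS") \
--command "sv reload ${HAPROXY_SERVICE}" \
$ARGS
EOF
chmod 755 "$LB_SERVICE/run"

# In poll mode a "finish" script sleeps POLL_INTERVAL seconds after each exit
# of the service (presumably marathon_lb.py returns after one pass in this
# mode and runit restarts it, so this paces the polling).
if [ "${MODE}" == "poll" ]; then
  cat > "$LB_SERVICE/finish" << EOF
#!/bin/sh
sleep $(printf %q "${POLL_INTERVAL}")
EOF
  chmod 755 "$LB_SERVICE/finish"
fi

# Supervise both services.  On TERM/INT forward SIGHUP to runsvdir (which
# tells it to stop its services and exit) and wait for it, so the container
# does not exit before the services have been shut down.
runsvdir -P /marathon-lb/service &
runsvdir_pid=$!
trap 'kill -s 1 "$runsvdir_pid"; wait "$runsvdir_pid"' TERM INT
wait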