entrypoint.sh
#!/bin/bash
# CLI Proxy sidecar entrypoint
#
# Connects to an external DIFC proxy (mcpg) started by the gh-aw compiler
# on the host. Uses a TCP tunnel to forward localhost:${DIFC_PORT} to
# ${DIFC_HOST}:${DIFC_PORT}, so the gh CLI can connect via localhost
# (matching the DIFC proxy's TLS cert SAN for localhost/127.0.0.1).
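set -e
echo "[cli-proxy] Starting CLI proxy sidecar..."

# PIDs of the background processes; empty until the process has been started.
NODE_PID=""
TUNNEL_PID=""

# Where the DIFC proxy's CA certificate is expected (mounted from the host by
# docker-manager.ts).
# NOTE(review): presumably a read-only mount; confirm. This file becomes a
# trust anchor for Node, so nothing inside the container should be able to
# create or replace it.
CA_CERT_PATH="/tmp/proxy-tls/ca.crt"

# External DIFC proxy host and port, set by docker-manager.ts
DIFC_HOST="${AWF_DIFC_PROXY_HOST:-host.docker.internal}"
DIFC_PORT="${AWF_DIFC_PROXY_PORT:-18443}"
echo "[cli-proxy] External DIFC proxy at ${DIFC_HOST}:${DIFC_PORT}"

#######################################
# Provisional INT/TERM handler for the start-up phase.
# The script's main handler is only installed just before the HTTP server is
# launched, so without this a stop request during the certificate wait below
# would not be handled by this script and the tunnel would not be stopped.
# Globals:   TUNNEL_PID (read)
# Outputs:   one status line on stdout
# Returns:   does not return; exits with status 0
#######################################
shutdown_during_startup() {
  echo "[cli-proxy] Shutting down..."
  if [ -n "$TUNNEL_PID" ]; then
    kill "$TUNNEL_PID" 2>/dev/null || true
    wait "$TUNNEL_PID" 2>/dev/null || true
  fi
  exit 0
}
trap shutdown_during_startup INT TERM

# Start the TCP tunnel: localhost:${DIFC_PORT} → ${DIFC_HOST}:${DIFC_PORT}
# This allows the gh CLI to connect via localhost, matching the cert's SAN.
# NOTE(review): the tunnel runs in the background and `set -e` does not react
# to a failing background job, so an early tunnel exit goes unnoticed here.
echo "[cli-proxy] Starting TCP tunnel: localhost:${DIFC_PORT} → ${DIFC_HOST}:${DIFC_PORT}"
node /app/tcp-tunnel.js "${DIFC_PORT}" "${DIFC_HOST}" "${DIFC_PORT}" &
TUNNEL_PID=$!

# Wait for CA cert to appear (mounted from host by docker-manager.ts).
# Polls once per second, for at most 30 attempts.
echo "[cli-proxy] Waiting for DIFC proxy TLS certificate..."
i=0
while [ "$i" -lt 30 ]; do
  if [ -f "$CA_CERT_PATH" ]; then
    echo "[cli-proxy] TLS certificate available"
    break
  fi
  sleep 1
  i=$((i + 1))
done

# A missing certificate is deliberately non-fatal: start-up continues.
# NOTE(review): without the CA, TLS clients are expected to reject the proxy's
# self-signed certificate rather than skip verification; confirm that
# server.js does not disable certificate checks in that case.
if [ ! -f "$CA_CERT_PATH" ]; then
  echo "[cli-proxy] WARNING: DIFC proxy TLS certificate not found within 30s, continuing without it"
fi

# Configure gh CLI to route through the DIFC proxy via the TCP tunnel
# Uses localhost because the tunnel makes the DIFC proxy appear on localhost,
# matching the self-signed cert's SAN.
export GH_HOST="localhost:${DIFC_PORT}"
export GH_REPO="${GH_REPO:-$GITHUB_REPOSITORY}"

# Only set NODE_EXTRA_CA_CERTS if the CA cert was mounted
if [ -f "$CA_CERT_PATH" ]; then
  export NODE_EXTRA_CA_CERTS="$CA_CERT_PATH"
fi
echo "[cli-proxy] gh CLI configured to route through DIFC proxy at ${GH_HOST}"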
#######################################
# Cleanup handler: stop the Node HTTP server and the TCP tunnel.
# Each process is signalled and then reaped; failures of kill/wait are
# ignored on purpose, because the process may already have exited.
# Globals:   NODE_PID, TUNNEL_PID (read; empty means "not started")
# Outputs:   one status line on stdout
#######################################
cleanup() {
  echo "[cli-proxy] Shutting down..."
  local pid
  # Same order as start-up in reverse: HTTP server first, then the tunnel.
  for pid in "$NODE_PID" "$TUNNEL_PID"; do
    [ -n "$pid" ] || continue
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
  done
}
# On INT or TERM, run cleanup and exit with status 0.
trap 'cleanup; exit 0' INT TERM

# Launch the Node.js HTTP server as a background job instead of exec'ing it:
# the shell has to stay alive for the trap above to fire on shutdown.
echo "[cli-proxy] Starting HTTP server on port 11000..."
node /app/server.js &
NODE_PID=$!

# Block until the server exits and remember its status. The `||` form keeps
# `set -e` from aborting the script when that status is non-zero.
NODE_EXIT=0
wait "$NODE_PID" || NODE_EXIT=$?

# Stop whatever is still running, then report the server's exit status.
cleanup
exit "$NODE_EXIT"