|
2 | 2 |
|
3 | 3 | set -o pipefail -o errexit -o nounset |
4 | 4 |
|
5 | | -# Phase argument lets the Go wrapper split the script into an identity-free |
6 | | -# stage (certs/CA trust/NSS DB — runs early so chromium boots with the cert |
7 | | -# already trusted) and an identity-bound stage (template render with |
8 | | -# INST_NAME/METRO_NAME/XDS_SERVER/KERNEL_INSTANCE_JWT, then envoy start). |
9 | | -# certs — generate self-signed cert and install it in trust stores |
10 | | -# config — render bootstrap template and start envoy via supervisord |
11 | | -# all — both phases (default; preserves legacy single-call behavior) |
12 | | -PHASE="${1:-all}" |
13 | | - |
14 | | -case "$PHASE" in |
15 | | - certs|config|all) ;; |
16 | | - *) |
17 | | - echo "[envoy-init] Unknown phase: $PHASE (expected certs|config|all)" >&2 |
18 | | - exit 2 |
19 | | - ;; |
20 | | -esac |
21 | | - |
22 | | -run_certs() { |
23 | | - if [[ ! -f /etc/envoy/templates/bootstrap.yaml ]]; then |
24 | | - echo "[envoy-init] Template file /etc/envoy/templates/bootstrap.yaml not found. Skipping cert generation." |
25 | | - return 0 |
26 | | - fi |
27 | | - |
28 | | - echo "[envoy-init] Generating self-signed certificates for TLS forward proxy" |
29 | | - mkdir -p /etc/envoy/certs |
30 | | - |
31 | | - if [[ -f /etc/envoy/certs/proxy.crt && -f /etc/envoy/certs/proxy.key ]]; then |
32 | | - echo "[envoy-init] Certificates already exist, skipping generation" |
33 | | - return 0 |
34 | | - fi |
35 | | - |
36 | | - echo "[envoy-init] Creating new self-signed certificate" |
37 | | - openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \ |
38 | | - -keyout /etc/envoy/certs/proxy.key \ |
39 | | - -out /etc/envoy/certs/proxy.crt \ |
40 | | - -subj "/C=US/ST=CA/O=Kernel/CN=localhost" \ |
41 | | - -addext "subjectAltName = DNS:localhost,IP:127.0.0.1" \ |
42 | | - 2>&1 | sed 's/^/[envoy-init] /' |
43 | | - echo "[envoy-init] Certificate generated successfully" |
44 | | - |
45 | | - echo "[envoy-init] Adding certificate to system trust store" |
46 | | - cp /etc/envoy/certs/proxy.crt /usr/local/share/ca-certificates/kernel-envoy-proxy.crt |
47 | | - cp /etc/envoy/certs/proxy.crt /kernel-envoy-proxy.crt |
48 | | - update-ca-certificates 2>&1 | sed 's/^/[envoy-init] /' |
49 | | - echo "[envoy-init] Certificate added to system trust store" |
50 | | - |
51 | | - if [[ "${RUN_AS_ROOT:-}" == "true" ]]; then |
52 | | - mkdir -p /root/.pki/nssdb |
53 | | - certutil -d /root/.pki/nssdb -N --empty-password 2>/dev/null || true |
54 | | - certutil -d /root/.pki/nssdb -A -t "C,," -n "Kernel Envoy Proxy" -i /etc/envoy/certs/proxy.crt |
55 | | - echo "[envoy-init] Certificate added to nssdb as root" |
56 | | - else |
57 | | - mkdir -p /home/kernel/.pki/nssdb |
58 | | - certutil -d /home/kernel/.pki/nssdb -N --empty-password 2>/dev/null || true |
59 | | - certutil -d /home/kernel/.pki/nssdb -A -t "C,," -n "Kernel Envoy Proxy" -i /etc/envoy/certs/proxy.crt |
60 | | - chown -R kernel:kernel /home/kernel/.pki |
61 | | - echo "[envoy-init] Certificate added to nssdb as kernel" |
62 | | - fi |
63 | | -} |
64 | | - |
65 | | -run_config() { |
66 | | - # Identity envs gate the config phase: without them xDS can't bind, so |
67 | | - # render+start is a no-op on images that don't run with a JWT. |
68 | | - INSTANCE_JWT="${KERNEL_INSTANCE_JWT:-}" |
69 | | - if [[ -z "${INST_NAME:-}" || -z "${METRO_NAME:-}" || -z "${XDS_SERVER:-}" || -z "${INSTANCE_JWT:-}" ]]; then |
70 | | - echo "[envoy-init] Required environment variables not set. Skipping Envoy config/start." |
71 | | - return 0 |
72 | | - fi |
73 | | - |
74 | | - if [[ ! -f /etc/envoy/templates/bootstrap.yaml ]]; then |
75 | | - echo "[envoy-init] Template file /etc/envoy/templates/bootstrap.yaml not found. Skipping Envoy config/start." |
76 | | - return 0 |
77 | | - fi |
78 | | - |
79 | | - echo "[envoy-init] Preparing Envoy bootstrap configuration" |
80 | | - mkdir -p /etc/envoy |
81 | | - |
82 | | - echo "[envoy-init] Rendering template with INST_NAME=${INST_NAME}, METRO_NAME=${METRO_NAME}, XDS_SERVER=${XDS_SERVER}, KERNEL_INSTANCE_JWT=***" |
83 | | - inst_esc=$(printf '%s' "$INST_NAME" | sed -e 's/[\/&]/\\&/g') |
84 | | - metro_esc=$(printf '%s' "$METRO_NAME" | sed -e 's/[\/&]/\\&/g') |
85 | | - xds_esc=$(printf '%s' "$XDS_SERVER" | sed -e 's/[\/&]/\\&/g') |
86 | | - jwt_esc=$(printf '%s' "$INSTANCE_JWT" | sed -e 's/[\/&]/\\&/g') |
87 | | - sed -e "s|{INST_NAME}|$inst_esc|g" \ |
88 | | - -e "s|{METRO_NAME}|$metro_esc|g" \ |
89 | | - -e "s|{XDS_SERVER}|$xds_esc|g" \ |
90 | | - -e "s|{KERNEL_INSTANCE_JWT}|$jwt_esc|g" \ |
91 | | - /etc/envoy/templates/bootstrap.yaml > /etc/envoy/bootstrap.yaml |
92 | | - |
93 | | - echo "[envoy-init] Starting Envoy via supervisord" |
94 | | - # `restart` is start-or-stop+start: on first boot this just starts envoy, |
95 | | - # on a re-render (e.g. post-fork env refresh) it forces a clean re-read |
96 | | - # of the rendered bootstrap. Either way no callers see stale identity. |
97 | | - supervisorctl -c /etc/supervisor/supervisord.conf restart envoy |
98 | | - |
99 | | - # Readiness (port 3128 reachable) is probed by the Go wrapper's |
100 | | - # waitAllReady alongside CDP/chromedriver, so this script returns as soon |
101 | | - # as the start request has been issued. |
102 | | -} |
103 | | - |
104 | | -case "$PHASE" in |
105 | | - certs) |
106 | | - run_certs |
107 | | - ;; |
108 | | - config) |
109 | | - run_config |
110 | | - ;; |
111 | | - all) |
112 | | - run_certs |
113 | | - run_config |
114 | | - ;; |
115 | | -esac |
| 5 | +# Runtime config for envoy. Cert generation and CA trust install ran at image |
| 6 | +# build time (see shared/envoy/bake-certs.sh) so this script only does the |
| 7 | +# identity-bound work: render the bootstrap template with the per-instance |
| 8 | +# envs and start envoy via supervisord. |
| 9 | + |
| 10 | +# Identity envs gate this script: without them xDS can't bind, so this is a |
| 11 | +# no-op on images that don't run with a JWT. |
| 12 | +INSTANCE_JWT="${KERNEL_INSTANCE_JWT:-}" |
| 13 | +if [[ -z "${INST_NAME:-}" || -z "${METRO_NAME:-}" || -z "${XDS_SERVER:-}" || -z "${INSTANCE_JWT:-}" ]]; then |
| 14 | + echo "[envoy-init] Required environment variables not set. Skipping Envoy config/start." |
| 15 | + exit 0 |
| 16 | +fi |
| 17 | + |
| 18 | +if [[ ! -f /etc/envoy/templates/bootstrap.yaml ]]; then |
| 19 | + echo "[envoy-init] Template file /etc/envoy/templates/bootstrap.yaml not found. Skipping Envoy config/start." |
| 20 | + exit 0 |
| 21 | +fi |
| 22 | + |
| 23 | +echo "[envoy-init] Preparing Envoy bootstrap configuration" |
| 24 | +mkdir -p /etc/envoy |
| 25 | + |
| 26 | +echo "[envoy-init] Rendering template with INST_NAME=${INST_NAME}, METRO_NAME=${METRO_NAME}, XDS_SERVER=${XDS_SERVER}, KERNEL_INSTANCE_JWT=***" |
| 27 | +inst_esc=$(printf '%s' "$INST_NAME" | sed -e 's/[\/&]/\\&/g') |
| 28 | +metro_esc=$(printf '%s' "$METRO_NAME" | sed -e 's/[\/&]/\\&/g') |
| 29 | +xds_esc=$(printf '%s' "$XDS_SERVER" | sed -e 's/[\/&]/\\&/g') |
| 30 | +jwt_esc=$(printf '%s' "$INSTANCE_JWT" | sed -e 's/[\/&]/\\&/g') |
| 31 | +sed -e "s|{INST_NAME}|$inst_esc|g" \ |
| 32 | + -e "s|{METRO_NAME}|$metro_esc|g" \ |
| 33 | + -e "s|{XDS_SERVER}|$xds_esc|g" \ |
| 34 | + -e "s|{KERNEL_INSTANCE_JWT}|$jwt_esc|g" \ |
| 35 | + /etc/envoy/templates/bootstrap.yaml > /etc/envoy/bootstrap.yaml |
| 36 | + |
| 37 | +echo "[envoy-init] Starting Envoy via supervisord" |
| 38 | +# `restart` is start-or-stop+start: on first boot this just starts envoy, |
| 39 | +# on a re-render (e.g. post-fork env refresh) it forces a clean re-read |
| 40 | +# of the rendered bootstrap. Either way no callers see stale identity. |
| 41 | +supervisorctl -c /etc/supervisor/supervisord.conf restart envoy |
| 42 | + |
| 43 | +# Readiness (port 3128 reachable) is probed by the Go wrapper's |
| 44 | +# waitAllReady alongside CDP/chromedriver, so this script returns as soon |
| 45 | +# as the start request has been issued. |