
Merge pull request #34 from ocadotechnology/850-nginx-refresh-upstream-ip

fix: nginx doesn't refresh IP addresses of upstreams
okpoyu authored Jan 8, 2019
2 parents 976f52d + 233a84d commit f5f99f6
Showing 1 changed file with 47 additions and 17 deletions.
64 changes: 47 additions & 17 deletions mirroroperator/registrymirror.py
Expand Up @@ -14,7 +14,6 @@
SHARED_CERT_NAME = "shared-certs"
SHARED_CERT_MOUNT_PATH = "/etc/shared-certs"
CERT_FILE = "ca-certificates.crt"

LOGGER = logging.getLogger(__name__)


Expand Down Expand Up @@ -96,14 +95,17 @@ def __init__(self, event_type, namespace, hostess_docker_registry,
location {healthcheck_path} {{{{
return 200 '';
}}}}
#resolver;
set $upstream_endpoint https://{upstream_fqdn};
location / {{{{
proxy_ssl_trusted_certificate {shared_cert_mount_path}/{cert_file};
limit_except HEAD GET OPTIONS {{{{
deny all;
}}}}
proxy_pass https://{upstream_fqdn};
proxy_pass $upstream_endpoint;
proxy_ssl_verify on;
proxy_ssl_verify_depth 9;
proxy_ssl_session_reuse on;
Expand Down Expand Up @@ -366,16 +368,6 @@ def get_upstream_credentials(self):
return (the_user, the_pass)

def generate_stateful_set(self):
script = '''
TEMPFILE=$(mktemp)
cat /etc/ssl/certs/{cert_file} >> $TEMPFILE
if [ -d {upstream_cert_dir} ]; then
cat {upstream_cert_dir}/{cert_file} >> $TEMPFILE
fi
mv $TEMPFILE {shared_cert_mount_path}/{cert_file}
'''.format(upstream_cert_dir=UPSTREAM_CERT_DIR, cert_file=CERT_FILE,
shared_cert_mount_path=SHARED_CERT_MOUNT_PATH)

stateful_set = client.V1beta1StatefulSet(
metadata=self.metadata,
spec=client.V1beta1StatefulSetSpec(
Expand Down Expand Up @@ -428,7 +420,12 @@ def generate_stateful_set(self):
empty_dir=client.V1EmptyDirVolumeSource()
)
)

volumes.append(
client.V1Volume(
name='nginx-config-edited',
empty_dir=client.V1EmptyDirVolumeSource()
)
)
volumes_to_mount = [
client.V1VolumeMount(
name="image-store",
Expand All @@ -445,7 +442,7 @@ def generate_stateful_set(self):
read_only=True,
),
client.V1VolumeMount(
name="nginx-config",
name="nginx-config-edited",
mount_path="/etc/nginx/conf.d",
read_only=True
)
Expand Down Expand Up @@ -473,7 +470,22 @@ def generate_stateful_set(self):
limits={"cpu": "0.5",
"memory": "500Mi"}
)

script = '''
TEMPFILE=$(mktemp)
cat /etc/ssl/certs/{cert_file} >> $TEMPFILE
if [ -d {upstream_cert_dir} ]; then
cat {upstream_cert_dir}/{cert_file} >> $TEMPFILE
fi
mv $TEMPFILE {shared_cert_mount_path}/{cert_file}
'''.format(upstream_cert_dir=UPSTREAM_CERT_DIR, cert_file=CERT_FILE,
shared_cert_mount_path=SHARED_CERT_MOUNT_PATH)
script_munge_nameservers = '''
cp /etc/nginx/conf.d/default.conf /tmp/nginx/default.conf
NAMESERVERS=$(cat /etc/resolv.conf | grep "nameserver" | awk '{{print $2}}' | tr '\n' ' ')
if [ ! "$NAMESERVERS" == "" ]; then
sed -E -i "s/(#)(resolver)(;)/\\2 ${NAMESERVERS}\\3/" /tmp/nginx/default.conf
fi
'''
stateful_set.spec.template = client.V1PodTemplateSpec(
metadata=client.V1ObjectMeta(
labels=pod_labels
Expand All @@ -487,6 +499,24 @@ def generate_stateful_set(self):
args=["-c", script],
volume_mounts=generate_ca_certs_volume_mounts,
resources=resources,
),
client.V1Container(
name="get-nameservers",
image="busybox",
command=["/bin/sh"],
args=["-c", script_munge_nameservers],
volume_mounts=[
client.V1VolumeMount(
name="nginx-config",
mount_path="/etc/nginx/conf.d"
),
client.V1VolumeMount(
name="nginx-config-edited",
mount_path="/tmp/nginx"
)

],
resources=resources,
)
],
containers=[
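Review bot: In `script_munge_nameservers` an empty `$NAMESERVERS` is treated as success: the `#resolver;` line stays commented out, the init container exits 0, and nginx then starts with the variable-based `proxy_pass $upstream_endpoint` but no `resolver`, so every proxied request fails at runtime instead of the pod failing at start; add `else echo "no nameserver found in /etc/resolv.conf" >&2; exit 1` before the `fi` so the failure surfaces in the init container. The `grep "nameserver"` is also unanchored, so a commented or otherwise non-standard `resolv.conf` line would inject a stray token into the `resolver` directive and break the nginx config; `NAMESERVERS=$(awk '$1 == "nameserver" {print $2}' /etc/resolv.conf | tr '\n' ' ')` does the filtering and extraction in one step (and, if I recall nginx's syntax correctly, bare IPv6 nameservers would additionally need square brackets — worth a check in an IPv6 cluster). Note that this string is never passed through `.format()` like `script` directly above it, so the doubled `{{print $2}}` reaches awk literally and appears to work only because awk tolerates nested blocks; either format it or write single braces so the intent is unambiguous. Separately, the new init container uses `image="busybox"` with no tag or digest, so the step that rewrites the nginx config runs whatever `busybox:latest` resolves to at pod start; pinning it (ideally by digest) would match the strict `proxy_ssl_verify on` posture configured in the same change.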
