@@ -4,27 +4,28 @@ HELP_STRING=$(cat <<"EOF"
44Usage: run-proxy --listen $MY_POD_IP:9090 --proxy-pass http://127.0.0.1
55
66Arguments:
7- --listen [ADDRESS:]PORT sets the address and port on which the server will accept requests
8- --proxy-pass URL sets the url to proxy to
9- --user USER sets the name of the authorized user
10- --nginx-user USER sets the user to run nginx
11- --location URI sets the uri for the location (default: /metrics)
12- --proxy-ssl-ca-file PATH specify path to CA file in PEM format used to verify peer certificate,
13- implies "proxy_ssl_verify on;"
14- --probe-proxy-pass URL sets the probe url to proxy to
15- --probe-listen [ADDRESS:]PORT sets the address and port on which the server will accept request for probe
16- --proxy-ssl-cert-file PATH specify path to cert file in PEM format used to authenticate to peer
17- --proxy-ssl-key-file PATH specify path to key file in PEM format used to authenticate to peer
18- --proxy-ssl-name NAME specify custom CN to use, when verifiying remote certificate,
19- this option should only be used CN in the remote certificate
20- differs from the host in "--proxy-pass" URL
21- --debug enable nginx debug log output
22- -h, --help output this message
7+ --listen [ADDRESS:]PORT sets the address and port on which the server will accept requests
8+ --proxy-pass URL sets the url to proxy to
9+ --user USER sets the name of the authorized user
10+ --nginx-user USER sets the user to run nginx
11+ --location URI sets the uri for the location (default: /metrics)
12+ --proxy-ssl-ca-file PATH specify path to CA file in PEM format used to verify peer certificate,
13+ implies "proxy_ssl_verify on;"
14+ --probe-proxy-pass URL sets the probe url to proxy to
15+ --probe-listen [ADDRESS:]PORT sets the address and port on which the server will accept request for probe
16+ --proxy-ssl-cert-file PATH specify path to cert file in PEM format used to authenticate to peer
17+ --proxy-ssl-key-file PATH specify path to key file in PEM format used to authenticate to peer
18+ --proxy-ssl-name NAME specify custom CN to use, when verifiying remote certificate,
19+ this option should only be used CN in the remote certificate
20+ differs from the host in "--proxy-pass" URL
21+ --proxy-bearer-token-from-service-account add header 'Authorization: Bearer ...' with token from pod ServiceAccount
22+ --debug enable nginx debug log output
23+ -h, --help output this message
2324EOF
2425)
2526
2627if ! temp=$( getopt -o h --long " listen:,proxy-pass:,user:,nginx-user:,location:,help,proxy-ssl-ca-file:,
27- proxy-ssl-cert-file:,proxy-ssl-key-file:,proxy-ssl-name:,probe-proxy-pass:,probe-listen:,debug" -n ' run-proxy' " $@ " ) ; then
28+ proxy-ssl-cert-file:,proxy-ssl-key-file:,proxy-ssl-name:,probe-proxy-pass:,probe-listen:,proxy-bearer-token-from-service-account, debug" -n ' run-proxy' " $@ " ) ; then
2829 >&2 echo
2930 >&2 echo " $HELP_STRING "
3031 exit 1
@@ -57,6 +58,8 @@ while true; do
5758 PROXY_SSL_KEY=$2 ; shift 2;;
5859 --proxy-ssl-name )
5960 PROXY_SSL_NAME=$2 ; shift 2;;
61+ --proxy-bearer-token-from-service-account )
62+ PROXY_BEARER_TOKEN_FROM_SA=yes; shift 1;;
6063 --probe-proxy-pass )
6164 PROBE_PROXY_PASS=$2 ; shift 2;;
6265 --probe-listen )
158161) "
159162fi
160163
164+ if [[ x" $PROXY_BEARER_TOKEN_FROM_SA " = x" yes" ; then
165+ token=" $( cat /run/secrets/kubernetes.io/serviceaccount/token) "
166+ PROXY_BEARER_CONFIG="
167+ proxy_set_header Authorization \" Bearer $token \" ;
168+ "
169+ fi
170+
161171if [[ x" $DEBUG " = x" yes" ; then
162172 NGINX_BINARY_NAME=nginx-debug
163173 ERROR_LOG_LEVEL=debug
@@ -208,6 +218,7 @@ http {
208218${PROXY_SSL_CONFIG}
209219${PROXY_SSL_VERIFY}
210220${PROXY_SSL_NAME}
221+ ${PROXY_BEARER_CONFIG}
211222 }
212223 }
213224 ${PROBE_CONFIG}
0 commit comments