#!/bin/bash
# Enclave entrypoint. In order it: routes this script's stdout/stderr to the
# parent instance over VSOCK (CID 3, port 8011); reads APP_MODE from
# /app/APP_MODE; brings up lo; fetches AWS credentials and KMS-encrypted
# secrets from the parent through /app/vsock_helper.py (CID 3, port 8003) and
# decrypts them with kmstool_enclave_cli; pins each external hostname the
# service needs to its own 127.0.0.x address in /etc/hosts and starts one
# /app/traffic_forwarder.py per address; then starts continuum-proxy (unless
# APP_MODE is "local"), /app/opensecret, and finally socat listening on
# VSOCK port 5000 and forwarding to TCP port 3000.
# Tools used: socat, ip, python3, jq, kmstool_enclave_cli, base64, timeout.
# Env read: ENV_NAME (required for APP_MODE=custom), OPENAI_API_BASE (local mode only).
# Abort on the first failing simple command. -e does not cover failures of
# non-final pipeline stages (no pipefail) or of backgrounded (&) processes.
set -e
# Function for logging
log() {
  # Print one timestamped line: "[YYYY-MM-DD HH:MM:SS] <message>".
  # Only the first argument is used; the line goes to stdout.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '[%s] %s\n' "$stamp" "$1"
}
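log "Starting entrypoint script"
# Start the logging script
log "Starting log exports"
# From here on everything written to stdout or stderr — including whatever a
# failure path prints — is shipped to the parent instance over VSOCK
# (CID 3, port 8011) by socat. Nothing below should echo decrypted secrets.
exec > >(socat - VSOCK-CONNECT:3:8011) 2>&1
# Read and set APP_MODE from file
log "Reading /app/APP_MODE"
if [ -f /app/APP_MODE ]; then
  APP_MODE="$(cat /app/APP_MODE)" || { log "Failed to read /app/APP_MODE"; exit 1; }
  # An empty file used to pass through and silently select the "dev" secret
  # names further down; treat it as a misconfiguration, like a missing file.
  if [ -z "$APP_MODE" ]; then
    log "ERROR: /app/APP_MODE is empty. Please ensure the file contains a valid mode (dev/preview/prod/custom)"
    exit 1
  fi
  export APP_MODE
  log "Set APP_MODE=$APP_MODE from /app/APP_MODE"
else
  log "ERROR: /app/APP_MODE is missing. Please ensure the file exists and contains a valid mode (dev/preview/prod/custom)"
  exit 1
fi
log "Starting entrypoint script"
log "APP_MODE=$APP_MODE"
# Configure loopback interface (the forwarders below bind 127.0.0.x addresses)
log "Configuring loopback interface"
ip addr add 127.0.0.1/8 dev lo
ip link set dev lo up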
# Function to send request and receive response via VSOCK
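#######################################
# Send one request to the parent over VSOCK and print the JSON response.
# Arguments: $1 - CID, $2 - port, $3 - request body (JSON string)
# Outputs:   the helper's response on stdout; diagnostics on stderr
# Returns:   0 on success, 1 if the helper fails or reports an error
#######################################
vsock_request() {
  local cid=$1
  local port=$2
  local request=$3
  local response error_message
  # A non-zero helper exit (socket error, traceback) used to leave $response
  # empty and surface much later as a "failed to parse" message in the caller.
  if ! response=$(python3 /app/vsock_helper.py "$cid" "$port" "$request"); then
    log "VSOCK request to ${cid}:${port} failed: helper exited non-zero" >&2
    return 1
  fi
  # has() only works on objects; on any other input jq exits non-zero, which
  # the original read as "no error" and passed the raw text through.
  if ! echo "$response" | jq -e 'type == "object"' > /dev/null; then
    log "VSOCK request to ${cid}:${port} returned a non-JSON-object response" >&2
    return 1
  fi
  # Check if the response contains an error.
  # Diagnostics go to stderr: callers run this inside $(...), so a message on
  # stdout would be captured into their variable instead of reaching the log.
  if echo "$response" | jq -e 'has("error")' > /dev/null; then
    error_message=$(echo "$response" | jq -r '.error')
    log "VSOCK request failed: $error_message" >&2
    return 1
  fi
  printf '%s\n' "$response"
}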
# Function to get AWS credentials
#######################################
# Ask the parent instance for AWS credentials.
# Outputs: the JSON response from vsock_request on stdout
# Returns: vsock_request's status
#######################################
get_aws_credentials() {
  # Credential requests go to the parent (CID 3) on port 8003.
  local -r parent_cid=3
  local -r creds_port=8003
  local -r payload='{"request_type":"credentials","key_name":null}'
  vsock_request "$parent_cid" "$creds_port" "$payload"
}
# Function to get secret from Secrets Manager
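#######################################
# Fetch the (KMS-encrypted) database URL secret for this APP_MODE.
# Globals:  APP_MODE (read), ENV_NAME (read, custom mode only)
# Outputs:  the JSON response from vsock_request on stdout
# Returns:  vsock_request's status; exits 1 if custom mode lacks ENV_NAME
#######################################
get_database_url_secret() {
  local -r cid=3
  local -r port=8003
  local secret_name request
  # Secret name by deployment. Any mode other than prod/preview/custom falls
  # through to the dev secret, as before.
  case "$APP_MODE" in
    prod)    secret_name="opensecret_prod_database_url" ;;
    preview) secret_name="opensecret_preview1_database_url" ;;
    custom)
      if [ -z "$ENV_NAME" ]; then
        # stderr, not stdout: this function runs inside $(...), so a message on
        # stdout would be captured by the caller and never reach the log.
        log "Error: ENV_NAME must be set when using custom mode" >&2
        exit 1
      fi
      secret_name="opensecret_${ENV_NAME}_database_url"
      ;;
    *)       secret_name="opensecret_dev_database_url" ;;
  esac
  # Build the request with jq so ENV_NAME (operator-supplied) is JSON-escaped
  # instead of being spliced into the document verbatim. For plain names the
  # output is byte-identical to the old hand-built string.
  request=$(jq -cn --arg key_name "$secret_name" \
    '{request_type: "SecretsManager", key_name: $key_name}') || return 1
  vsock_request "$cid" "$port" "$request"
}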
# Function to get secret from Secrets Manager
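#######################################
# Fetch the (KMS-encrypted) Continuum proxy API key secret for this APP_MODE.
# Globals:  APP_MODE (read), ENV_NAME (read, custom mode only)
# Outputs:  the JSON response from vsock_request on stdout
# Returns:  vsock_request's status; exits 1 if custom mode lacks ENV_NAME
#######################################
get_continuum_proxy_api_key_secret() {
  local -r cid=3
  local -r port=8003
  local secret_name request
  # Secret name by deployment. Any mode other than prod/preview/custom falls
  # through to the dev secret, as before.
  case "$APP_MODE" in
    prod)    secret_name="continuum_proxy_prod_api_key" ;;
    preview) secret_name="continuum_proxy_preview1_api_key" ;;
    custom)
      if [ -z "$ENV_NAME" ]; then
        # stderr, not stdout: this function runs inside $(...), so a message on
        # stdout would be captured by the caller and never reach the log.
        log "Error: ENV_NAME must be set when using custom mode" >&2
        exit 1
      fi
      secret_name="continuum_proxy_${ENV_NAME}_api_key"
      ;;
    *)       secret_name="continuum_proxy_dev_api_key" ;;
  esac
  # Build the request with jq so ENV_NAME (operator-supplied) is JSON-escaped
  # instead of being spliced into the document verbatim. For plain names the
  # output is byte-identical to the old hand-built string.
  request=$(jq -cn --arg key_name "$secret_name" \
    '{request_type: "SecretsManager", key_name: $key_name}') || return 1
  vsock_request "$cid" "$port" "$request"
}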
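# Get AWS credentials
log "Fetching AWS credentials"
aws_creds=$(get_aws_credentials)
if [ -z "$aws_creds" ]; then
  log "Error: Failed to get AWS credentials"
  exit 1
fi
# Pull each field out of the response. With -e, jq exits non-zero when the
# value is null or absent, so a well-formed response missing a field fails
# here instead of leaving the literal string "null" in the variable (plain
# jq -r exits 0 for a missing key).
# stdout/stderr leave the enclave over VSOCK, so on failure only the response's
# top-level keys are logged — never the credential material itself.
if ! access_key_id=$(echo "$aws_creds" | jq -er '.response_value.AccessKeyId'); then
  log "Error: Failed to parse AccessKeyId from AWS credentials"
  log "AWS credentials response keys: $(echo "$aws_creds" | jq -c 'if type == "object" then keys else type end' 2>/dev/null)"
  exit 1
fi
if ! secret_access_key=$(echo "$aws_creds" | jq -er '.response_value.SecretAccessKey'); then
  log "Error: Failed to parse SecretAccessKey from AWS credentials"
  exit 1
fi
if ! session_token=$(echo "$aws_creds" | jq -er '.response_value.Token'); then
  log "Error: Failed to parse Token from AWS credentials"
  exit 1
fi
if ! region=$(echo "$aws_creds" | jq -er '.response_value.Region'); then
  log "Error: Failed to parse Region from AWS credentials"
  exit 1
fi
log "AWS credentials retrieved and parsed successfully"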
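# Get encrypted database URL from Secrets Manager
log "Fetching encrypted database URL"
secret_response=$(get_database_url_secret)
log "Retrieved raw secret response"
# response_value carries a JSON document as a string; fromjson unpacks it.
# -e makes a missing/null database_url fail here instead of yielding the
# literal string "null", which would otherwise be handed to KMS as ciphertext.
if ! encrypted_db_url=$(echo "$secret_response" | jq -er '.response_value | fromjson | .database_url') \
  || [ -z "$encrypted_db_url" ]; then
  log "Error: Failed to get encrypted database URL"
  log "Secret response: $secret_response"
  exit 1
fi
log "Encrypted database URL retrieved successfully"
# Decrypt the database URL using kmstool_enclave_cli (--proxy-port 8000 is
# presumably the parent's KMS proxy; its meaning is defined by the tool).
log "Decrypting database URL"
# A non-zero exit from the tool used to abort the script via set -e before the
# diagnostic below could run; downgrade it to a warning so the output is logged.
decryption_output=$(kmstool_enclave_cli decrypt \
  --region "$region" \
  --proxy-port 8000 \
  --aws-access-key-id "$access_key_id" \
  --aws-secret-access-key "$secret_access_key" \
  --aws-session-token "$session_token" \
  --ciphertext "$encrypted_db_url" 2>&1) \
  || log "Warning: kmstool_enclave_cli exited non-zero"
log "Got decryption output, parsing URL"
# The tool reports the result on a "PLAINTEXT: <base64>" line; keep only that.
decrypted_db_url=$(echo "$decryption_output" | sed -n 's/PLAINTEXT: //p')
if [ -z "$decrypted_db_url" ]; then
  log "Error: Failed to decrypt database URL"
  log "Decryption output: $decryption_output"
  exit 1
fi
log "Database URL decrypted successfully"
# Decode the base64 decrypted URL
decoded_db_url=$(echo "$decrypted_db_url" | base64 -d)
if [ -z "$decoded_db_url" ]; then
  log "Error: Failed to decode base64 database URL"
  exit 1
fi
# Extract the hostname from the decoded DATABASE_URL and pin it to loopback.
# The host is whatever follows the last '@' up to the next ':' or '/'; a URL
# with an explicit port therefore no longer yields a "host:port" token, which
# /etc/hosts could never match.
DB_HOSTNAME=$(echo "$decoded_db_url" | sed -n 's/.*@\([^/:]*\).*/\1/p')
if [ -z "$DB_HOSTNAME" ]; then
  log "Error: Failed to extract DB_HOSTNAME from decoded URL"
  exit 1
fi
# Refuse anything that is not a plain hostname so a malformed URL cannot put
# an arbitrary line into /etc/hosts.
if ! [[ "$DB_HOSTNAME" =~ ^[A-Za-z0-9.-]+$ ]]; then
  log "Error: DB_HOSTNAME is not a valid hostname"
  exit 1
fi
printf '127.0.0.1 %s\n' "$DB_HOSTNAME" >> /etc/hosts
log "Added $DB_HOSTNAME to /etc/hosts"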
# Each external hostname the service talks to is pinned to its own loopback
# address here; the matching traffic forwarder is started further down.
# /etc/hosts is appended to, never rewritten, so entries from the image stay.
add_host_entry() {
  printf '%s %s\n' "$1" "$2" >> /etc/hosts
}
# OpenAI API
add_host_entry 127.0.0.1 api.openai.com
log "Added api.openai.com to /etc/hosts"
# Resend API
add_host_entry 127.0.0.8 api.resend.com
log "Added api.resend.com to /etc/hosts"
# Continuum hostnames and the AMD KDS interface
add_host_entry 127.0.0.2 api.privatemode.ai
add_host_entry 127.0.0.3 cdn.confidential.cloud
add_host_entry 127.0.0.4 secret.privatemode.ai
add_host_entry 127.0.0.5 coordinator.privatemode.ai
add_host_entry 127.0.0.6 kdsintf.amd.com
log "Added privatemode.ai, confidential.cloud, and AMD domains to /etc/hosts"
# GitHub OAuth
add_host_entry 127.0.0.9 github.com
add_host_entry 127.0.0.10 api.github.com
log "Added GitHub OAuth domains to /etc/hosts"
# Google OAuth
add_host_entry 127.0.0.11 oauth2.googleapis.com
add_host_entry 127.0.0.12 www.googleapis.com
log "Added Google OAuth domains to /etc/hosts"
# AWS SQS
add_host_entry 127.0.0.13 sqs.us-east-2.amazonaws.com
log "Added AWS SQS domain to /etc/hosts"
# Billing: one loopback address, hostname chosen by APP_MODE
case "$APP_MODE" in
  prod)
    add_host_entry 127.0.0.14 billing.opensecret.cloud
    log "Added production billing domain to /etc/hosts"
    ;;
  *)
    add_host_entry 127.0.0.14 billing-dev.opensecret.cloud
    log "Added development billing domain to /etc/hosts"
    ;;
esac
# NOTE(review): creates an empty file at this path; why the service needs it
# is not visible from this script — confirm against the image build.
touch /app/libnsm.so
log "Created /app/libnsm.so"
# Print network information for debugging (no secrets in this output)
log "Network configuration:"
ip addr show
ip route
cat /etc/hosts
# One forwarder per pinned loopback address, each run in the background.
# Fields: log name | local ip | local port | vsock cid | vsock port — the
# argument order matches the original invocations; what traffic_forwarder.py
# does with each is defined in that file, not here.
# NOTE(review): the background PIDs are not kept, so a forwarder that dies is
# only noticed by the port probes below (or by the service itself).
forwarders=(
  "database|127.0.0.1|5432|3|8001"
  "OpenAI API|127.0.0.1|443|3|8002"
  "Resend API|127.0.0.8|443|3|8010"
  "Continuum API|127.0.0.2|443|3|8004"
  "Continuum CDN|127.0.0.3|443|3|8005"
  "Continuum Secret Service|127.0.0.4|443|3|8006"
  "Continuum Coordinator|127.0.0.5|443|3|8007"
  "AMD KDS Interface|127.0.0.6|443|3|8008"
  "GitHub|127.0.0.9|443|3|8012"
  "GitHub API|127.0.0.10|443|3|8013"
  "Google OAuth|127.0.0.11|443|3|8014"
  "Google APIs|127.0.0.12|443|3|8015"
  "AWS SQS|127.0.0.13|443|3|8016"
  "billing service|127.0.0.14|443|3|8017"
)
for fwd_entry in "${forwarders[@]}"; do
  IFS='|' read -r fwd_name fwd_ip fwd_port fwd_cid fwd_vsock_port <<<"$fwd_entry"
  log "Starting ${fwd_name} traffic forwarder"
  python3 /app/traffic_forwarder.py "$fwd_ip" "$fwd_port" "$fwd_cid" "$fwd_vsock_port" &
done
# Give the forwarders time to bind before probing them
log "Waiting for forwarders to start"
sleep 5
# Probe each forwarder's listening socket with a bash /dev/tcp redirect under a
# 5 s limit. A success only means the local forwarder accepted the connection;
# it says nothing about the upstream service behind it. Failures are logged
# and do not stop the script.
# Fields: ip | port | name used in the "Testing" line | name used in the result line
connection_checks=(
  "127.0.0.1|5432|PostgreSQL|PostgreSQL"
  "127.0.0.1|443|OpenAI API|OpenAI API"
  "127.0.0.2|443|Continuum API|Continuum API"
  "127.0.0.3|443|Continuum CDN|Continuum CDN"
  "127.0.0.4|443|Continuum Secret Service|Continuum Secret Service"
  "127.0.0.5|443|Continuum Coordinator|Continuum Coordinator"
  "127.0.0.6|443|AMD KDS Interface|AMD KDS Interface"
  "127.0.0.9|443|GitHub|GitHub"
  "127.0.0.10|443|GitHub API|GitHub API"
  "127.0.0.11|443|Google OAuth|Google OAuth"
  "127.0.0.12|443|Google APIs|Google APIs"
  "127.0.0.13|443|AWS SQS|AWS SQS"
  "127.0.0.14|443|billing service|Billing service"
)
for probe_entry in "${connection_checks[@]}"; do
  IFS='|' read -r probe_ip probe_port probe_label result_label <<<"$probe_entry"
  log "Testing connection to ${probe_label}:"
  if timeout 5 bash -c "</dev/tcp/${probe_ip}/${probe_port}"; then
    log "${result_label} connection successful"
  else
    log "${result_label} connection failed"
  fi
done
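# Start the continuum-proxy unless APP_MODE is "local".
# NOTE: "local" is not among the modes the APP_MODE check at the top of this
# script lists (dev/preview/prod/custom), so every documented mode takes
# this branch.
if [ "$APP_MODE" != "local" ]; then
  # Get Continuum Proxy API key from Secrets Manager
  log "Fetching Continuum Proxy API key"
  continuum_proxy_api_key_response=$(get_continuum_proxy_api_key_secret)
  log "Retrieved raw Continuum Proxy API key response"
  # This endpoint signals failure as response_type == "error" with the
  # message in response_value (a different convention from the "error" key
  # that vsock_request already checks for).
  if echo "$continuum_proxy_api_key_response" | jq -e '.response_type == "error"' > /dev/null; then
    error_message=$(echo "$continuum_proxy_api_key_response" | jq -r '.response_value')
    log "Error: Failed to get Continuum Proxy API key. Error message: $error_message"
    exit 1
  fi
  # response_value is a JSON document as a string; -e makes a missing/null
  # api_key fail here instead of yielding the literal string "null".
  if ! continuum_proxy_api_key_encrypted=$(echo "$continuum_proxy_api_key_response" | jq -er '.response_value | fromjson | .api_key') \
    || [ -z "$continuum_proxy_api_key_encrypted" ]; then
    log "Error: Failed to extract Continuum Proxy API key from the response"
    log "Secret response: $continuum_proxy_api_key_response"
    exit 1
  fi
  # Decrypt the API key using kmstool_enclave_cli. A non-zero exit used to
  # abort via set -e before the diagnostic below could run.
  log "Decrypting Continuum Proxy API key"
  decryption_output=$(kmstool_enclave_cli decrypt \
    --region "$region" \
    --proxy-port 8000 \
    --aws-access-key-id "$access_key_id" \
    --aws-secret-access-key "$secret_access_key" \
    --aws-session-token "$session_token" \
    --ciphertext "$continuum_proxy_api_key_encrypted" 2>&1) \
    || log "Warning: kmstool_enclave_cli exited non-zero"
  decrypted_api_key=$(echo "$decryption_output" | sed -n 's/PLAINTEXT: //p')
  if [ -z "$decrypted_api_key" ]; then
    log "Error: Failed to decrypt Continuum Proxy API key"
    log "Decryption output: $decryption_output"
    exit 1
  fi
  # Base64 decode the decrypted API key
  continuum_proxy_api_key=$(echo "$decrypted_api_key" | base64 -d)
  if [ -z "$continuum_proxy_api_key" ]; then
    log "Error: Failed to base64 decode Continuum Proxy API key"
    exit 1
  fi
  log "Continuum Proxy API key retrieved, decrypted, and decoded successfully"
  log "Starting continuum-proxy on port 8092"
  # NOTE(review): the key is passed on argv, so it is readable from the
  # process list by anything else running in the enclave; if continuum-proxy
  # can take it from the environment or a file, prefer that.
  /app/continuum-proxy --port 8092 --apiKey "$continuum_proxy_api_key" &
  continuum_proxy_pid=$!
  # Wait for the proxy to start, then make sure it is still running: a proxy
  # that exited during start-up used to go unnoticed until the first request.
  sleep 5
  if ! kill -0 "$continuum_proxy_pid" 2>/dev/null; then
    log "Error: continuum-proxy exited during start-up"
    exit 1
  fi
  # Set OPENAI_API_BASE to point to the local proxy
  export OPENAI_API_BASE="http://127.0.0.1:8092"
else
  # For local mode, use the default OpenAI API base or the one set in the environment
  export OPENAI_API_BASE=${OPENAI_API_BASE:-"https://api.openai.com"}
fi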
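# Start the opensecret
log "Starting opensecret..."
# NOTE(review): RUST_LOG=debug is set unconditionally and everything the
# process prints leaves the enclave over the VSOCK log channel; check what the
# service emits at debug level before relying on this for prod.
RUST_LOG_STYLE=never RUST_LOG=debug APP_MODE="$APP_MODE" OPENAI_API_BASE="$OPENAI_API_BASE" /app/opensecret &
opensecret_pid=$!
# Wait for the opensecret to start, then make sure it did not exit meanwhile;
# previously socat would start anyway and every connection would be refused.
log "Waiting for opensecret to start"
sleep 5
if ! kill -0 "$opensecret_pid" 2>/dev/null; then
  log "Error: opensecret exited during start-up"
  exit 1
fi
# Accept connections from the parent on VSOCK port 5000 and hand each one
# (fork) to the service on TCP port 3000. The original connected to 0.0.0.0,
# which Linux silently treats as loopback; 127.0.0.1 states the intent.
# socat stays in the foreground, so the script lives as long as it does.
log "Starting socat..."
socat VSOCK-LISTEN:5000,reuseaddr,fork TCP:127.0.0.1:3000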