From c0d3c0ce32a77a418cd02a8dd8e44ecaca0e53c4 Mon Sep 17 00:00:00 2001 From: Joao Morais Date: Tue, 28 Dec 2021 08:41:44 -0300 Subject: [PATCH] add local deployment configuration Add Makefile command and controller option that allows to run the controller outside of a container. These options are specially useful to develop and test locally. --- .gitignore | 1 + Makefile | 49 +++++++++++---- README.md | 60 ++++++++++++++++--- .../en/docs/configuration/command-line.md | 12 ++++ pkg/common/ingress/controller/controller.go | 1 + pkg/common/ingress/controller/launch.go | 24 +++++--- pkg/common/ingress/types.go | 3 + pkg/controller/controller.go | 17 ++++-- pkg/converters/ingress/annotations/global.go | 2 +- pkg/converters/ingress/annotations/updater.go | 1 + pkg/converters/types/options.go | 2 + pkg/haproxy/config.go | 2 +- pkg/haproxy/instance.go | 51 +++++++++++++--- pkg/haproxy/types/types.go | 1 + rootfs/etc/templates/haproxy/haproxy.tmpl | 10 ++-- rootfs/haproxy-reload.sh | 6 +- rootfs/haproxy-shutdown.sh | 20 +++++++ 17 files changed, 214 insertions(+), 48 deletions(-) create mode 100755 rootfs/haproxy-shutdown.sh diff --git a/.gitignore b/.gitignore index 60e2f1a59..594ad9d4f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ .vscode +bin rootfs/haproxy-ingress-controller # IntelliJ diff --git a/Makefile b/Makefile index f2396e061..a7626ccc9 100644 --- a/Makefile +++ b/Makefile @@ -6,28 +6,53 @@ GOARCH?=amd64 GIT_REPO=$(shell git config --get remote.origin.url) GIT_COMMIT=git-$(shell git rev-parse --short HEAD) VERSION_PKG=github.com/jcmoraisjr/haproxy-ingress/pkg/version +CONTROLLER_FLAGS=-X $(VERSION_PKG).RELEASE=local -X $(VERSION_PKG).COMMIT=$(GIT_COMMIT) -X $(VERSION_PKG).REPO=$(GIT_REPO) +CONTROLLER_TAG?=localhost/haproxy-ingress:latest +LOCAL_FS_PREFIX?=/tmp/haproxy-ingress +KUBECONFIG?=$(HOME)/.kube/config +CONTROLLER_CONFIGMAP?= +CONTROLLER_ARGS?= .PHONY: build build: - CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) go build \ - -installsuffix cgo \ - -ldflags "-s -w -X $(VERSION_PKG).RELEASE=local -X $(VERSION_PKG).COMMIT=$(GIT_COMMIT) -X $(VERSION_PKG).REPO=$(GIT_REPO)" \ - -o rootfs/haproxy-ingress-controller pkg/main.go + CGO_ENABLED=0 go build \ + -v -installsuffix cgo \ + -ldflags "-s -w $(CONTROLLER_FLAGS)" \ + -o bin/controller pkg/main.go + +.PHONY: run +run: build + @rm -rf $(LOCAL_FS_PREFIX)/var/run/haproxy/ + @mkdir -p $(LOCAL_FS_PREFIX)/etc/haproxy/lua/ + @cp rootfs/etc/lua/* $(LOCAL_FS_PREFIX)/etc/haproxy/lua/ + ./bin/controller \ + --kubeconfig=$(KUBECONFIG)\ + --local-filesystem-prefix=$(LOCAL_FS_PREFIX)\ + --update-status=false\ + --configmap=$(CONTROLLER_CONFIGMAP)\ + $(CONTROLLER_ARGS) + +.PHONY: lint +lint: + golangci-lint run .PHONY: test -test: +test: lint ## fix race and add -race param go test -tags cgo ./... -.PHONY: install -install: - CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) go install \ - -v -installsuffix cgo pkg/main.go +.PHONY: linux-build +linux-build: + CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) go build \ + -v -installsuffix cgo \ + -ldflags "-s -w $(CONTROLLER_FLAGS)" \ + -o rootfs/haproxy-ingress-controller pkg/main.go .PHONY: image -image: - docker build -t localhost/haproxy-ingress:latest rootfs +image: linux-build + docker build -t $(CONTROLLER_TAG) rootfs .PHONY: docker-builder docker-builder: - docker build -t localhost/haproxy-ingress:latest . -f builder/Dockerfile + @rm -f rootfs/haproxy-ingress-controller + docker build -t $(CONTROLLER_TAG) . -f builder/Dockerfile diff --git a/README.md b/README.md index dfb81b9c3..480eb9a0a 100644 --- a/README.md +++ b/README.md @@ -38,19 +38,65 @@ Updates made to the cluster are applied on the fly to the HAProxy instance. ## Develop HAProxy Ingress -Building: +**Building and running locally:** ``` mkdir -p $GOPATH/src/github.com/jcmoraisjr cd $GOPATH/src/github.com/jcmoraisjr git clone https://github.com/jcmoraisjr/haproxy-ingress.git cd haproxy-ingress -make +make run ``` -The following `make` targets are currently supported: +Dependencies to run locally: -* `install`: run `go install` which saves some building time. -* `build` (default): compiles HAProxy Ingress and generates an ELF (Linux) executable at `rootfs/haproxy-ingress-controller` despite the source platform. -* `test`: run unit tests -* `image`: generates a Docker image tagged `localhost/haproxy-ingress:latest` +* Golang +* HAProxy compiled with `USE_OPENSSL=1` and `USE_LUA=1` +* [golangci-lint](https://golangci-lint.run/) is used when running `make lint` or `make test` targets +* Lua with `lua-json` (`luarocks install lua-json`) if using Auth External or OAuth +* Kubernetes network should be reachable from the local machine for a proper e2e test + +**Building container image:** + +Fast build - cross compile for linux/amd64 (locally) and generate `localhost/haproxy-ingress:latest`: + +``` +make image +``` + +Official image - build in a multi-stage Dockerfile and generate `localhost/haproxy-ingress:latest`: + +``` +make docker-build +``` + +Deploy local image using Helm: + +``` +helm repo add haproxy-ingress https://haproxy-ingress.github.io/charts +helm install haproxy-ingress haproxy-ingress/haproxy-ingress\ + --create-namespace --namespace=ingress-controller\ + --set controller.image.repository=localhost/haproxy-ingress\ + --set controller.image.tag=latest\ + --set controller.image.pullPolicy=Never +``` + +**make options:** + +The following `make` variables are supported: + +* `CONTROLLER_TAG` (defaults to `localhost/haproxy-ingress:latest`): tag name for `make image` and `make docker-build`. +* `LOCAL_FS_PREFIX` (defaults to `/tmp/haproxy-ingress`): temporary directory for `make run`. +* `KUBECONFIG` (defaults to `$KUBECONFIG`, or `$(HOME)/.kube/config` if the former is empty): Kubernetes from where to read Ingress configurations. +* `CONTROLLER_CONFIGMAP`: `/` of the ConfigMap with global configurations. +* `CONTROLLER_ARGS`: space separated list of additional command-line arguments. + +The following `make` targets are supported: + +* `build` (default): Compiles HAProxy Ingress using the default OS and arch, and generates an executable at `bin/controller`. +* `run`: Runs HAProxy Ingress locally. +* `lint`: Runs [`golangci-lint`](https://golangci-lint.run/). +* `test`: Runs unit tests. +* `linux-build`: Compiles HAProxy Ingress and generates an ELF (Linux) executable despite the source platform at `rootfs/haproxy-ingress-controller`. Used by `image` step. +* `image`: Compiles HAProxy Ingress locally and generates a Docker image. +* `docker-build`: Compiles HAProxy Ingress and generates a Docker image using a multi-stage Dockerfile. diff --git a/docs/content/en/docs/configuration/command-line.md b/docs/content/en/docs/configuration/command-line.md index 939919d20..82c14d16c 100644 --- a/docs/content/en/docs/configuration/command-line.md +++ b/docs/content/en/docs/configuration/command-line.md @@ -38,6 +38,7 @@ The following command-line options are supported: | [`--ingress-class`](#ingress-class) | name | `haproxy` | | | [`--ingress-class-precedence`](#ingress-class) | [true\|false] | `false` | v0.13.5 | | [`--kubeconfig`](#kubeconfig) | /path/to/kubeconfig | in cluster config | | +| [`--local-filesystem-prefix`](#local-filesystem-prefix) | temporary base directory | | v0.14 | | [`--master-socket`](#master-socket) | socket path | use embedded haproxy | v0.12 | | [`--max-old-config-files`](#max-old-config-files) | num of files | `0` | | | [`--profiling`](#stats) | [true\|false] | `true` | | @@ -271,6 +272,17 @@ is deployed outside of the Kubernetes cluster. --- +## --local-filesystem-prefix + +Since v0.14 + +Enables HAProxy Ingress to run in local mode. Define `--local-filesystem-prefix` with a temporary +directory HAProxy Ingress should create and maintain all the configuration files. Useful for local +deployment. Start HAProxy Ingress in the root directory of the repository when using +`--local-filesystem-prefix`, or simply use via `make run`. + +--- + ## --master-socket Since v0.12 diff --git a/pkg/common/ingress/controller/controller.go b/pkg/common/ingress/controller/controller.go index 436af1b49..ed95d9eb4 100644 --- a/pkg/common/ingress/controller/controller.go +++ b/pkg/common/ingress/controller/controller.go @@ -74,6 +74,7 @@ type Configuration struct { ReloadStrategy string MaxOldConfigFiles int ValidateConfig bool + LocalFSPrefix string ForceNamespaceIsolation bool WaitBeforeShutdown int diff --git a/pkg/common/ingress/controller/launch.go b/pkg/common/ingress/controller/launch.go index 68242c139..acb72476c 100644 --- a/pkg/common/ingress/controller/launch.go +++ b/pkg/common/ingress/controller/launch.go @@ -43,6 +43,10 @@ discovery is attempted.`) kubeConfigFile = flags.String("kubeconfig", "", `Path to kubeconfig file with authorization and master location information.`) + localFSPrefix = flags.String("local-filesystem-prefix", "", + `Defines the prefix of a temporary directory HAProxy Ingress should create and +maintain all the configuration files. Useful for local deployment.`) + disableAPIWarnings = flags.Bool("disable-api-warnings", false, `Disable warnings from the API server.`) @@ -403,15 +407,18 @@ tracked.`) glog.Fatalf("resync period (%vs) is too low", resyncPeriod.Seconds()) } - for _, dir := range []string{ - ingress.DefaultCrtDirectory, - ingress.DefaultDHParamDirectory, - ingress.DefaultCACertsDirectory, - ingress.DefaultCrlDirectory, - ingress.DefaultMapsDirectory, + for _, dir := range []*string{ + &ingress.DefaultCrtDirectory, + &ingress.DefaultDHParamDirectory, + &ingress.DefaultCACertsDirectory, + &ingress.DefaultCrlDirectory, + &ingress.DefaultVarRunDirectory, + &ingress.DefaultMapsDirectory, } { - if err := os.MkdirAll(dir, 0755); err != nil { - glog.Fatalf("Failed to mkdir %s: %v", dir, err) + // TODO evolve this ugly trick to a proper struct that allows custom configuration + *dir = *localFSPrefix + *dir + if err := os.MkdirAll(*dir, 0755); err != nil { + glog.Fatalf("Failed to mkdir %s: %v", *dir, err) } } @@ -477,6 +484,7 @@ tracked.`) ReloadStrategy: *reloadStrategy, MaxOldConfigFiles: *maxOldConfigFiles, ValidateConfig: *validateConfig, + LocalFSPrefix: *localFSPrefix, TCPConfigMapName: *tcpConfigMapName, AnnPrefix: annPrefixList, DefaultSSLCertificate: *defSSLCertificate, diff --git a/pkg/common/ingress/types.go b/pkg/common/ingress/types.go index 1f50f1353..ee36c95ba 100644 --- a/pkg/common/ingress/types.go +++ b/pkg/common/ingress/types.go @@ -27,11 +27,14 @@ import ( // DefaultDirectory defines the location where HAProxy Ingress' generated // files should be created. +// +// These vars are dynamically changed, see launch.go var ( DefaultCrtDirectory = "/var/lib/haproxy/crt" DefaultDHParamDirectory = "/var/lib/haproxy/dhparam" DefaultCACertsDirectory = "/var/lib/haproxy/cacerts" DefaultCrlDirectory = "/var/lib/haproxy/crl" + DefaultVarRunDirectory = "/var/run/haproxy" DefaultMapsDirectory = "/etc/haproxy/maps" ) diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go index a8e02a035..5131f17ee 100644 --- a/pkg/controller/controller.go +++ b/pkg/controller/controller.go @@ -119,11 +119,18 @@ func (hc *HAProxyController) configController() { if hc.cfg.ReloadInterval.Seconds() > 0 { hc.reloadQueue = utils.NewRateLimitingQueue(float32(1/hc.cfg.ReloadInterval.Seconds()), hc.reloadHAProxy) } + var rootFSPrefix string + if hc.cfg.LocalFSPrefix != "" { + rootFSPrefix = "rootfs" + } instanceOptions := haproxy.InstanceOptions{ - HAProxyCfgDir: "/etc/haproxy", + RootFSPrefix: rootFSPrefix, + LocalFSPrefix: hc.cfg.LocalFSPrefix, + HAProxyCfgDir: hc.cfg.LocalFSPrefix + "/etc/haproxy", HAProxyMapsDir: ingress.DefaultMapsDirectory, MasterSocket: hc.cfg.MasterSocket, - AdminSocket: "/var/run/haproxy/admin.sock", + AdminSocket: ingress.DefaultVarRunDirectory + "/admin.sock", + AcmeSocket: ingress.DefaultVarRunDirectory + "/acme.sock", BackendShards: hc.cfg.BackendShards, AcmeSigner: acmeSigner, AcmeQueue: hc.acmeQueue, @@ -146,8 +153,10 @@ func (hc *HAProxyController) configController() { Cache: hc.cache, Tracker: hc.tracker, DynamicConfig: hc.dynamicConfig, + LocalFSPrefix: hc.cfg.LocalFSPrefix, MasterSocket: instanceOptions.MasterSocket, AdminSocket: instanceOptions.AdminSocket, + AcmeSocket: instanceOptions.AcmeSocket, AnnotationPrefix: hc.cfg.AnnPrefix, DefaultBackend: hc.cfg.DefaultService, DefaultCrtSecret: hc.cfg.DefaultSSLCertificate, @@ -175,8 +184,7 @@ func (hc *HAProxyController) startServices() { go hc.leaderelector.Run(hc.stopCh) } if hc.cfg.AcmeServer { - // TODO deduplicate acme socket - server := acme.NewServer(hc.logger, "/var/run/haproxy/acme.sock", hc.cache) + server := acme.NewServer(hc.logger, hc.converterOptions.AcmeSocket, hc.cache) // TODO move goroutine from the server to the controller if err := server.Listen(hc.stopCh); err != nil { hc.logger.Fatal("error creating the acme server listener: %v", err) @@ -190,6 +198,7 @@ func (hc *HAProxyController) startServices() { } func (hc *HAProxyController) stopServices() { + hc.instance.Shutdown() hc.ingressQueue.ShutDown() if hc.reloadQueue != nil { hc.reloadQueue.ShutDown() diff --git a/pkg/converters/ingress/annotations/global.go b/pkg/converters/ingress/annotations/global.go index c090e197c..def7a94dc 100644 --- a/pkg/converters/ingress/annotations/global.go +++ b/pkg/converters/ingress/annotations/global.go @@ -48,7 +48,7 @@ func (c *updater) buildGlobalAcme(d *globalData) { d.acmeData.Expiring = time.Duration(d.mapper.Get(ingtypes.GlobalAcmeExpiring).Int()) * 24 * time.Hour d.acmeData.TermsAgreed = termsAgreed d.global.Acme.Prefix = "/.well-known/acme-challenge/" - d.global.Acme.Socket = "/var/run/haproxy/acme.sock" + d.global.Acme.Socket = c.options.AcmeSocket d.global.Acme.Enabled = true d.global.Acme.Shared = d.mapper.Get(ingtypes.GlobalAcmeShared).Bool() } diff --git a/pkg/converters/ingress/annotations/updater.go b/pkg/converters/ingress/annotations/updater.go index 69f38fea5..a8c444798 100644 --- a/pkg/converters/ingress/annotations/updater.go +++ b/pkg/converters/ingress/annotations/updater.go @@ -143,6 +143,7 @@ func (c *updater) UpdateGlobalConfig(haproxyConfig haproxy.Config, mapper *Mappe mapper: mapper, } d.global.AdminSocket = c.options.AdminSocket + d.global.LocalFSPrefix = c.options.LocalFSPrefix d.global.MaxConn = mapper.Get(ingtypes.GlobalMaxConnections).Int() d.global.DefaultBackendRedir = mapper.Get(ingtypes.GlobalDefaultBackendRedirect).String() d.global.DefaultBackendRedirCode = mapper.Get(ingtypes.GlobalDefaultBackendRedirectCode).Int() diff --git a/pkg/converters/types/options.go b/pkg/converters/types/options.go index 11cffe6ca..2fd5d7957 100644 --- a/pkg/converters/types/options.go +++ b/pkg/converters/types/options.go @@ -26,8 +26,10 @@ type ConverterOptions struct { Cache Cache Tracker Tracker DynamicConfig *DynamicConfig + LocalFSPrefix string MasterSocket string AdminSocket string + AcmeSocket string DefaultConfig func() map[string]string DefaultBackend string DefaultCrtSecret string diff --git a/pkg/haproxy/config.go b/pkg/haproxy/config.go index f2f62f580..0cf061103 100644 --- a/pkg/haproxy/config.go +++ b/pkg/haproxy/config.go @@ -98,7 +98,7 @@ func (c *config) SyncConfig() { // frontend with `inspect-delay` and `req.ssl_sni` bindName := "_https_socket" c.frontend.BindName = bindName - c.frontend.BindSocket = fmt.Sprintf("unix@/var/run/haproxy/%s.sock", bindName) + c.frontend.BindSocket = fmt.Sprintf("unix@%s/var/run/haproxy/%s.sock", c.global.LocalFSPrefix, bindName) c.frontend.AcceptProxy = true } else { // One single HAProxy's frontend and bind diff --git a/pkg/haproxy/instance.go b/pkg/haproxy/instance.go index b4e0d1963..d74045437 100644 --- a/pkg/haproxy/instance.go +++ b/pkg/haproxy/instance.go @@ -18,6 +18,7 @@ package haproxy import ( "fmt" + "os" "os/exec" "path/filepath" "regexp" @@ -38,12 +39,15 @@ import ( type InstanceOptions struct { AcmeSigner acme.Signer AcmeQueue utils.Queue + RootFSPrefix string + LocalFSPrefix string BackendShards int HAProxyCfgDir string HAProxyMapsDir string LeaderElector types.LeaderElector MasterSocket string AdminSocket string + AcmeSocket string MaxOldConfigFiles int Metrics types.Metrics ReloadQueue utils.Queue @@ -64,6 +68,7 @@ type Instance interface { CalcIdleMetric() Update(timer *utils.Timer) Reload(timer *utils.Timer) + Shutdown() } // CreateInstance ... @@ -150,10 +155,11 @@ func (i *instance) ParseTemplates() error { i.haproxyTmpl.ClearTemplates() i.mapsTmpl.ClearTemplates() i.modsecTmpl.ClearTemplates() + templatesDir := i.options.RootFSPrefix + "/etc/templates" if err := i.modsecTmpl.NewTemplate( "modsecurity.tmpl", - "/etc/templates/modsecurity/modsecurity.tmpl", - "/etc/haproxy/spoe-modsecurity.conf", + templatesDir+"/modsecurity/modsecurity.tmpl", + i.options.HAProxyCfgDir+"/spoe-modsecurity.conf", 0, 1024, ); err != nil { @@ -161,8 +167,8 @@ func (i *instance) ParseTemplates() error { } if err := i.haproxyTmpl.NewTemplate( "haproxy.tmpl", - "/etc/templates/haproxy/haproxy.tmpl", - "/etc/haproxy/haproxy.cfg", + templatesDir+"/haproxy/haproxy.tmpl", + i.options.HAProxyCfgDir+"/haproxy.cfg", i.options.MaxOldConfigFiles, 16384, ); err != nil { @@ -170,7 +176,7 @@ func (i *instance) ParseTemplates() error { } err := i.mapsTmpl.NewTemplate( "map.tmpl", - "/etc/templates/map/map.tmpl", + templatesDir+"/map/map.tmpl", "", 0, 2048, @@ -359,6 +365,20 @@ func (i *instance) Reload(timer *utils.Timer) { i.logger.Info(message) } +func (i *instance) Shutdown() { + if !i.up || i.config.Global().External.IsExternal() { + return + } + i.logger.Info("shutting down embedded haproxy") + outstr, err := i.execCommandSync(i.options.RootFSPrefix + "/haproxy-shutdown.sh") + if outstr != "" { + i.logger.Warn("output from the shutdown process:\n%v", outstr) + } + if err != nil { + i.logger.Error("error shutting down haproxy: %v", err) + } +} + func (i *instance) logChanged() { hostsAdd := i.config.Hosts().ItemsAdd() if len(hostsAdd) < 100 { @@ -499,6 +519,19 @@ func (i *instance) check() error { return nil } +func (i *instance) execCommandSync(cmd string, args ...string) (string, error) { + command := exec.Command(cmd, args...) + if i.options.LocalFSPrefix != "" { + command.Env = []string{ + "PATH=" + os.Getenv("PATH"), + "CONTROLLER_LOCAL_FS_PREFIX=" + i.options.LocalFSPrefix, + } + } + out, err := command.CombinedOutput() + outstr := string(out) + return outstr, err +} + func (i *instance) reloadHAProxy() error { if i.options.fake { i.logger.Info("(test) reload was skipped") @@ -516,8 +549,12 @@ func (i *instance) reloadEmbedded() error { state = "1" } // TODO Move all magic strings to a single place - out, err := exec.Command("/haproxy-reload.sh", i.options.ReloadStrategy, i.options.HAProxyCfgDir, state).CombinedOutput() - outstr := string(out) + outstr, err := i.execCommandSync( + i.options.RootFSPrefix+"/haproxy-reload.sh", + i.options.ReloadStrategy, + i.options.HAProxyCfgDir, + state, + ) if len(outstr) > 0 { i.logger.Warn("output from haproxy:\n%v", outstr) } diff --git a/pkg/haproxy/types/types.go b/pkg/haproxy/types/types.go index 8cfb226f6..973cb6adc 100644 --- a/pkg/haproxy/types/types.go +++ b/pkg/haproxy/types/types.go @@ -66,6 +66,7 @@ type Global struct { ForwardFor string LoadServerState bool AdminSocket string + LocalFSPrefix string External ExternalConfig Healthz HealthzConfig Master MasterConfig diff --git a/rootfs/etc/templates/haproxy/haproxy.tmpl b/rootfs/etc/templates/haproxy/haproxy.tmpl index e5e740322..64524e751 100644 --- a/rootfs/etc/templates/haproxy/haproxy.tmpl +++ b/rootfs/etc/templates/haproxy/haproxy.tmpl @@ -91,7 +91,7 @@ global {{- end }} {{- if $global.LoadServerState }} server-state-file state-global - server-state-base /var/lib/haproxy/ + server-state-base {{ $global.LocalFSPrefix }}/var/lib/haproxy/ {{- end }} maxconn {{ $global.MaxConn }} {{- if $global.Timeout.Stop }} @@ -105,10 +105,10 @@ global log-tag {{ $global.Syslog.Tag }} {{- end }} {{- if or (not $global.External.IsExternal) $global.External.HasLua }} - lua-prepend-path /etc/haproxy/lua/?.lua - lua-load /etc/haproxy/lua/auth-request.lua + lua-prepend-path {{ $global.LocalFSPrefix }}/etc/haproxy/lua/?.lua + lua-load {{ $global.LocalFSPrefix }}/etc/haproxy/lua/auth-request.lua {{- end }} - lua-load /etc/haproxy/lua/services.lua + lua-load {{ $global.LocalFSPrefix }}/etc/haproxy/lua/services.lua {{- if $global.SSL.DHParam.Filename }} ssl-dh-param-file {{ $global.SSL.DHParam.Filename }} {{- else }} @@ -573,7 +573,7 @@ backend {{ $backend.ID }} {{- /*------------------------------------*/}} {{- if and $global.ModSecurity.Endpoints $backend.HasModsec }} - filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf + filter spoe engine modsecurity config {{ $global.LocalFSPrefix }}/etc/haproxy/spoe-modsecurity.conf {{- $wafCfg := $backend.PathConfig "WAF" }} {{- range $i, $waf := $wafCfg.Items }} {{- if eq $waf.Mode "deny" }} diff --git a/rootfs/haproxy-reload.sh b/rootfs/haproxy-reload.sh index e193fba99..5958220be 100755 --- a/rootfs/haproxy-reload.sh +++ b/rootfs/haproxy-reload.sh @@ -45,9 +45,9 @@ PARAM_STRATEGY="$1" PARAM_CFG="$2" PARAM_STATE="${3:-0}" -HAPROXY_SOCKET=/var/run/haproxy/admin.sock -HAPROXY_STATE=/var/lib/haproxy/state-global -HAPROXY_PID=/var/run/haproxy/haproxy.pid +HAPROXY_SOCKET="${CONTROLLER_LOCAL_FS_PREFIX}/var/run/haproxy/admin.sock" +HAPROXY_STATE="${CONTROLLER_LOCAL_FS_PREFIX}/var/lib/haproxy/state-global" +HAPROXY_PID="${CONTROLLER_LOCAL_FS_PREFIX}/var/run/haproxy/haproxy.pid" OLD_PID=$(cat "$HAPROXY_PID" 2>/dev/null || :) # Only create the state file if the configuration need it diff --git a/rootfs/haproxy-shutdown.sh b/rootfs/haproxy-shutdown.sh new file mode 100755 index 000000000..a8fee8317 --- /dev/null +++ b/rootfs/haproxy-shutdown.sh @@ -0,0 +1,20 @@ +#!/bin/sh +# +# Copyright 2021 The HAProxy Ingress Controller Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -e -o pipefail + +HAPROXY_PID="${CONTROLLER_LOCAL_FS_PREFIX}/var/run/haproxy/haproxy.pid" +kill $(cat "$HAPROXY_PID")