From 1efae75f14f14e0c94691744ecdb5fb949fedbfd Mon Sep 17 00:00:00 2001
From: Alexander Piskun <13381981+bigcat88@users.noreply.github.com>
Date: Tue, 11 Jun 2024 16:11:28 +0300
Subject: [PATCH] Support for `NC_HAPROXY_PASSWORD_FILE` env variable (#26)
* add support for `NC_HAPROXY_PASSWORD_FILE` env variable
Signed-off-by: Alexander Piskun
* not create the "haproxy.cfg" each time. replaced the "insecure password" with "password"
Signed-off-by: Alexander Piskun
---------
Signed-off-by: Alexander Piskun
---
 Dockerfile | 7 +--
 README.md | 6 +++
 haproxy.cfg => haproxy.cfg.template | 8 ++--
 ...x_apps.cfg => haproxy_ex_apps.cfg.template | 0
 start.sh | 47 ++++++++++++++-----
 5 files changed, 49 insertions(+), 19 deletions(-)
 rename haproxy.cfg => haproxy.cfg.template (95%)
 rename haproxy_ex_apps.cfg => haproxy_ex_apps.cfg.template (100%)
diff --git a/Dockerfile b/Dockerfile
index 8b98472..181c438 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,12 +19,13 @@ RUN set -ex; \
 openssl \
 bind-tools \
 nano \
- vim; \
+ vim \
+ envsubst; \
 chmod -R 777 /tmp
 COPY --chmod=775 *.sh /
-COPY --chmod=664 haproxy.cfg /haproxy.cfg
-COPY --chmod=664 haproxy_ex_apps.cfg /haproxy_ex_apps.cfg
+COPY --chmod=664 haproxy.cfg.template /haproxy.cfg.template
+COPY --chmod=664 haproxy_ex_apps.cfg.template /haproxy_ex_apps.cfg.template
 WORKDIR /
 ENTRYPOINT ["/bin/bash", "start.sh"]
diff --git a/README.md b/README.md
index 8f2dc51..f9e3553 100644
--- a/README.md
+++ b/README.md
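Review bot: The rewritten start.sh calls `mkpasswd` to hash the password, but the only package this hunk adds to the install list is `envsubst`; the beginning of the `RUN` instruction is outside the hunk, so if a package providing `mkpasswd` is not already in the part of the list I cannot see, the container will fail on its first start with a command-not-found, and since start.sh does not check the result it would carry on and write an empty `password` value into the generated haproxy.cfg. Worth confirming, and if it is missing, adding the package that provides it next to `envsubst`. The `ENTRYPOINT ["/bin/bash", "start.sh"]` context line also shows the script runs under bash despite its `#!/bin/sh` shebang, which matters for how `echo` treats the password value in start.sh.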
@@ -69,6 +69,12 @@ You should set `BIND_ADDRESS` to the IP on which server with ExApps can accept r
 `TIMEOUT_SERVER`: timeout for ExApp to start responding to NC request, default: **30s**
+`NC_HAPROXY_PASSWORD_FILE`: Specifies path to a file containing the password for HAProxy.
+
+> [!NOTE]
+> This file should be mounted into the container, and the password will be read from this file.
+> If both NC_HAPROXY_PASSWORD and NC_HAPROXY_PASSWORD_FILE are specified, the container will exit with an error.
+
 #### Only for ExApp installs with TLS:
 * `EX_APPS_NET`: determines destination of requests to ExApps for HaProxy. Default:`localhost`
diff --git a/haproxy.cfg b/haproxy.cfg.template
similarity index 95%
rename from haproxy.cfg
rename to haproxy.cfg.template
index e2e296f..8d51ab8 100644
--- a/haproxy.cfg
+++ b/haproxy.cfg.template
@@ -9,12 +9,12 @@ defaults
 log global
 option httplog
 option dontlognull
- timeout connect TIMEOUT_CONNECT
- timeout client TIMEOUT_CLIENT
- timeout server TIMEOUT_SERVER
+ timeout connect ${TIMEOUT_CONNECT}
+ timeout client ${TIMEOUT_CLIENT}
+ timeout server ${TIMEOUT_SERVER}
 userlist app_api_credentials
- user app_api_haproxy_user insecure-password "NC_PASSWORD_PLACEHOLDER"
+ user app_api_haproxy_user password ${NC_HAPROXY_PASSWORD}
 frontend docker_engine
 mode http
diff --git a/haproxy_ex_apps.cfg b/haproxy_ex_apps.cfg.template
similarity index 100%
rename from haproxy_ex_apps.cfg
rename to haproxy_ex_apps.cfg.template
diff --git a/start.sh b/start.sh
index f61898f..54e0611 100644
--- a/start.sh
+++ b/start.sh
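Review bot: The new `user app_api_haproxy_user password ${NC_HAPROXY_PASSWORD}` line needs a comment, because two things about it are easy to undo by accident: the value start.sh exports under that name is now an mkpasswd crypt hash rather than the plaintext password, and that hash contains `$` characters, so the double quotes the old `insecure-password` line carried must stay off — HAProxy expands environment variables only inside double-quoted strings, and re-quoting the value would make it try to expand the salt and digest as variables. Something like `# value is an mkpasswd hash exported by start.sh; keep it unquoted, HAProxy expands env vars inside double quotes only` above the line would do; keep the comment free of dollar signs so envsubst leaves it alone. Renaming the template variable to say that it holds a hash would also help, but that touches start.sh as well.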
@@ -1,19 +1,42 @@
 #!/bin/sh
-sed -i "s|NC_PASSWORD_PLACEHOLDER|$NC_HAPROXY_PASSWORD|" /haproxy.cfg
-sed -i "s|TIMEOUT_CONNECT|$TIMEOUT_CONNECT|" /haproxy.cfg
-sed -i "s|TIMEOUT_CLIENT|$TIMEOUT_CLIENT|" /haproxy.cfg
-sed -i "s|TIMEOUT_SERVER|$TIMEOUT_SERVER|" /haproxy.cfg
+if [ ! -f "/haproxy.cfg" ]; then
-if [ -f "/certs/cert.pem" ]; then
- EX_APPS_COUNT_PADDED=$(printf "%03d" "$EX_APPS_COUNT")
- sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:$HAPROXY_PORT v4v6 ssl crt /certs/cert.pem|" /haproxy.cfg
- sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:23000-23$EX_APPS_COUNT_PADDED v4v6 ssl crt /certs/cert.pem|" /haproxy_ex_apps.cfg
- sed -i "s|EX_APPS_NET_PLACEHOLDER|$EX_APPS_NET|" /haproxy_ex_apps.cfg
- # Chmod certs to be accessible by haproxy
- chmod 644 /certs/cert.pem
+ echo "Creating HaProxy config.."
+
+ if [ -n "$NC_HAPROXY_PASSWORD_FILE" ] && [ ! -f "$NC_HAPROXY_PASSWORD_FILE" ]; then
+ echo "Error: NC_HAPROXY_PASSWORD_FILE is specified but the file does not exist."
+ exit 1
+ fi
+
+ if [ -n "$NC_HAPROXY_PASSWORD" ] && [ -n "$NC_HAPROXY_PASSWORD_FILE" ]; then
+ echo "Error: Only one of NC_HAPROXY_PASSWORD or NC_HAPROXY_PASSWORD_FILE should be specified."
+ exit 1
+ fi
+
+ if [ -n "$NC_HAPROXY_PASSWORD_FILE" ]; then
+ NC_HAPROXY_PASSWORD=$(mkpasswd -m sha-256 < "$NC_HAPROXY_PASSWORD_FILE")
+ else
+ NC_HAPROXY_PASSWORD=$(echo "$NC_HAPROXY_PASSWORD" | mkpasswd -m sha-256)
+ fi
+
+ export NC_HAPROXY_PASSWORD
+
+ envsubst < /haproxy.cfg.template > /haproxy.cfg
+ envsubst < /haproxy_ex_apps.cfg.template > /haproxy_ex_apps.cfg
+
+ if [ -f "/certs/cert.pem" ]; then
+ EX_APPS_COUNT_PADDED=$(printf "%03d" "$EX_APPS_COUNT")
+ sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:$HAPROXY_PORT v4v6 ssl crt /certs/cert.pem|" /haproxy.cfg
+ sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:23000-23$EX_APPS_COUNT_PADDED v4v6 ssl crt /certs/cert.pem|" /haproxy_ex_apps.cfg
+ sed -i "s|EX_APPS_NET_PLACEHOLDER|$EX_APPS_NET|" /haproxy_ex_apps.cfg
+ # Chmod certs to be accessible by haproxy
+ chmod 644 /certs/cert.pem
+ else
+ sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:$HAPROXY_PORT v4v6|" /haproxy.cfg
+ fi
 else
- sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:$HAPROXY_PORT v4v6|" /haproxy.cfg
+ echo "HaProxy config already present."
 fi
 echo "HaProxy config:"
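Review bot: Nothing in the new validation block rejects the case where neither `NC_HAPROXY_PASSWORD` nor `NC_HAPROXY_PASSWORD_FILE` is set, so the `else` branch pipes an empty line into mkpasswd and, as far as I can tell, the generated userlist ends up holding the hash of the empty string, which HAProxy would then accept as the `app_api_haproxy_user` password; a third guard next to the two existing ones closes this: `if [ -z "$NC_HAPROXY_PASSWORD" ] && [ -z "$NC_HAPROXY_PASSWORD_FILE" ]; then echo "Error: one of NC_HAPROXY_PASSWORD or NC_HAPROXY_PASSWORD_FILE must be set." >&2; exit 1; fi`. The `echo "$NC_HAPROXY_PASSWORD" | mkpasswd -m sha-256` line is also fragile for unusual passwords — a value that is exactly an echo option such as `-n` is swallowed, and under a dash `/bin/sh` backslashes are interpreted — so `printf '%s\n' "$NC_HAPROXY_PASSWORD" | mkpasswd -m sha-256` is the safer form. The two `envsubst` calls substitute every `$NAME`/`${NAME}` token in the templates, so any HAProxy-side environment reference added to them later would be blanked at startup; passing the variable list explicitly, e.g. `envsubst '${TIMEOUT_CONNECT} ${TIMEOUT_CLIENT} ${TIMEOUT_SERVER} ${NC_HAPROXY_PASSWORD}' < /haproxy.cfg.template > /haproxy.cfg`, limits substitution to the intended names. Neither the mkpasswd nor the envsubst results are checked and the script does not `set -e`, so a failed hash silently yields an empty `password` field in haproxy.cfg — an `|| exit 1` on those lines would surface the failure instead.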