Set the dataplaneapi password from the k8s Secret.

Feedback on haproxy issue 590 showed a working method after all -- haproxy has a listener for dataplane as a backend, and the listener executes basic auth. This way, the userlist insecure-password config can be set from the env variable, passed to the container with the downward API. See: https://github.com/haproxy/haproxy/issues/590

Set the dataplaneapi password from the k8s Secret.
Feedback on haproxy issue 590 showed a working method after all -- haproxy has a listener for dataplane as a backend, and the listener executes basic auth. This way, the userlist insecure-password config can be set from the env variable, passed to the container with the downward API. See: https://github.com/haproxy/haproxy/issues/590
02ac78bc · Geoff Simmons · ff78768b · 02ac78bc
Commit 02ac78bc authored Apr 20, 2020 by Geoff Simmons
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 2 deletions

haproxy.cfg container/haproxy.cfg +9 -2

No files found.
--- a/container/haproxy.cfg
+++ b/container/haproxy.cfg
@@ -27,10 +27,17 @@ defaults
        timeout server  50000

 userlist controller
-    user dataplaneapi insecure-password e24bb312-cb21-46d6-aaec-8ae676f06fea
+    user dataplaneapi insecure-password "${SECRET_DATAPLANEAPI}"
+
+listen dataplane
+       bind :5555
+       mode http
+       acl auth http_auth(controller)
+       http-request auth realm dataplane unless auth
+       server dplane unix@/dplane.sock

 program api
-        command /usr/bin/dataplaneapi --host 0.0.0.0 --port 5555 --haproxy-bin /usr/sbin/haproxy --reload-cmd "/bin/kill -SIGUSR2 1" -i --log-to=stdout --log-level=info
+        command /usr/bin/dataplaneapi --socket-path=/run/offload/dplane.sock --haproxy-bin /usr/sbin/haproxy --reload-cmd "/bin/kill -SIGUSR2 1" -i --log-to=stdout --log-level=info
        no option start-on-reload

 program faccess