Fix startup of the dataplane API.

The entrypoint of the haproxy container is an exec
script that sets the password from a template for
haproxy.cfg. Setting the password from an env
variable has proven to be too unreliable.

Also, listening at a UDS does not appear to be
working at all. So the dataplane API listens directly
at the container port (no intervening haproxy
frontend).

This change makes the container more friendly to
read-only filesystems, since haproxy.cfg is now no
longer modified in /etc, but rather in the ephemeral
file system at /run (== /var/run).

container/Dockerfile.haproxy

@@ -38,6 +38,9 @@ RUN /bin/mkdir /run/haproxy/ && \
     /usr/sbin/groupadd -g 998 varnish && \
     /usr/sbin/usermod -G varnish haproxy
 
+COPY haproxy_exec.sh /
+RUN /bin/chmod 755 /haproxy_exec.sh
+
 ENV VARNISH_READY_PORT=8080
 
-ENTRYPOINT ["/usr/sbin/haproxy", "-f", "/etc/haproxy/haproxy.cfg"]
+ENTRYPOINT ["/haproxy_exec.sh"]

container/haproxy.cfg

@@ -27,17 +27,10 @@ defaults
         timeout server  50000
 
 userlist controller
-    user dataplaneapi insecure-password "${SECRET_DATAPLANEAPI}"
-
-listen dataplane
-       bind :5555
-       mode http
-       acl auth http_auth(controller)
-       http-request auth realm dataplane unless auth
-       server dplane unix@/dplane.sock
+    user dataplaneapi insecure-password %%SECRET_DATAPLANEAPI%%
 
 program api
-        command /usr/bin/dataplaneapi --socket-path=/run/offload/dplane.sock --haproxy-bin /usr/sbin/haproxy --reload-cmd "/bin/kill -SIGUSR2 1" -i --log-to=stdout --log-level=info
+        command /usr/bin/dataplaneapi --host=0.0.0.0 --port=5555 --haproxy-bin /usr/sbin/haproxy --reload-cmd "/bin/kill -SIGUSR2 1" -i --log-to=stdout --log-level=info
         no option start-on-reload
 
 program faccess

container/haproxy_exec.sh

+#!/bin/bash
+
+set -e
+set -u
+
+/bin/sed "s/%%SECRET_DATAPLANEAPI%%/${SECRET_DATAPLANEAPI}/g" /etc/haproxy/haproxy.cfg > /run/haproxy/haproxy.cfg
+
+exec /usr/sbin/haproxy -f /run/haproxy/haproxy.cfg "$@"