Support for NC_HAPROXY_PASSWORD_FILE env variable (#26)

bigcat88 · web-flow · commit 1efae75f14f1 · 2024-06-11T16:11:28.000+03:00
* add support for `NC_HAPROXY_PASSWORD_FILE` env variable

Signed-off-by: Alexander Piskun &lt;bigcat88@icloud.com&gt;

* not create the "haproxy.cfg" each time. replaced the "insecure password" with "password"

Signed-off-by: Alexander Piskun &lt;bigcat88@icloud.com&gt;

---------

Signed-off-by: Alexander Piskun &lt;bigcat88@icloud.com&gt;
diff --git a/Dockerfile b/Dockerfile
@@ -19,12 +19,13 @@ RUN set -ex; \
         openssl \
         bind-tools \
         nano \
-        vim; \
+        vim \
+        envsubst; \
     chmod -R 777 /tmp
 
 COPY --chmod=775 *.sh /
-COPY --chmod=664 haproxy.cfg /haproxy.cfg
-COPY --chmod=664 haproxy_ex_apps.cfg /haproxy_ex_apps.cfg
+COPY --chmod=664 haproxy.cfg.template /haproxy.cfg.template
+COPY --chmod=664 haproxy_ex_apps.cfg.template /haproxy_ex_apps.cfg.template
 
 WORKDIR /
 ENTRYPOINT ["/bin/bash", "start.sh"]
diff --git a/README.md b/README.md
@@ -69,6 +69,12 @@ You should set `BIND_ADDRESS` to the IP on which server with ExApps can accept r
 
 `TIMEOUT_SERVER`: timeout for ExApp to start responding to NC request, default: **30s**
 
+`NC_HAPROXY_PASSWORD_FILE`: Specifies path to a file containing the password for HAProxy. 
+
+> [!NOTE]
+> This file should be mounted into the container, and the password will be read from this file.
+> If both NC_HAPROXY_PASSWORD and NC_HAPROXY_PASSWORD_FILE are specified, the container will exit with an error.
+
 #### Only for ExApp installs with TLS:
 
 * `EX_APPS_NET`: determines destination of requests to ExApps for HaProxy. Default:`localhost`
diff --git a/haproxy.cfg.template b/haproxy.cfg.template
@@ -9,12 +9,12 @@ defaults
     log global
     option httplog
     option dontlognull
-    timeout connect TIMEOUT_CONNECT
-    timeout client TIMEOUT_CLIENT
-    timeout server TIMEOUT_SERVER
+    timeout connect ${TIMEOUT_CONNECT}
+    timeout client ${TIMEOUT_CLIENT}
+    timeout server ${TIMEOUT_SERVER}
 
 userlist app_api_credentials
-    user app_api_haproxy_user insecure-password "NC_PASSWORD_PLACEHOLDER"
+    user app_api_haproxy_user password ${NC_HAPROXY_PASSWORD}
 
 frontend docker_engine
     mode http
diff --git a/haproxy_ex_apps.cfg.template b/haproxy_ex_apps.cfg.template
diff --git a/start.sh b/start.sh
@@ -1,19 +1,42 @@
 #!/bin/sh
 
-sed -i "s|NC_PASSWORD_PLACEHOLDER|$NC_HAPROXY_PASSWORD|" /haproxy.cfg
-sed -i "s|TIMEOUT_CONNECT|$TIMEOUT_CONNECT|" /haproxy.cfg
-sed -i "s|TIMEOUT_CLIENT|$TIMEOUT_CLIENT|" /haproxy.cfg
-sed -i "s|TIMEOUT_SERVER|$TIMEOUT_SERVER|" /haproxy.cfg
+if [ ! -f "/haproxy.cfg" ]; then
 
-if [ -f "/certs/cert.pem" ]; then
-    EX_APPS_COUNT_PADDED=$(printf "%03d" "$EX_APPS_COUNT")
-    sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:$HAPROXY_PORT v4v6 ssl crt /certs/cert.pem|" /haproxy.cfg
-    sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:23000-23$EX_APPS_COUNT_PADDED v4v6 ssl crt /certs/cert.pem|" /haproxy_ex_apps.cfg
-    sed -i "s|EX_APPS_NET_PLACEHOLDER|$EX_APPS_NET|" /haproxy_ex_apps.cfg
-    # Chmod certs to be accessible by haproxy
-    chmod 644 /certs/cert.pem
+  echo "Creating HaProxy config.."
+
+  if [ -n "$NC_HAPROXY_PASSWORD_FILE" ] && [ ! -f "$NC_HAPROXY_PASSWORD_FILE" ]; then
+    echo "Error: NC_HAPROXY_PASSWORD_FILE is specified but the file does not exist."
+    exit 1
+  fi
+
+  if [ -n "$NC_HAPROXY_PASSWORD" ] && [ -n "$NC_HAPROXY_PASSWORD_FILE" ]; then
+    echo "Error: Only one of NC_HAPROXY_PASSWORD or NC_HAPROXY_PASSWORD_FILE should be specified."
+    exit 1
+  fi
+
+  if [ -n "$NC_HAPROXY_PASSWORD_FILE" ]; then
+    NC_HAPROXY_PASSWORD=$(mkpasswd -m sha-256 < "$NC_HAPROXY_PASSWORD_FILE")
+  else
+    NC_HAPROXY_PASSWORD=$(echo "$NC_HAPROXY_PASSWORD" | mkpasswd -m sha-256)
+  fi
+
+  export NC_HAPROXY_PASSWORD
+
+  envsubst < /haproxy.cfg.template > /haproxy.cfg
+  envsubst < /haproxy_ex_apps.cfg.template > /haproxy_ex_apps.cfg
+
+  if [ -f "/certs/cert.pem" ]; then
+      EX_APPS_COUNT_PADDED=$(printf "%03d" "$EX_APPS_COUNT")
+      sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:$HAPROXY_PORT v4v6 ssl crt /certs/cert.pem|" /haproxy.cfg
+      sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:23000-23$EX_APPS_COUNT_PADDED v4v6 ssl crt /certs/cert.pem|" /haproxy_ex_apps.cfg
+      sed -i "s|EX_APPS_NET_PLACEHOLDER|$EX_APPS_NET|" /haproxy_ex_apps.cfg
+      # Chmod certs to be accessible by haproxy
+      chmod 644 /certs/cert.pem
+  else
+      sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:$HAPROXY_PORT v4v6|" /haproxy.cfg
+  fi
 else
-    sed -i "s|BIND_ADDRESS_PLACEHOLDER|bind $BIND_ADDRESS:$HAPROXY_PORT v4v6|" /haproxy.cfg
+  echo "HaProxy config already present."
 fi
 
 echo "HaProxy config:"
