ci: create random user name and password for haproxy (#903)

Signed-off-by: Jeffrey Tang <[email protected]>

charts/fullstack-deployment/config-files/haproxy.cfg

@@ -26,11 +26,11 @@ defaults
     timeout http-keep-alive 30s
     option http-keep-alive
 
-userlist haproxy-dataplaneapi
-  user admin insecure-password adminpwd
+userlist {{ .haproxy_user }}
+  user admin insecure-password {{ .haproxy_password }}
 
 program api
-  command /usr/bin/dataplaneapi --host 0.0.0.0 --port 5555 --haproxy-bin /usr/sbin/haproxy --config-file /usr/local/etc/haproxy/haproxy.cfg --reload-cmd "kill -SIGUSR2 1" --reload-delay 5 --restart-cmd "kill -SIGUSR2 1" --userlist haproxy-dataplaneapi
+  command /usr/bin/dataplaneapi --host 0.0.0.0 --port 5555 --haproxy-bin /usr/sbin/haproxy --config-file /usr/local/etc/haproxy/haproxy.cfg --reload-cmd "kill -SIGUSR2 1" --reload-delay 5 --restart-cmd "kill -SIGUSR2 1" --userlist {{ .haproxy_user }}
   no option start-on-reload
 
 resolvers k8s_resolver

charts/fullstack-deployment/templates/_helpers.tpl

@@ -74,3 +74,23 @@ export MINIO_ROOT_PASSWORD={{ include "minio.secretKey" . }}
   emptyDir: {}
   {{- end }}
 {{- end -}}
+
+{{- define "generateHaproxyPassword" -}}
+{{- $password := randAlpha 10 -}}
+{{- $previous := lookup "v1" "Secret" .Release.Namespace "haproxy-secrets" }}
+{{- if and $previous (index $previous.data "haproxy_password") -}}
+{{- $password := $previous.data.haproxy_password -}}
+{{- end -}}
+{{- $_ := set .Values.global "haproxy_password" ($password) -}}
+{{- $password -}}
+{{- end -}}
+
+{{- define "generateHaproxyUser" -}}
+{{- $username := randAlpha 10 -}}
+{{- $previous := lookup "v1" "Secret" .Release.Namespace "haproxy-secrets" }}
+{{- if and $previous (index $previous.data "haproxy_user") -}}
+{{- $username := $previous.data.haproxy_user -}}
+{{- end -}}
+{{- $_ := set .Values.global "haproxy_user" ($username) -}}
+{{- $username -}}
+{{- end -}}

charts/fullstack-deployment/templates/configmaps/haproxy-cm.yaml

@@ -1,5 +1,7 @@
 # Create a haproxy configmap for each network node
 # This will change in the future, we plan create a haproxy for a given network node only if specified in the config
+{{- $haproxy_password := .Values.global.haproxy_password  -}}
+{{- $haproxy_user := .Values.global.haproxy_user  -}}
 {{- range $index, $node := ($.Values.hedera.nodes) }}
 apiVersion: v1
 kind: ConfigMap
@@ -10,7 +12,7 @@ metadata:
     {{- include "fullstack.testLabels" $ | nindent 4 }}
 data:
   haproxy.cfg: |
-    {{- tpl ($.Files.Get "config-files/haproxy.cfg") (dict "nodeConfig" $node "namespace" $.Release.Namespace "Template" $.Template) | nindent 4 }}
+    {{- tpl ($.Files.Get "config-files/haproxy.cfg") (dict "nodeConfig" $node "namespace" $.Release.Namespace "haproxy_user" $haproxy_user "haproxy_password" $haproxy_password "Template" $.Template) | nindent 4 }}
 ---
 {{ end }}
 apiVersion: v1

charts/fullstack-deployment/templates/proxy/haproxy-deployment.yaml

@@ -49,6 +49,14 @@ spec:
       - name: {{ default $defaults.nameOverride $haproxy.nameOverride }}
         image: {{ include "fullstack.container.image" (dict "image" $haproxy.image "Chart" $.Chart "defaults" $defaults ) }}
         imagePullPolicy: {{ include "fullstack.images.pullPolicy" (dict "image" $haproxy.image "defaults" $defaults )  }}
+        livenessProbe:
+          httpGet:
+            path: /v2/services/haproxy/stats/native?type=backend
+            port: 5555
+        readinessProbe:
+          httpGet:
+            path: /v2/services/haproxy/stats/native?type=backend
+            port: 5555
         startupProbe:
           exec:
             command:
@@ -62,7 +70,7 @@ spec:
               }
               probe() {
                 jq_check || return 1
-                wget -q -O response.json --header "Authorization: Basic $(echo -n "admin:adminpwd" | base64)" http://localhost:5555/v2/services/haproxy/stats/native?type=backend || return 1
+                wget -q -O response.json --header "Authorization: Basic $(echo -n "admin:{{ $.Values.global.haproxy_password }}")" http://localhost:5555/v2/services/haproxy/stats/native?type=backend || return 1
                 BACKEND_STATUS=$(jq -r '.[] | .stats[] | select(.name == "http_backend") | .stats.status' < response.json)
                 echo "http_backend status: $BACKEND_STATUS"
                 if [ "$BACKEND_STATUS" = "UP" ]; then

charts/fullstack-deployment/templates/secrets/haproxy-secrets.yaml

@@ -0,0 +1,11 @@
+{{- $password := include "generateHaproxyPassword" . -}}
+{{- $username := include "generateHaproxyUser" . -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: haproxy-secrets
+type: Opaque
+stringData:
+  haproxy_user: {{ $username }}
+  haproxy_password: {{ $password }}
+---