ENH: Adds CRT_LIST_PATH (#40)

Author: thomasjpfan

docs/config.md

@@ -20,6 +20,7 @@ The following environment variables can be used to configure the *Docker Flow Pr
 |COMPRESSION_ALGO   |Enable HTTP compression. The currently supported algorithms are:<br>**identity**: this is mostly for debugging.<br>**gzip**: applies gzip compression. This setting is only available when support for zlib or libslz was built in.<br>**deflate**: same as *gzip*, but with deflate algorithm and zlib format. Note that this algorithm has ambiguous support on many browsers and no support at all from recent ones. It is strongly recommended not to use it for anything else than experimentation. This setting is only available when support for zlib or libslz was built in.<br>**raw-deflate**: same as *deflate* without the zlib wrapper, and used as an alternative when the browser wants "deflate". All major browsers understand it and despite violating the standards, it is known to work better than *deflate*, at least on MSIE and some versions of Safari. This setting is only available when support for zlib or libslz was built in.<br>Compression will be activated depending on the Accept-Encoding request header. With identity, it does not take care of that header. If backend servers support HTTP compression, these directives will be no-op: haproxy will see the compressed response and will not compress again. If backend servers do not support HTTP compression and there is Accept-Encoding header in request, haproxy will compress the matching response.<br>Compression is disabled when:<br>* the request does not advertise a supported compression algorithm in the "Accept-Encoding" header<br>* the response message is not HTTP/1.1<br>* HTTP status code is not 200<br>* response header "Transfer-Encoding" contains "chunked" (Temporary Workaround)<br>* response contain neither a "Content-Length" header nor a "Transfer-Encoding" whose last value is "chunked"<br>* response contains a "Content-Type" header whose first value starts with "multipart"<br>* the response contains the "no-transform" value in the "Cache-control" header<br>* User-Agent matches "Mozilla/4" unless it is MSIE 6 with XP SP2, or MSIE 7 and later<br>* The response contains a "Content-Encoding" header, indicating that the response is already compressed (see compression offload)<br>**Example:** gzip|
 |COMPRESSION_TYPE   |The type of files that will be compressed.<br>**Example:** text/css text/html text/javascript application/javascript text/plain text/xml application/json|
 |CONNECTION_MODE    |HAProxy supports 5 connection modes.<br><br>`http-keep-alive`: all requests and responses are processed.<br>`http-tunnel`: only the first request and response are processed, everything else is forwarded with no analysis.<br>`httpclose`: tunnel with "Connection: close" added in both directions.<br>`http-server-close`: the server-facing connection is closed after the response.<br>`forceclose`: the connection is actively closed after end of response.<br><br>In general, it is preferred to use `http-server-close` with application servers, and some static servers might benefit from `http-keep-alive`.<br>**Example:** `http-server-close`<br>**Default value:** `http-keep-alive`|
+|CRT_LIST_PATH      |When defined, DFP will not generated `crt-list.txt` file to be used by ssl. `CRT_LIST_PATH` will be used in HAProxy's `ssl crt-list` configuration.|
 |DEBUG              |Enables logging of each request sent through the proxy. Please consult [Debug Format](#debug-format) for info about the log entries. This feature should be used with caution. **Do not enable debugging in production unless necessary.**<br>**Example:** true<br>**Default value:** `false`|
 |DEBUG_ERRORS_ONLY  |If set to `true`, only requests that resulted in an error, timeout, retry, and redispatch will be logged. If a request is HTTP, responses with a status 5xx will be logged too. This variable will take effect only if `DEBUG` is set to `true`.<br>**Example:** `true`<br>**Default value:** `false`|
 |DEBUG_HTTP_FORMAT  |Logging format that will be used with HTTP requests. Please consult [Custom log format](https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#8.2.4) for more info about the available options.|

proxy/ha_proxy.go

@@ -338,15 +338,23 @@ func (m HaProxy) getConfigData() configData {
 func (m *HaProxy) getCertsConfigSnippet() string {
 	certPaths := m.GetCertPaths()
 	certs := ""
+	crtListPathEnv := os.Getenv("CRT_LIST_PATH")
 	if len(certPaths) > 0 {
 		h2 := ""
+		crtListPathDefault := "/cfg/crt-list.txt"
+		if len(crtListPathEnv) > 0 {
+			crtListPathDefault = crtListPathEnv
+		}
 		if strings.EqualFold(os.Getenv("ENABLE_H2"), "true") {
 			h2 = "h2,"
 		}
-		certs = fmt.Sprintf(" ssl crt-list /cfg/crt-list.txt alpn %shttp/1.1", h2)
-		certMu.Lock()
-		defer certMu.Unlock()
-		writeFile("/cfg/crt-list.txt", []byte(strings.Join(certPaths, "\n")), 0664)
+		certs = fmt.Sprintf(" ssl crt-list %s alpn %shttp/1.1", crtListPathDefault, h2)
+
+		if len(crtListPathEnv) == 0 {
+			certMu.Lock()
+			defer certMu.Unlock()
+			writeFile(crtListPathDefault, []byte(strings.Join(certPaths, "\n")), 0664)
+		}
 	}
 	if len(os.Getenv("CA_FILE")) > 0 {
 		if len(certs) == 0 {

proxy/ha_proxy_test.go

@@ -2385,6 +2385,54 @@ func (s HaProxyTestSuite) Test_CreateConfigFromTemplates_DoesNotAddH2_WhenEnable
 	s.Equal(expectedData, actualData)
 }
 
+func (s HaProxyTestSuite) Test_CreateConfigFromTemplates_CustomCrtListPath() {
+	readDirOrig := readDir
+	crtListPathOrig := os.Getenv("CRT_LIST_PATH")
+	defer func() {
+		readDir = readDirOrig
+		os.Setenv("CRT_LIST_PATH", crtListPathOrig)
+	}()
+	os.Setenv("CRT_LIST_PATH", "/cfg/custom-crt-list.txt")
+	mockedFiles := []os.FileInfo{}
+	file := FileInfoMock{
+		NameMock: func() string {
+			return "my-cert"
+		},
+		IsDirMock: func() bool {
+			return false
+		},
+	}
+	mockedFiles = append(mockedFiles, file)
+	readDir = func(dir string) ([]os.FileInfo, error) {
+		if dir == "/certs" {
+			return mockedFiles, nil
+		}
+		return []os.FileInfo{}, nil
+	}
+	var actualData string
+	writeFileCnt := 0
+	tmpl := strings.Replace(
+		s.TemplateContent,
+		"\n    bind *:80\n    bind *:443",
+		"\n    bind *:80\n    bind *:443 ssl crt-list /cfg/custom-crt-list.txt alpn http/1.1",
+		-1)
+	expectedData := fmt.Sprintf(
+		`%s%s`,
+		tmpl,
+		s.ServicesContent,
+	)
+	writeFile = func(filename string, data []byte, perm os.FileMode) error {
+		writeFileCnt += 1
+		actualData = string(data)
+		return nil
+	}
+
+	NewHaProxy(s.TemplatesPath, s.ConfigsPath).CreateConfigFromTemplates()
+
+	s.Equal(expectedData, actualData)
+	s.Equal(1, writeFileCnt)
+}
+
 func (s HaProxyTestSuite) Test_CreateConfigFromTemplates_AddsCaFile_WhenEnvVarIsSet() {
 	caFile := "my-ca-file"
 	caFileOrig := os.Getenv("CA_FILE")