From feb406463542430a08ee732b5876db668ae9c749 Mon Sep 17 00:00:00 2001 From: kinjelom Date: Mon, 29 Apr 2024 10:01:50 +0200 Subject: [PATCH 01/11] pre_start_script - a script appended to the pre-start script of HAProxy job --- jobs/haproxy/spec | 17 +++++++++++ jobs/haproxy/templates/pre-start.erb | 6 ++++ spec/haproxy/templates/pre-start_spec.rb | 36 ++++++++++++++++++++++++ 3 files changed, 59 insertions(+) create mode 100644 spec/haproxy/templates/pre-start_spec.rb diff --git a/jobs/haproxy/spec b/jobs/haproxy/spec index 0df72fe7..a35bc84c 100644 --- a/jobs/haproxy/spec +++ b/jobs/haproxy/spec @@ -39,6 +39,23 @@ consumes: optional: true properties: + ha_proxy.pre_start_script: + description: | + This script will be appended to the pre-start script and run before the job starts. + The pre-start script allows the job to prepare the machine before starting HAProxy, + for example, by setting the MTU to a custom value. + default: ~ + example: | + # customize MTU + CUST_MTU=((custom_mtu)) + INTERFACE=$(ip -4 route get 8.8.8.8 | grep -Po '(?<=dev )\S+') #' + CURR_MTU=$(ip link show $INTERFACE | grep -Po 'mtu \K\d+') + if [[ $CURR_MTU -ne $CUST_MTU ]]; then + sudo ip link set dev $INTERFACE mtu $CUST_MTU + echo "MTU changed from $CURR_MTU to $CUST_MTU, interface: $INTERFACE." + fi + CURR_MTU=$(ip link show $INTERFACE | grep -Po 'mtu \K\d+') + echo "MTU: $CURR_MTU, interface: $INTERFACE" ha_proxy.nbthread: description: "Optional number of threads per VM" default: 1 diff --git a/jobs/haproxy/templates/pre-start.erb b/jobs/haproxy/templates/pre-start.erb index 565e837f..b511c8c8 100644 --- a/jobs/haproxy/templates/pre-start.erb +++ b/jobs/haproxy/templates/pre-start.erb @@ -20,3 +20,9 @@ fi if [ ! -e /usr/local/bin/socat ]; then sudo ln -s /var/vcap/packages/haproxy/bin/socat /usr/local/bin/socat fi + +<%- if_p("ha_proxy.pre_start_script") do |script| -%> +# ha_proxy.pre_start_script {{{ +<%= script %> +# }}} +<%- end -%> 
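Review bot: The `ha_proxy.pre_start_script` description does not say that the value is executed verbatim with whatever privileges the job's pre-start script has, so operators have no cue that this property is code rather than configuration; the example's own `sudo ip link set` relies on exactly that. Suggested sentence after the first one: `The content is inlined into the pre-start script unmodified and runs with the same privileges and shell settings as that script, so anyone who can set this property can run arbitrary commands on the VM.` The example also uses `((custom_mtu))`, which is resolved by manifest variable interpolation and will not work if the snippet is copied literally; saying it is a placeholder avoids that surprise.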
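Review bot: `<%= script %>` inlines the operator script into the same shell as the rest of pre-start, so it inherits and can change that shell's state (errexit, exported variables, working directory); the top of pre-start.erb is outside the hunk, so whether `set -e` is active at this point cannot be confirmed from here. A short comment above the opening marker would make the contract explicit, e.g. `# Operator-supplied commands run inline in this shell, not in a subshell; a failing command aborts pre-start only if errexit is set above.` `if_p` appears to yield for an empty string as well as a value (the `stats_user` hunk later in this series guards that case explicitly), which here only emits the two marker comments and is harmless.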
diff --git a/spec/haproxy/templates/pre-start_spec.rb b/spec/haproxy/templates/pre-start_spec.rb new file mode 100644 index 00000000..7c0a9540 --- /dev/null +++ b/spec/haproxy/templates/pre-start_spec.rb @@ -0,0 +1,36 @@ +# frozen_string_literal: true + +require 'rspec' + +describe 'bin/pre-start' do + let(:template) { haproxy_job.template('bin/pre-start') } + + describe 'ha_proxy.pre_start_script' do + context 'when not provided by default' do + it 'does not include script lines' do + pre_start = template.render( + { + 'ha_proxy' => {} + } + ) + expect(pre_start).not_to include('# ha_proxy.pre_start_script {{{') + expect(pre_start).not_to include('pre-start-script-line') + end + end + + context 'when provided' do + it 'includes script lines' do + pre_start = template.render( + { + 'ha_proxy' => { + 'pre_start_script' => "pre-start-script-line1\npre-start-script-line2" + } + } + ) + expect(pre_start).to include('# ha_proxy.pre_start_script {{{') + expect(pre_start).to include('pre-start-script-line1') + expect(pre_start).to include('pre-start-script-line2') + end + end + end +end From d831ec6da7ee56f526e1be439db9d267370343a6 Mon Sep 17 00:00:00 2001 From: kinjelom Date: Mon, 29 Apr 2024 10:11:04 +0200 Subject: [PATCH 02/11] ssl_min/max_ver - enforce minimum and maximum SSL versions for connections --- jobs/haproxy/spec | 21 ++++++-- jobs/haproxy/templates/haproxy.config.erb | 42 ++++++++++------ .../global_and_default_options_spec.rb | 50 +++++++++++++++++++ 3 files changed, 92 insertions(+), 21 deletions(-) diff --git a/jobs/haproxy/spec b/jobs/haproxy/spec index a35bc84c..62367449 100644 --- a/jobs/haproxy/spec +++ b/jobs/haproxy/spec 
@@ -254,21 +254,32 @@ properties: ha_proxy.default_dh_param: default: 2048 description: "Maximum size of DH params when generating epmehmeral keys during key exchange" + ha_proxy.ssl_min_ver: + example: "TLSv1.2" + description: | + This option enforces the use of 'version' or higher for SSL connections initiated from this listener. + The recommended value is 'TLSv1.2'. It is not the default due to backward compatibility concerns with + the 'disable_tls_*' options. If this option is set, the 'disable_tls_*' options will be ignored. + ha_proxy.ssl_max_ver: + example: "TLSv1.3" + description: | + This option enforces the use of 'version' or lower for SSL connections initiated from this listener. + It will only be set if 'ssl_min_ver' is specified, as the default HAProxy ssl-min-ver may change in future. ha_proxy.disable_tls_tickets: default: true - description: "Improve (Perfect) Forward Secrecy by disabling TLS tickets" + description: "Improve (Perfect) Forward Secrecy by disabling TLS tickets. Use 'ssl_min_ver' and 'ssl_max_ver' instead." ha_proxy.disable_tls_10: default: false - description: "Disable TLS 1.0 in HA Proxy" + description: "Disable TLS 1.0 in HA Proxy. Use 'ssl_min_ver' and 'ssl_max_ver' instead." ha_proxy.disable_tls_11: default: false - description: "Disable TLS 1.1 in HA Proxy" + description: "Disable TLS 1.1 in HA Proxy. Use 'ssl_min_ver' and 'ssl_max_ver' instead." ha_proxy.disable_tls_12: default: false - description: "Disable TLS 1.2 in HA Proxy" + description: "Disable TLS 1.2 in HA Proxy. Use 'ssl_min_ver' and 'ssl_max_ver' instead." ha_proxy.disable_tls_13: default: false - description: "Disable TLS 1.3 in HA Proxy" + description: "Disable TLS 1.3 in HA Proxy. Use 'ssl_min_ver' and 'ssl_max_ver' instead." ha_proxy.backend_match_http_protocol: default: false description: Uses the same version of HTTP for backend connections that was used for frontend connections (ie HTTP 1.1 or HTTP 2). Ignores the value of enable_http2. 
HTTP2 backend connections require that `ha_proxy.backend_ssl` is not `off`. diff --git a/jobs/haproxy/templates/haproxy.config.erb b/jobs/haproxy/templates/haproxy.config.erb index 9018b04e..dcfef375 100644 --- a/jobs/haproxy/templates/haproxy.config.erb +++ b/jobs/haproxy/templates/haproxy.config.erb @@ -40,23 +40,33 @@ if p("ha_proxy.disable_tcp_accept_proxy") end # }}} # Global SSL Flags {{{ -ssl_flags = "no-sslv3" -if p("ha_proxy.disable_tls_10") - ssl_flags = "#{ssl_flags} no-tlsv10" -end -if p("ha_proxy.disable_tls_11") - ssl_flags = "#{ssl_flags} no-tlsv11" -end -if p("ha_proxy.disable_tls_12") - ssl_flags = "#{ssl_flags} no-tlsv12" -end -if p("ha_proxy.disable_tls_13") - ssl_flags = "#{ssl_flags} no-tlsv13" -end -if p("ha_proxy.disable_tls_tickets") - ssl_flags = "#{ssl_flags} no-tls-tickets" +ssl_flags = "" +use_disable_ssl = true +if_p("ha_proxy.ssl_min_ver") do |ssl_min_ver| + use_disable_ssl = false + ssl_flags = "ssl-min-ver #{ssl_min_ver}" + if_p("ha_proxy.ssl_max_ver") do |ssl_max_ver| + ssl_flags = "#{ssl_flags} ssl-max-ver #{ssl_max_ver}" + end end -# }}} +if use_disable_ssl + ssl_flags = "no-sslv3" + if p("ha_proxy.disable_tls_10") + ssl_flags = "#{ssl_flags} no-tlsv10" + end + if p("ha_proxy.disable_tls_11") + ssl_flags = "#{ssl_flags} no-tlsv11" + end + if p("ha_proxy.disable_tls_12") + ssl_flags = "#{ssl_flags} no-tlsv12" + end + if p("ha_proxy.disable_tls_13") + ssl_flags = "#{ssl_flags} no-tlsv13" + end + if p("ha_proxy.disable_tls_tickets") + ssl_flags = "#{ssl_flags} no-tls-tickets" + end +end# }}} # TLS Bind Options {{{ mutual_tls_enabled = p("ha_proxy.client_cert") ssl_enabled = false diff --git a/spec/haproxy/templates/haproxy_config/global_and_default_options_spec.rb b/spec/haproxy/templates/haproxy_config/global_and_default_options_spec.rb index d13eb3ce..8dba2eef 100644 --- a/spec/haproxy/templates/haproxy_config/global_and_default_options_spec.rb +++ b/spec/haproxy/templates/haproxy_config/global_and_default_options_spec.rb 
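Review bot: `ha_proxy.ssl_min_ver` and `ha_proxy.ssl_max_ver` are written into the HAProxy configuration unvalidated, so the descriptions should list the accepted values — HAProxy's `ssl-min-ver`/`ssl-max-ver` take `SSLv3`, `TLSv1.0`, `TLSv1.1`, `TLSv1.2` and `TLSv1.3` — because a typo only surfaces as a configuration-parse failure when HAProxy starts. Suggested addition to both descriptions: `Accepted values: SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3; an invalid value makes HAProxy refuse to start.` The `ssl_max_ver` text says it is only applied when `ssl_min_ver` is set; it would help to state plainly that a value given without `ssl_min_ver` is silently ignored, which is what the template hunk in this commit does.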
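Review bot: `if_p("ha_proxy.ssl_min_ver")` appears to yield for an empty string as well as a real version (the `stats_user` hunk later in this series guards that case with `!= ""`), so `ssl_min_ver: ""` sets `use_disable_ssl = false` and emits `ssl-min-ver ` with no value — an unparsable option — while also dropping `no-sslv3` and the `no-tlsv1*` flags. Guard the value before switching modes, e.g. `next if ssl_min_ver.to_s.strip.empty?` as the first line of the `if_p` block, and the same for `ssl_max_ver`, so an empty property falls back to the `disable_tls_*` path instead of producing a broken configuration.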
@@ -120,6 +120,56 @@ end end + context 'when ha_proxy.ssl_min_ver is provided' do + let(:properties) do + { + 'ssl_min_ver' => 'TLSv1.2', + 'disable_tls_10' => true, + 'disable_tls_11' => true, + 'disable_tls_12' => true, + 'disable_tls_13' => true, + 'disable_tls_tickets' => true + } + end + + it 'enables ssl-min-ver and ignores tls_disable_ properties' do + expect(global).to include('ssl-default-server-options ssl-min-ver TLSv1.2') + expect(global).to include('ssl-default-bind-options ssl-min-ver TLSv1.2') + end + end + + context 'when ha_proxy.ssl_min_ver is not provided and ha_proxy.ssl_max_ver is provided' do + let(:properties) do + { + 'ssl_max_ver' => 'TLSv1.3', + 'disable_tls_10' => false, + 'disable_tls_11' => false, + 'disable_tls_12' => false, + 'disable_tls_13' => false, + 'disable_tls_tickets' => false + } + end + + it 'ignores ssl-min/max-ver properties, tls_disable_ properties are used' do + expect(global).to include('ssl-default-server-options no-sslv3') + expect(global).to include('ssl-default-bind-options no-sslv3') + end + end + + context 'when ha_proxy.ssl_min_ver and ha_proxy.ssl_max_ver are provided' do + let(:properties) do + { + 'ssl_min_ver' => 'TLSv1.2', + 'ssl_max_ver' => 'TLSv1.3' + } + end + + it 'enables ssl-min/max-ver and ignores tls_disable_ properties' do + expect(global).to include('ssl-default-server-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3') + expect(global).to include('ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3') + end + end + context 'when ha_proxy.disable_tls_10 is provided' do let(:properties) do { From 49ad7fad255e1e4a33eeaf8aa2632d045e60a7ea Mon Sep 17 00:00:00 2001 
From: kinjelom Date: Mon, 29 Apr 2024 10:20:58 +0200 Subject: [PATCH 03/11] support for `raw_blocks` with or without names, `config_mode` auto/raw_blocks_only --- jobs/haproxy/spec | 25 ++++------ jobs/haproxy/templates/haproxy.config.erb | 21 ++++++-- .../haproxy_config/raw_blocks_spec.rb | 48 ++++++++++++++++--- 3 files changed, 67 insertions(+), 27 deletions(-) diff --git a/jobs/haproxy/spec b/jobs/haproxy/spec index 62367449..3f719d5b 100644 --- a/jobs/haproxy/spec +++ b/jobs/haproxy/spec @@ -56,6 +56,11 @@ properties: fi CURR_MTU=$(ip link show $INTERFACE | grep -Po 'mtu \K\d+') echo "MTU: $CURR_MTU, interface: $INTERFACE" + ha_proxy.config_mode: + description: | + 'auto' - utilizes raw_config if defined; otherwise, it uses traditional configuration mixed with raw_blocks, + 'raw_blocks_only' - uses only raw_blocks, ignoring other configurations. + default: auto ha_proxy.nbthread: description: "Optional number of threads per VM" default: 1 @@ -701,11 +706,15 @@ properties: you want. Use at your own risk. ha_proxy.raw_blocks: description: | - A hash of block types, where each type contains a hash of specific block names with their respective configurations. + A hash of block types, where each type contains either a configuration + or a hash of specific block names with their respective configurations. The configurations are provided as either multiline text blobs or arrays of lines. This structure will be appended to the end of the HAProxy configuration file. Use at your own risk. example: + defaults: | + log global + timeout http-request 10s listen: my-listen-x: | bind :81 
@@ -715,20 +724,6 @@ properties: - bind :82 - mode http - server-template srv 1-3 q-s0.web.default.deployment-y.bosh:8080 check inter 1000 - frontend: - my-frontend-x: | - bind :83 - use_backend my-backend-x if { hdr(host) -i x.example.com } - my-frontend-y: - - bind :84 - - use_backend my-backend-y if { hdr(host) -i y.example.com } - backend: - my-backend-x: | - mode http - server-template srv-x 1-3 q-s0.web.default.deployment-x.bosh:8080 check inter 1000 - my-backend-y: - - mode http - - server-template srv-y 1-3 q-s0.web.default.deployment-y.bosh:8080 check inter 1000 ha_proxy.max_open_files: description: The number of file descriptors HAProxy can have open at one time diff --git a/jobs/haproxy/templates/haproxy.config.erb b/jobs/haproxy/templates/haproxy.config.erb index dcfef375..f4f83a8c 100644 --- a/jobs/haproxy/templates/haproxy.config.erb +++ b/jobs/haproxy/templates/haproxy.config.erb @@ -17,7 +17,8 @@ end end - if properties.ha_proxy.raw_config -%> + if properties.ha_proxy.config_mode == "auto" + if properties.ha_proxy.raw_config -%> <%= p("ha_proxy.raw_config") %> <%- else -%> <%- @@ -26,8 +27,8 @@ require "digest" # Stats Binding Variables {{{ stat = p("ha_proxy.stats_bind").split(':') -stat_prefix = stat[0] + ":"; -stat_port = stat[1].to_i; +stat_prefix = stat[0] + ":" +stat_port = stat[1].to_i # }}} # Accept Proxy {{{ accept_proxy = "" @@ -66,7 +67,8 @@ if use_disable_ssl if p("ha_proxy.disable_tls_tickets") ssl_flags = "#{ssl_flags} no-tls-tickets" end -end# }}} +end +# }}} # TLS Bind Options {{{ mutual_tls_enabled = p("ha_proxy.client_cert") ssl_enabled = false @@ -985,6 +987,7 @@ listen health_check_http_tcp-<%= tcp_proxy["name"] %> # }}} <% end -%> +<%- end -%> <%- if properties.ha_proxy.raw_blocks && !properties.ha_proxy.raw_blocks.empty? -%> # raw blocks {{{ <%- 
@@ -994,10 +997,18 @@ listen health_check_http_tcp-<%= tcp_proxy["name"] %> additional_types = raw_blocks.keys - correct_types_order all_found_types = ordered_blocks + additional_types all_found_types.each do |block_type| - raw_blocks[block_type].each do |block_id, block_raw_config| + raw_block = raw_blocks[block_type] + if raw_block.is_a?(Hash) + raw_block.each do |block_id, block_raw_config| %> <%= block_type %> <%= block_id %> <%= format_indented_multiline_config(block_raw_config) %> +<%- + end + else +%> +<%= block_type %> + <%= format_indented_multiline_config(raw_block) %> <%- end end diff --git a/spec/haproxy/templates/haproxy_config/raw_blocks_spec.rb b/spec/haproxy/templates/haproxy_config/raw_blocks_spec.rb index 09b318d7..b927cedd 100644 --- a/spec/haproxy/templates/haproxy_config/raw_blocks_spec.rb +++ b/spec/haproxy/templates/haproxy_config/raw_blocks_spec.rb @@ -7,10 +7,13 @@ parse_haproxy_config(template.render({ 'ha_proxy' => properties })) end - context 'when multiline configurations are provided for some raw blocks' do + context 'when multiline configurations are provided for global, defaults and some raw blocks with ids' do let(:properties) do { + 'config_mode' => 'raw_blocks_only', 'raw_blocks' => { + 'global' => "line 1\nline 2\nline 3", + 'defaults' => ['line 1', 'line 2', 'line 3'], 'some' => { 'raw-block-1' => "line 1\nline 2\nline 3", 'raw-block-2' => "\n\nline 1\nline 2\nline 3\n\n", 
@@ -22,15 +25,18 @@ it 'formats the configuration as expected' do expected_block_content = ['line 1', 'line 2', 'line 3'] + expect(haproxy_conf['global']).to eq(expected_block_content) + expect(haproxy_conf['defaults']).to eq(expected_block_content) expect(haproxy_conf['some raw-block-1']).to eq(expected_block_content) expect(haproxy_conf['some raw-block-2']).to eq(expected_block_content) expect(haproxy_conf['some raw-block-3']).to eq(expected_block_content) end end - context 'when there are many types of raw blocks' do + context 'when there are many types of raw blocks, ha_proxy.config_mode=raw_blocks_only' do let(:properties) do { + 'config_mode' => 'raw_blocks_only', 'raw_blocks' => { 'unknown' => { 'raw-test-1' => 'test', 
@@ -42,18 +48,46 @@ 'backend' => { 'raw-test' => 'test' }, 'frontend' => { 'raw-test' => 'test' }, 'listen' => { 'raw-test' => 'test' }, - 'defaults' => { '# raw-test' => 'test' }, - 'global' => { '# raw-test' => 'test' } + 'defaults' => 'test', + 'global' => 'test' } } end - it 'arranges them all in the correct order' do - raw_keys = haproxy_conf.keys.select { |key| key.include?('raw-test') } - expect(raw_keys).to eq(['global # raw-test', 'defaults # raw-test', + it 'return only raw blocks and arranges them in the correct order' do + raw_keys = haproxy_conf.keys + expect(raw_keys).to eq(['global', 'defaults', 'listen raw-test', 'frontend raw-test', 'backend raw-test', 'resolvers raw-test', 'peers raw-test', 'mailers raw-test', 'unknown raw-test-1', 'unknown raw-test-2']) end end + + context 'when there are many types of raw blocks, classic config mode' do + let(:properties) do + { + 'raw_blocks' => { + 'unknown' => { + 'raw-test-1' => 'test', + 'raw-test-2' => 'test' + }, + 'mailers' => { 'raw-test' => 'test' }, + 'peers' => { 'raw-test' => 'test' }, + 'resolvers' => { 'raw-test' => 'test' }, + 'backend' => { 'raw-test' => 'test' }, + 'frontend' => { 'raw-test' => 'test' }, + 'listen' => { 'raw-test' => 'test' } + } + } + end + + it 'return static block and then raw blocks arranged in the correct order' do + raw_keys = haproxy_conf.keys + expect(raw_keys).to eq(['global', 'defaults', 'frontend http-in', 'backend http-routers-http1', + 'listen raw-test', 'frontend raw-test', 'backend raw-test', + 'resolvers raw-test', 'peers raw-test', 'mailers raw-test', + 'unknown raw-test-1', 'unknown raw-test-2']) + end + end + end From 7077010ad12bec77480f10bf0c89b7f12ef7e962 Mon Sep 17 00:00:00 2001 
From: kinjelom Date: Mon, 29 Apr 2024 11:14:49 +0200 Subject: [PATCH 04/11] ability to expose ha_proxy.stats without authentication --- jobs/haproxy/spec | 4 ++-- jobs/haproxy/templates/haproxy.config.erb | 6 ++++- .../haproxy_config/stats_listener_spec.rb | 23 +++++++++++++++++++ 3 files changed, 30 insertions(+), 3 deletions(-) diff --git a/jobs/haproxy/spec b/jobs/haproxy/spec index 3f719d5b..fdd5c65c 100644 --- a/jobs/haproxy/spec +++ b/jobs/haproxy/spec @@ -327,9 +327,9 @@ properties: description: "Define listening address and port for the stats frontend. If multithreading is enabled (`ha_proxy.threads > 1`) multiple stat pages are available - one for each thread. You can see the stat page for each thread on a separate port - starting at the defined port number." default: "*:9000" ha_proxy.stats_user: - description: "User name to authenticate haproxy stats" + description: "User name to authenticate haproxy stats, leave empty if you want the statistics to be available without authentication" ha_proxy.stats_password: - description: "Password to authenticate haproxy stats" + description: "Password to authenticate haproxy stats, ignored when 'stats_user' is empty" ha_proxy.stats_uri: description: "URI used to access the stats UI." default: "haproxy_stats" diff --git a/jobs/haproxy/templates/haproxy.config.erb b/jobs/haproxy/templates/haproxy.config.erb index f4f83a8c..9383bcaf 100644 --- a/jobs/haproxy/templates/haproxy.config.erb +++ b/jobs/haproxy/templates/haproxy.config.erb @@ -346,7 +346,11 @@ listen stats stats hide-version stats realm "Haproxy Statistics" stats uri /<%= p("ha_proxy.stats_uri") %> - stats auth <%= p("ha_proxy.stats_user") %>:<%= p("ha_proxy.stats_password") %> + <%- if_p("ha_proxy.stats_user") do |stats_user| -%> + <%- if stats_user != "" -%> + stats auth <%= stats_user %>:<%= p("ha_proxy.stats_password") %> + <%- end -%> + <%end -%> <% end -%> <% if p("ha_proxy.enable_health_check_http") %> 
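Review bot: The new `stats_user` wording tells operators how to turn authentication off but not what that exposes: `ha_proxy.stats_bind` defaults to `*:9000` (visible just above in this hunk), so an empty `stats_user` publishes the stats page, which typically reveals backend names, addresses and health state, on every interface of the VM. Suggested addition to the `stats_user` description: `Without authentication, restrict 'stats_bind' to a trusted address or protect the port with network policy, since the page reveals backend topology.`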
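Review bot: The closing `<%end -%>` differs from the `<%- end -%>` used two lines earlier; without the leading `-` the indentation before the tag is kept, and the trailing `-%>` then joins that whitespace onto the following line, so the rendered `listen stats` section may pick up stray leading spaces — `<%- end -%>` on both lines keeps the output clean. The guard also only inspects the user: with `stats_user` set and `stats_password: ""`, `stats auth <%= stats_user %>:` still renders a credential with an empty password, which `raise "ha_proxy.stats_password is required when stats_user is set" if p("ha_proxy.stats_password", "").empty?` would catch at render time.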
diff --git a/spec/haproxy/templates/haproxy_config/stats_listener_spec.rb b/spec/haproxy/templates/haproxy_config/stats_listener_spec.rb index 5b67ec36..17cb8859 100644 --- a/spec/haproxy/templates/haproxy_config/stats_listener_spec.rb +++ b/spec/haproxy/templates/haproxy_config/stats_listener_spec.rb @@ -63,5 +63,28 @@ expect(stats_listener).to include('bind 1.2.3.4:5000') end end + + context 'when ha_proxy.stats_user is empty' do + let(:properties) do + default_properties.merge({ 'stats_user' => '' }) + end + + it 'removes stats auth' do + expect(stats_listener).to include('stats enable') + expect(stats_listener).not_to include(a_string_starting_with('stats auth')) + end + end + + context 'when there is no ha_proxy.stats_user key' do + let(:properties) do + default_properties.reject { |key| key == 'stats_user' } + end + + it 'removes stats auth' do + expect(stats_listener).to include('stats enable') + expect(stats_listener).not_to include(a_string_starting_with('stats auth')) + end + end + end end From ef1bd6e891f35b31de371dc7544d60022fd7cadc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Apr 2024 04:19:31 +0000 Subject: [PATCH 05/11] build(deps): bump github.com/onsi/gomega in /acceptance-tests Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.33.0 to 1.33.1. - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.33.0...v1.33.1) --- updated-dependencies: - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- acceptance-tests/go.mod | 2 +- acceptance-tests/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/acceptance-tests/go.mod b/acceptance-tests/go.mod index 995811e3..82f79a85 100644 --- a/acceptance-tests/go.mod 
+++ b/acceptance-tests/go.mod @@ -6,7 +6,7 @@ require ( github.com/bramvdbogaerde/go-scp v1.4.0 github.com/gorilla/websocket v1.5.1 github.com/onsi/ginkgo/v2 v2.17.2 - github.com/onsi/gomega v1.33.0 + github.com/onsi/gomega v1.33.1 golang.org/x/crypto v0.22.0 golang.org/x/net v0.24.0 gopkg.in/yaml.v2 v2.4.0 diff --git a/acceptance-tests/go.sum b/acceptance-tests/go.sum index b2959e78..e6047d97 100644 --- a/acceptance-tests/go.sum +++ b/acceptance-tests/go.sum @@ -13,8 +13,8 @@ github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/ github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY= github.com/onsi/ginkgo/v2 v2.17.2 h1:7eMhcy3GimbsA3hEnVKdw/PQM9XN9krpKVXsZdph0/g= github.com/onsi/ginkgo/v2 v2.17.2/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc= -github.com/onsi/gomega v1.33.0 h1:snPCflnZrpMsy94p4lXVEkHo12lmPnc3vY5XBbreexE= -github.com/onsi/gomega v1.33.0/go.mod h1:+925n5YtiFsLzzafLUHzVMBpvvRAzrydIBiSIxjX3wY= +github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= +github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= From c7dcbf1311feab3b742e579d0ba31ff7bc583bd4 Mon Sep 17 00:00:00 2001 From: Dominik Froehlich Date: Thu, 2 May 2024 15:08:13 +0200 Subject: [PATCH 06/11] fix: typo --- jobs/haproxy/spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jobs/haproxy/spec b/jobs/haproxy/spec index fdd5c65c..b40e0d18 100644 --- a/jobs/haproxy/spec +++ b/jobs/haproxy/spec 
@@ -258,7 +258,7 @@ properties: description: "This enables the preload flag for HSTS" ha_proxy.default_dh_param: default: 2048 - description: "Maximum size of DH params when generating epmehmeral keys during key exchange" + description: "Maximum size of DH params when generating ephemeral keys during key exchange" ha_proxy.ssl_min_ver: example: "TLSv1.2" description: | From e70dbee0e6471ff134fb0aed034c9666395c5279 Mon Sep 17 00:00:00 2001 From: kinjelom Date: Mon, 6 May 2024 08:44:01 +0200 Subject: [PATCH 07/11] jobs/haproxy/spec ha_proxy.pre_start_script.example fix Co-authored-by: Patrick Lowin --- jobs/haproxy/spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/jobs/haproxy/spec b/jobs/haproxy/spec index b40e0d18..36de8542 100644 --- a/jobs/haproxy/spec +++ b/jobs/haproxy/spec @@ -49,12 +49,12 @@ properties: # customize MTU CUST_MTU=((custom_mtu)) INTERFACE=$(ip -4 route get 8.8.8.8 | grep -Po '(?<=dev )\S+') #' - CURR_MTU=$(ip link show $INTERFACE | grep -Po 'mtu \K\d+') + CURR_MTU=$(ip link show "$INTERFACE" | grep -Po 'mtu \K\d+') if [[ $CURR_MTU -ne $CUST_MTU ]]; then - sudo ip link set dev $INTERFACE mtu $CUST_MTU + sudo ip link set dev "$INTERFACE" mtu "$CUST_MTU" echo "MTU changed from $CURR_MTU to $CUST_MTU, interface: $INTERFACE." fi - CURR_MTU=$(ip link show $INTERFACE | grep -Po 'mtu \K\d+') + CURR_MTU=$(ip link show "$INTERFACE" | grep -Po 'mtu \K\d+') echo "MTU: $CURR_MTU, interface: $INTERFACE" ha_proxy.config_mode: description: | From 06ffd07241299190ec14bd61be9893677898afe6 Mon Sep 17 00:00:00 2001 From: kinjelom Date: Mon, 6 May 2024 09:38:37 +0200 Subject: [PATCH 08/11] restoring the ability to use disable_tls_tickets with ssl_min/max_ver --- jobs/haproxy/spec | 8 ++--- jobs/haproxy/templates/haproxy.config.erb | 6 ++-- .../global_and_default_options_spec.rb | 31 ++++++++++++++----- 3 files changed, 30 insertions(+), 15 deletions(-) diff --git a/jobs/haproxy/spec b/jobs/haproxy/spec index 36de8542..4113f266 100644 
--- a/jobs/haproxy/spec +++ b/jobs/haproxy/spec @@ -259,20 +259,20 @@ properties: ha_proxy.default_dh_param: default: 2048 description: "Maximum size of DH params when generating ephemeral keys during key exchange" + ha_proxy.disable_tls_tickets: + default: true + description: "Improve (Perfect) Forward Secrecy by disabling TLS tickets." ha_proxy.ssl_min_ver: example: "TLSv1.2" description: | This option enforces the use of 'version' or higher for SSL connections initiated from this listener. The recommended value is 'TLSv1.2'. It is not the default due to backward compatibility concerns with - the 'disable_tls_*' options. If this option is set, the 'disable_tls_*' options will be ignored. + the 'disable_tls_*' options. If this option is set, the 'disable_tls_1*' options will be ignored. ha_proxy.ssl_max_ver: example: "TLSv1.3" description: | This option enforces the use of 'version' or lower for SSL connections initiated from this listener. It will only be set if 'ssl_min_ver' is specified, as the default HAProxy ssl-min-ver may change in future. - ha_proxy.disable_tls_tickets: - default: true - description: "Improve (Perfect) Forward Secrecy by disabling TLS tickets. Use 'ssl_min_ver' and 'ssl_max_ver' instead." ha_proxy.disable_tls_10: default: false description: "Disable TLS 1.0 in HA Proxy. Use 'ssl_min_ver' and 'ssl_max_ver' instead." diff --git a/jobs/haproxy/templates/haproxy.config.erb b/jobs/haproxy/templates/haproxy.config.erb index 9383bcaf..c81901c7 100644 --- a/jobs/haproxy/templates/haproxy.config.erb +++ b/jobs/haproxy/templates/haproxy.config.erb @@ -64,9 +64,9 @@ if use_disable_ssl if p("ha_proxy.disable_tls_13") ssl_flags = "#{ssl_flags} no-tlsv13" end - if p("ha_proxy.disable_tls_tickets") - ssl_flags = "#{ssl_flags} no-tls-tickets" - end +end +if p("ha_proxy.disable_tls_tickets") + ssl_flags = "#{ssl_flags} no-tls-tickets" end # }}} # TLS Bind Options {{{ 
diff --git a/spec/haproxy/templates/haproxy_config/global_and_default_options_spec.rb b/spec/haproxy/templates/haproxy_config/global_and_default_options_spec.rb index 8dba2eef..a638ee33 100644 --- a/spec/haproxy/templates/haproxy_config/global_and_default_options_spec.rb +++ b/spec/haproxy/templates/haproxy_config/global_and_default_options_spec.rb @@ -132,9 +132,9 @@ } end - it 'enables ssl-min-ver and ignores tls_disable_ properties' do - expect(global).to include('ssl-default-server-options ssl-min-ver TLSv1.2') - expect(global).to include('ssl-default-bind-options ssl-min-ver TLSv1.2') + it 'enables ssl-min-ver and ignores tls_disable_1* properties' do + expect(global).to include('ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets') + expect(global).to include('ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets') end end @@ -150,13 +150,13 @@ } end - it 'ignores ssl-min/max-ver properties, tls_disable_ properties are used' do + it 'ignores ssl-min/max-ver properties, tls_disable_1* properties are used' do expect(global).to include('ssl-default-server-options no-sslv3') expect(global).to include('ssl-default-bind-options no-sslv3') end end - context 'when ha_proxy.ssl_min_ver and ha_proxy.ssl_max_ver are provided' do + context 'when ha_proxy.ssl_min_ver and ha_proxy.ssl_max_ver are provided, disable_tls_tickets=true by default' do let(:properties) do { 'ssl_min_ver' => 'TLSv1.2', 
@@ -164,9 +164,24 @@ } end - it 'enables ssl-min/max-ver and ignores tls_disable_ properties' do - expect(global).to include('ssl-default-server-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3') - expect(global).to include('ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3') + it 'enables ssl-min/max-ver and ignores tls_disable_1* properties' do + expect(global).to include('ssl-default-server-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 no-tls-tickets') + expect(global).to include('ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 no-tls-tickets') + end + end + + context 'when ha_proxy.ssl_min_ver and ha_proxy.ssl_max_ver are provided, disable_tls_tickets=false' do + let(:properties) do + { + 'ssl_min_ver' => 'TLSv1.1', + 'ssl_max_ver' => 'TLSv1.2', + 'disable_tls_tickets' => false + } + end + + it 'enables ssl-min/max-ver and ignores tls_disable_1* properties' do + expect(global).to include('ssl-default-server-options ssl-min-ver TLSv1.1 ssl-max-ver TLSv1.2') + expect(global).to include('ssl-default-bind-options ssl-min-ver TLSv1.1 ssl-max-ver TLSv1.2') end end From f64d206928749edbd8c08b1aee0766d5cd8deecb Mon Sep 17 00:00:00 2001 From: kinjelom Date: Mon, 6 May 2024 12:53:55 +0200 Subject: [PATCH 09/11] fix findings from the linter --- spec/haproxy/templates/haproxy_config/raw_blocks_spec.rb | 1 - spec/haproxy/templates/haproxy_config/stats_listener_spec.rb | 1 - 2 files changed, 2 deletions(-) diff --git a/spec/haproxy/templates/haproxy_config/raw_blocks_spec.rb b/spec/haproxy/templates/haproxy_config/raw_blocks_spec.rb index b927cedd..0d6e97da 100644 --- a/spec/haproxy/templates/haproxy_config/raw_blocks_spec.rb +++ b/spec/haproxy/templates/haproxy_config/raw_blocks_spec.rb @@ -89,5 +89,4 @@ 'unknown raw-test-1', 'unknown raw-test-2']) end end - end diff --git a/spec/haproxy/templates/haproxy_config/stats_listener_spec.rb b/spec/haproxy/templates/haproxy_config/stats_listener_spec.rb index 17cb8859..18caa5fa 100644 
--- a/spec/haproxy/templates/haproxy_config/stats_listener_spec.rb +++ b/spec/haproxy/templates/haproxy_config/stats_listener_spec.rb @@ -85,6 +85,5 @@ expect(stats_listener).not_to include(a_string_starting_with('stats auth')) end end - end end From 5581812d266a567eabe92cf2bd356e573332237a Mon Sep 17 00:00:00 2001 From: kinjelom Date: Mon, 6 May 2024 12:54:23 +0200 Subject: [PATCH 10/11] config_mode better description --- jobs/haproxy/spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jobs/haproxy/spec b/jobs/haproxy/spec index 4113f266..b4291c80 100644 --- a/jobs/haproxy/spec +++ b/jobs/haproxy/spec @@ -58,7 +58,7 @@ properties: echo "MTU: $CURR_MTU, interface: $INTERFACE" ha_proxy.config_mode: description: | - 'auto' - utilizes raw_config if defined; otherwise, it uses traditional configuration mixed with raw_blocks, + 'auto' - utilizes raw_config if defined and mixes it with raw_blocks; otherwise, it uses traditional configuration mixed with raw_blocks 'raw_blocks_only' - uses only raw_blocks, ignoring other configurations. default: auto ha_proxy.nbthread: From 1f980e48bbd307850e059508e0cd3ba78fd3a71f Mon Sep 17 00:00:00 2001 
From: kinjelom Date: Thu, 6 Jun 2024 17:06:57 +0200 Subject: [PATCH 11/11] Support for Customizing the HAProxy Feature Version --- add-blobs.sh | 40 ++++++++ jobs/haproxy/spec | 14 ++- jobs/haproxy/templates/haproxy_wrapper.erb | 8 +- jobs/haproxy/templates/pre-start.erb | 36 ++++--- packages/haproxy-1.8/packaging | 15 +++ packages/{haproxy => haproxy-1.8}/spec | 4 +- packages/haproxy-1.9/packaging | 15 +++ packages/haproxy-1.9/spec | 11 +++ packages/haproxy-2.8/packaging | 15 +++ packages/haproxy-2.8/spec | 11 +++ packages/haproxy-2.9/packaging | 15 +++ packages/haproxy-2.9/spec | 11 +++ packages/haproxy-3.0/packaging | 15 +++ packages/haproxy-3.0/spec | 11 +++ packages/haproxy/packaging | 72 -------------- packages/keepalived/packaging | 7 +- packages/keepalived/spec | 1 + src/meta-info/blobs-versions.env | 42 +++++++++ src/packaging-tools/installation.sh | 105 +++++++++++++++++++++ 19 files changed, 355 insertions(+), 93 deletions(-) create mode 100755 add-blobs.sh create mode 100644 packages/haproxy-1.8/packaging rename packages/{haproxy => haproxy-1.8}/spec (63%) create mode 100644 packages/haproxy-1.9/packaging create mode 100644 packages/haproxy-1.9/spec create mode 100644 packages/haproxy-2.8/packaging create mode 100644 packages/haproxy-2.8/spec create mode 100644 packages/haproxy-2.9/packaging create mode 100644 packages/haproxy-2.9/spec create mode 100644 packages/haproxy-3.0/packaging create mode 100644 packages/haproxy-3.0/spec delete mode 100644 packages/haproxy/packaging create mode 100644 src/meta-info/blobs-versions.env create mode 100644 src/packaging-tools/installation.sh diff --git a/add-blobs.sh b/add-blobs.sh new file mode 100755 index 00000000..9dc78b05 --- /dev/null +++ b/add-blobs.sh 
@@ -0,0 +1,40 @@ +#!/bin/bash + +set -eux + +source ./src/meta-info/blobs-versions.env +BLOBS_TMP_DIR=".blobs" + +mkdir -p "$BLOBS_TMP_DIR" + +function down_add_blob { + BLOBS_GROUP=$1 + FILE=$2 + URL=$3 + if [ ! -f "blobs/${BLOBS_GROUP}/${FILE}" ];then + echo "Downloads resource from the Internet ($URL -> $BLOBS_TMP_DIR/$FILE)" + curl -L "$URL" --output "$BLOBS_TMP_DIR/$FILE" + echo "Adds blob ($BLOBS_TMP_DIR/$FILE -> $BLOBS_GROUP/$FILE), starts tracking blob in config/blobs.yml for inclusion in packages" + bosh add-blob "$BLOBS_TMP_DIR/$FILE" "$BLOBS_GROUP/$FILE" + fi +} + +# down_add_blob "haproxy" "haproxy-${HAPROXY_1_8_VERSION}.tar.gz" "$HAPROXY_1_8_URL" +# down_add_blob "haproxy" "haproxy-${HAPROXY_1_9_VERSION}.tar.gz" "$HAPROXY_1_9_URL" + +down_add_blob "haproxy" "haproxy-${HAPROXY_2_8_VERSION}.tar.gz" "$HAPROXY_2_8_URL" +down_add_blob "haproxy" "haproxy-${HAPROXY_2_9_VERSION}.tar.gz" "$HAPROXY_2_9_URL" + +down_add_blob "haproxy" "haproxy-${HAPROXY_3_0_VERSION}.tar.gz" "$HAPROXY_3_0_URL" + +down_add_blob "haproxy" "hatop-${HATOP_VERSION}" "$HATOP_URL" +down_add_blob "haproxy" "lua-${LUA_VERSION}.tar.gz" "$LUA_URL" +down_add_blob "haproxy" "pcre2-${PCRE2_VERSION}.tar.gz" "$PCRE2_URL" +down_add_blob "haproxy" "socat-${SOCAT_VERSION}.tar.gz" "$SOCAT_URL" +down_add_blob "keepalived" "keepalived-${KEEPALIVED_VERSION}.tar.gz" "$KEEPALIVED_URL" + +echo "Download blobs into blobs/ based on config/blobs.yml" +bosh sync-blobs + +echo "Upload previously added blobs that were not yet uploaded to the blobstore. Updates config/blobs.yml with returned blobstore IDs." +bosh upload-blobs diff --git a/jobs/haproxy/spec b/jobs/haproxy/spec index aa42f004..9cda63e8 100644 --- a/jobs/haproxy/spec +++ b/jobs/haproxy/spec 
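Review bot: `curl -L "$URL" --output "$BLOBS_TMP_DIR/$FILE"` in down_add_blob exits 0 on an HTTP error response, so `set -e` does not catch a 404 or a mirror error page and that body is handed to `bosh add-blob` as if it were the tarball; use `curl -fsSL "$URL" --output "$BLOBS_TMP_DIR/$FILE"` so a failed fetch aborts the run. Nothing in this script compares the download against an expected digest before it becomes a tracked blob, so a tampered or truncated archive from the mirror would enter the release unnoticed and later be compiled into the proxy binary. Recording a per-blob SHA-256 next to each version in blobs-versions.env and checking it here with `echo "${EXPECTED_SHA256}  ${BLOBS_TMP_DIR}/${FILE}" | sha256sum -c -` (EXPECTED_SHA256 standing for the pinned value) before `bosh add-blob` would make the provenance of every source archive verifiable.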
@@ -3,8 +3,14 @@ name: haproxy description: "The HAProxy server can be used to terminate SSL in front of the Routers. Each HAProxy instance should point to multiple Routers." +# LTS - Long Term Support +# STS - Short Term Support packages: -- haproxy +# - haproxy-1.8 # LTS +# - haproxy-1.9 # STS +- haproxy-2.8 # LTS +- haproxy-2.9 # STS +- haproxy-3.0 # LTS - ttar templates: @@ -39,6 +45,12 @@ consumes: optional: true properties: + ha_proxy.haproxy_feature_version: + description: | + You can select an HAProxy feature version by specifying the 'major.minor' version number, one of several HAProxy packages included in this release. + This release has been tested only with the default HAProxy feature version. + Use other version lines with raw configurations at your own risk. + default: '2.8' # LTS ha_proxy.pre_start_script: description: | This script will be appended to the pre-start script and run before the job starts. diff --git a/jobs/haproxy/templates/haproxy_wrapper.erb b/jobs/haproxy/templates/haproxy_wrapper.erb index bb928f1d..12ab8d8f 100755 --- a/jobs/haproxy/templates/haproxy_wrapper.erb +++ b/jobs/haproxy/templates/haproxy_wrapper.erb @@ -1,9 +1,7 @@ -#!/bin/bash -# +#!/bin/bash -e -set -e - -export PATH=$PATH:/var/vcap/packages/haproxy/bin:/var/vcap/packages/ttar/bin +export HAPROXY_FEATURE_VERSION='<%= p("ha_proxy.haproxy_feature_version") -%>' +export PATH="$PATH:/var/vcap/packages/haproxy-$HAPROXY_FEATURE_VERSION/bin:/var/vcap/packages/ttar/bin" CONFIG=/var/vcap/jobs/haproxy/config/haproxy.config PID_FILE=/var/vcap/sys/run/haproxy/haproxy.pid DRAIN_LOCK=/var/vcap/sys/run/haproxy/drain.lock diff --git a/jobs/haproxy/templates/pre-start.erb b/jobs/haproxy/templates/pre-start.erb index b511c8c8..c167909a 100644 --- a/jobs/haproxy/templates/pre-start.erb +++ b/jobs/haproxy/templates/pre-start.erb 
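Review bot: `export HAPROXY_FEATURE_VERSION='<%= p("ha_proxy.haproxy_feature_version") -%>'` interpolates the property into a single-quoted shell string with no validation, so a value that is not one of the packaged `major.minor` versions silently yields a PATH pointing at a nonexistent `/var/vcap/packages/haproxy-*/bin`, and a value containing a quote breaks the generated script. Validating once at render time, e.g. `<% v = p("ha_proxy.haproxy_feature_version").to_s; raise "ha_proxy.haproxy_feature_version must look like 2.8" unless v.match?(/\A\d+\.\d+\z/) %>`, fails the deploy early with a clear message; the same interpolation appears in the pre-start.erb hunk and needs the same guard. Separately, replacing `set -e` with the shebang `#!/bin/bash -e` loses the option whenever the wrapper is invoked as `bash haproxy_wrapper`; keeping `set -e` in the body is the safer form.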
@@ -1,7 +1,29 @@ #!/bin/bash -e +export HAPROXY_FEATURE_VERSION='<%= p("ha_proxy.haproxy_feature_version") -%>' mkdir -p /var/vcap/jobs/haproxy/errorfiles +create_or_update_link() { + local target="$1" + local link="$2" + + if [ -L "$link" ]; then + if [ "$(readlink "$link")" != "$target" ]; then + echo "Updating symbolic link..." + sudo ln -sf "$target" "$link" + fi + else + if [ -e "$link" ]; then + echo "Removing existing file and creating a new symbolic link..." + sudo rm "$link" + else + echo "Creating new symbolic link..." + sudo ln -s "$target" "$link" + fi + fi +} + + <% p('ha_proxy.custom_http_error_files', {}).each do |status_code, http_content| -%> cat > <%= "/var/vcap/jobs/haproxy/errorfiles/custom#{status_code}.http" %> << EOF @@ -9,17 +31,9 @@ cat > <%= "/var/vcap/jobs/haproxy/errorfiles/custom#{status_code}.http" %> << EO EOF <% end -%> -if [ ! -e /usr/bin/python ] && [ -e /usr/bin/python3 ]; then - sudo ln -s /usr/bin/python3 /usr/bin/python -fi - -if [ ! -e /usr/local/bin/hatop ]; then - sudo ln -s /var/vcap/packages/haproxy/hatop-wrapper /usr/local/bin/hatop -fi - -if [ ! -e /usr/local/bin/socat ]; then - sudo ln -s /var/vcap/packages/haproxy/bin/socat /usr/local/bin/socat -fi +create_or_update_link /usr/bin/python3 /usr/bin/python +create_or_update_link "/var/vcap/packages/haproxy-$HAPROXY_FEATURE_VERSION/hatop-wrapper" /usr/local/bin/hatop +create_or_update_link "/var/vcap/packages/haproxy-$HAPROXY_FEATURE_VERSION/bin/socat" /usr/local/bin/socat <%- if_p("ha_proxy.pre_start_script") do |script| -%> # ha_proxy.pre_start_script {{{ diff --git a/packages/haproxy-1.8/packaging b/packages/haproxy-1.8/packaging new file mode 100644 index 00000000..51a7e68f --- /dev/null +++ b/packages/haproxy-1.8/packaging 
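Review bot: create_or_update_link removes an existing non-symlink `$link` but never creates the replacement: the `[ -e "$link" ]` branch runs `sudo rm "$link"` and then falls through with no `ln`, despite its message promising a new symbolic link. Add `sudo ln -s "$target" "$link"` directly after the `rm`, or collapse both inner branches into a single `sudo ln -sfn "$target" "$link"`. Note also the behavioural change versus the removed block: `create_or_update_link /usr/bin/python3 /usr/bin/python` no longer checks that `/usr/bin/python3` exists and will now delete a distro-provided `/usr/bin/python` regular file instead of leaving it alone, so a `[ -e "$target" ] || return 0` guard at the top of the function would restore at least the existence check.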
@@ -0,0 +1,15 @@ +#!/bin/bash +# abort script on failures +set -euxo pipefail + +source meta-info/blobs-versions.env +mkdir "${BOSH_INSTALL_TARGET}/bin" + +source packaging-tools/installation.sh + +install_hatop "$BOSH_INSTALL_TARGET" "$HATOP_VERSION" +install_lua "$BOSH_INSTALL_TARGET" "$LUA_VERSION" +install_pcre2 "$BOSH_INSTALL_TARGET" "$PCRE2_VERSION" +install_socat "$BOSH_INSTALL_TARGET" "$SOCAT_VERSION" + +install_haproxy "$BOSH_INSTALL_TARGET" "$HAPROXY_1_8_VERSION" \ No newline at end of file diff --git a/packages/haproxy/spec b/packages/haproxy-1.8/spec similarity index 63% rename from packages/haproxy/spec rename to packages/haproxy-1.8/spec index 65c27799..c6121cc4 100644 --- a/packages/haproxy/spec +++ b/packages/haproxy-1.8/spec @@ -1,6 +1,8 @@ --- -name: haproxy +name: haproxy-1.8 files: +- meta-info/blobs-versions.env +- packaging-tools/installation.sh - haproxy/haproxy-*.tar.gz - haproxy/pcre2-*.tar.gz - haproxy/socat-*.tar.gz diff --git a/packages/haproxy-1.9/packaging b/packages/haproxy-1.9/packaging new file mode 100644 index 00000000..788728f8 --- /dev/null +++ b/packages/haproxy-1.9/packaging @@ -0,0 +1,15 @@ +#!/bin/bash +# abort script on failures +set -euxo pipefail + +source meta-info/blobs-versions.env +mkdir "${BOSH_INSTALL_TARGET}/bin" + +source packaging-tools/installation.sh + +install_hatop "$BOSH_INSTALL_TARGET" "$HATOP_VERSION" +install_lua "$BOSH_INSTALL_TARGET" "$LUA_VERSION" +install_pcre2 "$BOSH_INSTALL_TARGET" "$PCRE2_VERSION" +install_socat "$BOSH_INSTALL_TARGET" "$SOCAT_VERSION" + +install_haproxy "$BOSH_INSTALL_TARGET" "$HAPROXY_1_9_VERSION" \ No newline at end of file diff --git a/packages/haproxy-1.9/spec b/packages/haproxy-1.9/spec new file mode 100644 index 00000000..ffa0e099 --- /dev/null +++ b/packages/haproxy-1.9/spec 
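Review bot: `haproxy/haproxy-*.tar.gz` in the renamed packages/haproxy-1.8/spec now matches every HAProxy tarball tracked in config/blobs.yml, so each versioned package carries all source archives while `install_haproxy` only consumes the one matching `HAPROXY_1_8_VERSION`; the same glob is repeated in the new 1.9, 2.8, 2.9 and 3.0 specs. Narrowing each spec to its own line, `- haproxy/haproxy-1.8.*.tar.gz`, keeps package contents and compile-time inputs in one-to-one correspondence. Since add-blobs.sh has the 1.8 and 1.9 downloads commented out, these two packages would presumably fail at `tar xf` in install_haproxy unless those blobs are added by other means; if only 2.8 to 3.0 are meant to ship (as the job spec's package list suggests), dropping the 1.8 and 1.9 packaging rather than compiling 2020-era sources (1.9.16 is dated 31-Jul-2020 in blobs-versions.env) into every release seems cleaner.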
@@ -0,0 +1,11 @@
+---
+name: haproxy-1.9
+files:
+- meta-info/blobs-versions.env
+- packaging-tools/installation.sh
+- haproxy/haproxy-*.tar.gz
+- haproxy/pcre2-*.tar.gz
+- haproxy/socat-*.tar.gz
+- haproxy/lua-*.tar.gz
+- haproxy/hatop-*
+- hatop-wrapper
diff --git a/packages/haproxy-2.8/packaging b/packages/haproxy-2.8/packaging
new file mode 100644
index 00000000..8641ae52
--- /dev/null
+++ b/packages/haproxy-2.8/packaging
@@ -0,0 +1,15 @@
+#!/bin/bash
+# abort script on failures
+set -euxo pipefail
+
+source meta-info/blobs-versions.env
+mkdir "${BOSH_INSTALL_TARGET}/bin"
+
+source packaging-tools/installation.sh
+
+install_hatop "$BOSH_INSTALL_TARGET" "$HATOP_VERSION"
+install_lua "$BOSH_INSTALL_TARGET" "$LUA_VERSION"
+install_pcre2 "$BOSH_INSTALL_TARGET" "$PCRE2_VERSION"
+install_socat "$BOSH_INSTALL_TARGET" "$SOCAT_VERSION"
+
+install_haproxy "$BOSH_INSTALL_TARGET" "$HAPROXY_2_8_VERSION"
\ No newline at end of file
diff --git a/packages/haproxy-2.8/spec b/packages/haproxy-2.8/spec
new file mode 100644
index 00000000..cbbd87b7
--- /dev/null
+++ b/packages/haproxy-2.8/spec
@@ -0,0 +1,11 @@
+---
+name: haproxy-2.8
+files:
+- meta-info/blobs-versions.env
+- packaging-tools/installation.sh
+- haproxy/haproxy-*.tar.gz
+- haproxy/pcre2-*.tar.gz
+- haproxy/socat-*.tar.gz
+- haproxy/lua-*.tar.gz
+- haproxy/hatop-*
+- hatop-wrapper
diff --git a/packages/haproxy-2.9/packaging b/packages/haproxy-2.9/packaging
new file mode 100644
index 00000000..4922639f
--- /dev/null
+++ b/packages/haproxy-2.9/packaging
@@ -0,0 +1,15 @@
+#!/bin/bash
+# abort script on failures
+set -euxo pipefail
+
+source meta-info/blobs-versions.env
+mkdir "${BOSH_INSTALL_TARGET}/bin"
+
+source packaging-tools/installation.sh
+
+install_hatop "$BOSH_INSTALL_TARGET" "$HATOP_VERSION"
+install_lua "$BOSH_INSTALL_TARGET" "$LUA_VERSION"
+install_pcre2 "$BOSH_INSTALL_TARGET" "$PCRE2_VERSION"
+install_socat "$BOSH_INSTALL_TARGET" "$SOCAT_VERSION"
+
+install_haproxy "$BOSH_INSTALL_TARGET" "$HAPROXY_2_9_VERSION"
\ No newline at end of file
diff --git a/packages/haproxy-2.9/spec b/packages/haproxy-2.9/spec
new file mode 100644
index 00000000..9a319d69
--- /dev/null
+++ b/packages/haproxy-2.9/spec
@@ -0,0 +1,11 @@
+---
+name: haproxy-2.9
+files:
+- meta-info/blobs-versions.env
+- packaging-tools/installation.sh
+- haproxy/haproxy-*.tar.gz
+- haproxy/pcre2-*.tar.gz
+- haproxy/socat-*.tar.gz
+- haproxy/lua-*.tar.gz
+- haproxy/hatop-*
+- hatop-wrapper
diff --git a/packages/haproxy-3.0/packaging b/packages/haproxy-3.0/packaging
new file mode 100644
index 00000000..6dcdc106
--- /dev/null
+++ b/packages/haproxy-3.0/packaging
@@ -0,0 +1,15 @@
+#!/bin/bash
+# abort script on failures
+set -euxo pipefail
+
+source meta-info/blobs-versions.env
+mkdir "${BOSH_INSTALL_TARGET}/bin"
+
+source packaging-tools/installation.sh
+
+install_hatop "$BOSH_INSTALL_TARGET" "$HATOP_VERSION"
+install_lua "$BOSH_INSTALL_TARGET" "$LUA_VERSION"
+install_pcre2 "$BOSH_INSTALL_TARGET" "$PCRE2_VERSION"
+install_socat "$BOSH_INSTALL_TARGET" "$SOCAT_VERSION"
+
+install_haproxy "$BOSH_INSTALL_TARGET" "$HAPROXY_3_0_VERSION"
\ No newline at end of file
diff --git a/packages/haproxy-3.0/spec b/packages/haproxy-3.0/spec
new file mode 100644
index 00000000..3124c951
--- /dev/null
+++ b/packages/haproxy-3.0/spec
@@ -0,0 +1,11 @@
+---
+name: haproxy-3.0
+files:
+- meta-info/blobs-versions.env
+- packaging-tools/installation.sh
+- haproxy/haproxy-*.tar.gz
+- haproxy/pcre2-*.tar.gz
+- haproxy/socat-*.tar.gz
+- haproxy/lua-*.tar.gz
+- haproxy/hatop-*
+- hatop-wrapper
diff --git a/packages/haproxy/packaging b/packages/haproxy/packaging
deleted file mode 100644
index d12037cd..00000000
--- a/packages/haproxy/packaging
+++ /dev/null
@@ -1,72 +0,0 @@ -# abort script on failures -set -euxo pipefail - - -LUA_VERSION=5.4.6 # https://www.lua.org/ftp/lua-5.4.6.tar.gz - -PCRE_VERSION=10.43 # https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.43/pcre2-10.43.tar.gz - -SOCAT_VERSION=1.7.4.4 # http://www.dest-unreach.org/socat/download/socat-1.7.4.4.tar.gz - -HAPROXY_VERSION=2.8.9 # https://www.haproxy.org/download/2.8/src/haproxy-2.8.9.tar.gz - -HATOP_VERSION=0.8.2 # https://github.com/jhunt/hatop/releases/download/v0.8.2/hatop - -mkdir ${BOSH_INSTALL_TARGET}/bin - -echo "Extracting lua..." -tar xzf haproxy/lua-${LUA_VERSION}.tar.gz -pushd lua-${LUA_VERSION} - make linux install INSTALL_TOP=${BOSH_INSTALL_TARGET} -popd - -echo "Extracting pcre..." -tar xzf haproxy/pcre2-${PCRE_VERSION}.tar.gz -pushd pcre2-${PCRE_VERSION} - ./configure \ - --enable-jit \ - --prefix ${BOSH_INSTALL_TARGET} - make - make install -popd - -echo "Installing socat..." -tar xzf haproxy/socat-${SOCAT_VERSION}.tar.gz -pushd socat-${SOCAT_VERSION} - ./configure - make - cp socat ${BOSH_INSTALL_TARGET}/bin - chmod 755 ${BOSH_INSTALL_TARGET}/bin/socat -popd - -echo "Unpacking HAproxy..." -tar xf haproxy/haproxy-${HAPROXY_VERSION}.tar.gz -pushd haproxy-${HAPROXY_VERSION} - if [ -f ../haproxy/patches.tar.gz ]; then - mkdir -p ${BOSH_INSTALL_TARGET}/applied-patches - tar xf ../haproxy/patches.tar.gz - - for patchfile in haproxy-patches/*.patch; do - echo "Applying patch file ${patchfile}" - - # Conservatively limit patch fuzz factor to 0 to reduce chance of faulty patch - patch -F 0 -p0 < ${patchfile} - - # Save patches in install target for inspection later - cp ${patchfile} ${BOSH_INSTALL_TARGET}/applied-patches - done - - rm -r haproxy-patches - fi - - echo "Installing HAproxy..." 
- make TARGET=linux-glibc USE_PROMEX=1 USE_OPENSSL=1 USE_PCRE2=1 USE_PCRE2_JIT=yes USE_STATIC_PCRE2=1 USE_ZLIB=1 PCRE2DIR=${BOSH_INSTALL_TARGET} USE_LUA=1 LUA_LIB=${BOSH_INSTALL_TARGET}/lib LUA_INC=${BOSH_INSTALL_TARGET}/include - cp haproxy ${BOSH_INSTALL_TARGET}/bin/ - chmod 755 ${BOSH_INSTALL_TARGET}/bin/haproxy -popd - -echo "Installing hatop..." -cp haproxy/hatop-${HATOP_VERSION} ${BOSH_INSTALL_TARGET}/bin/hatop -chmod 755 ${BOSH_INSTALL_TARGET}/bin/hatop -cp hatop-wrapper ${BOSH_INSTALL_TARGET}/ -chmod 755 ${BOSH_INSTALL_TARGET}/hatop-wrapper diff --git a/packages/keepalived/packaging b/packages/keepalived/packaging index 53d71b64..9cedd577 100644 --- a/packages/keepalived/packaging +++ b/packages/keepalived/packaging @@ -1,13 +1,14 @@ # abort script on any command that exits with a non zero value set -e -x +source meta-info/blobs-versions.env + # Copy common utils mkdir -p ${BOSH_INSTALL_TARGET}/common cp -a ${BOSH_COMPILE_TARGET}/common/* ${BOSH_INSTALL_TARGET}/common -KEEPALIVED_VERSION=2.2.8 # https://keepalived.org/software/keepalived-2.2.8.tar.gz -tar xzvf keepalived/keepalived-${KEEPALIVED_VERSION}.tar.gz -cd keepalived-${KEEPALIVED_VERSION}/ +tar xzvf keepalived/keepalived-${KEEPALIVED_VER}.tar.gz +cd keepalived-${KEEPALIVED_VER}/ #compile keepalive ./configure --prefix=${BOSH_INSTALL_TARGET} diff --git a/packages/keepalived/spec b/packages/keepalived/spec index 7552ca44..87b3c4ab 100644 --- a/packages/keepalived/spec +++ b/packages/keepalived/spec @@ -4,5 +4,6 @@ name: keepalived dependencies: [] files: +- meta-info/blobs-versions.env - common/utils.sh - keepalived/keepalived-*.tar.gz diff --git a/src/meta-info/blobs-versions.env b/src/meta-info/blobs-versions.env new file mode 100644 index 00000000..7b4f851a --- /dev/null +++ b/src/meta-info/blobs-versions.env 
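Review bot: `tar xzvf keepalived/keepalived-${KEEPALIVED_VER}.tar.gz` and `cd keepalived-${KEEPALIVED_VER}/` reference `KEEPALIVED_VER`, but the sourced meta-info/blobs-versions.env defines `KEEPALIVED_VERSION`; with `set -e -x` and no `-u` the name expands to empty and the compile fails on `keepalived-.tar.gz`. Change both lines to `${KEEPALIVED_VERSION}` and consider `set -eu` so an unset variable fails at the reference instead of in a later command. The rest of the keepalived build continues outside the hunk.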
@@ -0,0 +1,42 @@
+# http://www.haproxy.org/download/
+
+# haproxy-1.8.31.tar.gz 09-Dec-2022 15:44
+HAPROXY_1_8_VERSION="1.8.31"
+HAPROXY_1_8_URL="http://www.haproxy.org/download/1.8/src/haproxy-${HAPROXY_1_8_VERSION}.tar.gz"
+
+# haproxy-1.9.16.tar.gz 31-Jul-2020 12:07
+HAPROXY_1_9_VERSION="1.9.16"
+HAPROXY_1_9_URL="http://www.haproxy.org/download/1.9/src/haproxy-${HAPROXY_1_9_VERSION}.tar.gz"
+
+# haproxy-2.8.9.tar.gz 05-Apr-2024 18:54
+HAPROXY_2_8_VERSION="2.8.9"
+HAPROXY_2_8_URL="http://www.haproxy.org/download/2.8/src/haproxy-${HAPROXY_2_8_VERSION}.tar.gz"
+
+# haproxy-2.9.7.tar.gz 05-Apr-2024 18:23
+HAPROXY_2_9_VERSION="2.9.7"
+HAPROXY_2_9_URL="http://www.haproxy.org/download/2.9/src/haproxy-${HAPROXY_2_9_VERSION}.tar.gz"
+
+# haproxy-3.0.0.tar.gz 29-May-2024 13:11
+HAPROXY_3_0_VERSION="3.0.0"
+HAPROXY_3_0_URL="http://www.haproxy.org/download/3.0/src/haproxy-${HAPROXY_3_0_VERSION}.tar.gz"
+
+
+# https://github.com/jhunt/hatop/releases
+HATOP_VERSION="0.8.2"
+HATOP_URL="https://github.com/jhunt/hatop/releases/download/v${HATOP_VERSION}/hatop"
+
+# https://www.lua.org/ftp/
+LUA_VERSION="5.4.6"
+LUA_URL="https://www.lua.org/ftp/lua-${LUA_VERSION}.tar.gz"
+
+# https://github.com/PCRE2Project/pcre2/releases
+PCRE2_VERSION="10.43"
+PCRE2_URL="https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${PCRE2_VERSION}/pcre2-${PCRE2_VERSION}.tar.gz"
+
+# http://www.dest-unreach.org/socat/download/
+SOCAT_VERSION="1.8.0.0"
+SOCAT_URL="http://www.dest-unreach.org/socat/download/socat-${SOCAT_VERSION}.tar.gz"
+
+# https://keepalived.org/download.html
+KEEPALIVED_VERSION="2.3.1"
+KEEPALIVED_URL="https://keepalived.org/software/keepalived-${KEEPALIVED_VERSION}.tar.gz"
\ No newline at end of file
diff --git a/src/packaging-tools/installation.sh b/src/packaging-tools/installation.sh
new file mode 100644
index 00000000..1dc934ef
--- /dev/null
+++ b/src/packaging-tools/installation.sh
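Review bot: Every `HAPROXY_*_URL` and `SOCAT_URL` points at a plain `http://` location, so the fetch in add-blobs.sh has no transport integrity or server authentication for the sources that are compiled into the TLS-terminating binary, while hatop, lua, pcre2 and keepalived in the same file already use `https://`. haproxy.org serves the same download paths over TLS, so `HAPROXY_2_8_URL="https://www.haproxy.org/download/2.8/src/haproxy-${HAPROXY_2_8_VERSION}.tar.gz"` (and likewise for the other four lines) is a drop-in change; the socat mirror should be switched too if it offers TLS. The file also lacks a trailing newline, which the diff flags.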
@@ -0,0 +1,105 @@ +# Usage of the functions +# install_ "${VERSION}" "$BOSH_INSTALL_TARGET" + +function install_hatop { + local INSTALL_TARGET=$1 + local PACKAGE_VERSION=$2 + + echo "Installing hatop ${PACKAGE_VERSION}..." + cp "haproxy/hatop-${PACKAGE_VERSION}" "${INSTALL_TARGET}/bin/hatop" + chmod 755 "${INSTALL_TARGET}/bin/hatop" + cp hatop-wrapper "${INSTALL_TARGET}/" + chmod 755 "${INSTALL_TARGET}/hatop-wrapper" +} + +function install_lua { + local INSTALL_TARGET=$1 + local PACKAGE_VERSION=$2 + + echo "Extracting lua ${PACKAGE_VERSION}..." + tar xzf "haproxy/lua-${PACKAGE_VERSION}.tar.gz" + local PACKAGE_DIR="lua-${PACKAGE_VERSION}" + echo "Building ${PACKAGE_VERSION}..." + pushd "${PACKAGE_DIR}" || { echo "Error: can't pushd to '${PACKAGE_DIR}'."; return 1; } + make linux install INSTALL_TOP="${INSTALL_TARGET}" + popd || { echo "Error: can't popd from '${PACKAGE_DIR}'."; return 1; } +} + +function install_pcre2 { + local INSTALL_TARGET=$1 + local PACKAGE_VERSION=$2 + + echo "Extracting pcre2 ${PACKAGE_VERSION}..." + tar xzf "haproxy/pcre2-${PACKAGE_VERSION}.tar.gz" + local PACKAGE_DIR="pcre2-${PACKAGE_VERSION}" + echo "Building ${PACKAGE_VERSION}..." + pushd "${PACKAGE_DIR}" || { echo "Error: can't pushd to '${PACKAGE_DIR}'."; return 1; } + ./configure \ + --enable-jit \ + --prefix "${INSTALL_TARGET}" + make + make install + popd || { echo "Error: can't popd from '${PACKAGE_DIR}'."; return 1; } +} + +function install_socat { + local INSTALL_TARGET=$1 + local PACKAGE_VERSION=$2 + + echo "Extracting socat ${PACKAGE_VERSION}..." + tar xzf "haproxy/socat-${PACKAGE_VERSION}.tar.gz" + local PACKAGE_DIR="socat-${PACKAGE_VERSION}" + echo "Building ${PACKAGE_VERSION}..." 
+ pushd "${PACKAGE_DIR}" || { echo "Error: can't pushd to '${PACKAGE_DIR}'."; return 1; } + ./configure + make + cp socat "${INSTALL_TARGET}/bin" + chmod 755 "${INSTALL_TARGET}/bin/socat" + popd || { echo "Error: can't popd from '${PACKAGE_DIR}'."; return 1; } +} + +function install_haproxy { + local INSTALL_TARGET=$1 + local PACKAGE_VERSION=$2 + + echo "Extracting HAproxy (version ${PACKAGE_VERSION})..." + tar xf "haproxy/haproxy-${PACKAGE_VERSION}.tar.gz" + local PACKAGE_DIR="haproxy-${PACKAGE_VERSION}" + pushd "${PACKAGE_DIR}" || { echo "Error: can't pushd to '${PACKAGE_DIR}'."; return 1; } + if [ -f ../haproxy/patches.tar.gz ]; then + echo "Patching ${PACKAGE_VERSION}..." + mkdir -p "${INSTALL_TARGET}/applied-patches" + tar xf "../haproxy/patches.tar.gz" + for patchfile in haproxy-patches/*.patch; do + echo "Applying patch file ${patchfile}" + # Conservatively limit patch fuzz factor to 0 to reduce chance of faulty patch + patch -F 0 -p0 < "${patchfile}" + # Save patches in install target for inspection later + cp "${patchfile}" "${INSTALL_TARGET}/applied-patches" + done + rm -r haproxy-patches + fi + echo "Building ${PACKAGE_VERSION}..." + local makeArgs=( + TARGET=linux-glibc + USE_OPENSSL=1 + USE_PCRE2=1 + USE_PCRE2_JIT=yes + USE_STATIC_PCRE2=1 + USE_ZLIB=1 + PCRE2DIR="${INSTALL_TARGET}" + USE_LUA=1 + LUA_LIB="${INSTALL_TARGET}/lib" + LUA_INC="${INSTALL_TARGET}/include" + ) + local COMPILATION_FLAGS="" + if [[ "$PACKAGE_VERSION" == 1.* ]]; then + COMPILATION_FLAGS="-Wno-deprecated-declarations" + else + makeArgs+=( USE_PROMEX=1 ) + fi + CFLAGS="$COMPILATION_FLAGS" make "${makeArgs[@]}" + cp haproxy "${INSTALL_TARGET}/bin/" + chmod 755 "${INSTALL_TARGET}/bin/haproxy" + popd || { echo "Error: can't popd from '${PACKAGE_DIR}'."; return 1; } +}
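Review bot: The usage comment at the top of installation.sh, `# install_ "${VERSION}" "$BOSH_INSTALL_TARGET"`, gives the arguments in the opposite order to every function below it (each reads `INSTALL_TARGET=$1` then `PACKAGE_VERSION=$2`) and leaves the function name unfinished, so a caller following it would pass the version string as the install prefix. Replace it with `# Usage: install_<component> "$BOSH_INSTALL_TARGET" "$<COMPONENT>_VERSION"` followed by one concrete example, `# install_haproxy "$BOSH_INSTALL_TARGET" "$HAPROXY_2_8_VERSION"`. The progress lines `echo "Building ${PACKAGE_VERSION}..."` in install_lua, install_pcre2, install_socat and install_haproxy omit the component, so a compile log shows only `Building 5.4.6...`; naming it as the extraction messages already do, e.g. `echo "Building lua ${PACKAGE_VERSION}..."`, keeps log lines attributable when several components are built in one package.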