FEATURE/MINOR: cluster: allow defining path to store certificates

cli argument for passing directory to
store certificates is 'cluster-tls-dir'

Author: oktalz

cmd/dataplaneapi/main.go

@@ -18,6 +18,7 @@ package main
 import (
 	"fmt"
 	"os"
+	"path"
 
 	log "github.com/sirupsen/logrus"
 
@@ -125,10 +126,10 @@ func startServer(cfg *configuration.Configuration) (reload configuration.AtomicB
 	log.Infof("Build date: %s", BuildTime)
 
 	if cfg.Mode.Load() == "cluster" {
-		if cfg.Cluster.CertFetched.Load() {
+		if cfg.Cluster.Certificate.Fetched.Load() {
 			log.Info("HAProxy Data Plane API in cluster mode")
-			server.TLSCertificate = flags.Filename(cfg.Cluster.CertificatePath.Load())
-			server.TLSCertificateKey = flags.Filename(cfg.Cluster.CertificateKeyPath.Load())
+			server.TLSCertificate = flags.Filename(path.Join(cfg.GetClusterCertDir(), fmt.Sprintf("dataplane-%s.crt", cfg.Name.Load())))
+			server.TLSCertificateKey = flags.Filename(path.Join(cfg.GetClusterCertDir(), fmt.Sprintf("dataplane-%s.key", cfg.Name.Load())))
 			server.EnabledListeners = []string{"https"}
 			if server.TLSPort == 0 {
 				server.TLSPort = server.Port

configuration/cluster_sync.go

@@ -28,9 +28,11 @@ import (
 	"fmt"
 	"io/ioutil"
 	"net/http"
+	"path"
 	"strings"
 	"time"
 
+	"github.com/google/renameio"
 	client_native "github.com/haproxytech/client-native/v2"
 	"github.com/haproxytech/config-parser/v2/types"
 	"github.com/haproxytech/dataplaneapi/haproxy"
@@ -75,7 +77,7 @@ func (c *ClusterSync) Monitor(cfg *Configuration, cli *client_native.HAProxyClie
 	go c.fetchCert()
 
 	key := c.cfg.BootstrapKey.Load()
-	certFetched := cfg.Cluster.CertFetched.Load()
+	certFetched := cfg.Cluster.Certificate.Fetched.Load()
 
 	if key != "" && !certFetched {
 		c.cfg.Notify.BootstrapKeyChanged.Notify()
@@ -99,7 +101,7 @@ func (c *ClusterSync) monitorCertificateRefresh() {
 			log.Warning(err)
 			continue
 		}
-		err = ioutil.WriteFile(c.cfg.Cluster.CertificateCSR.Load(), []byte(csr), 0644)
+		err = renameio.WriteFile(path.Join(c.cfg.GetClusterCertDir(), fmt.Sprintf("dataplane-%s-csr.crt", c.cfg.Name.Load())), []byte(csr), 0644)
 		if err != nil {
 			log.Warning(err)
 			continue
@@ -154,12 +156,12 @@ func (c *ClusterSync) issueRefreshRequest(url, port, basePath string, nodesPath
 		return err
 	}
 	log.Infof("Cluster re joined, status: %s", responseData.Status)
-	err = ioutil.WriteFile(c.cfg.Cluster.CertificatePath.Load(), []byte(responseData.Certificate), 0644)
+	err = renameio.WriteFile(path.Join(c.cfg.GetClusterCertDir(), fmt.Sprintf("dataplane-%s.crt", c.cfg.Name.Load())), []byte(csr), 0644)
 	if err != nil {
 		log.Warning(err)
 		return err
 	}
-	err = ioutil.WriteFile(c.cfg.Cluster.CertificateKeyPath.Load(), []byte(key), 0644)
+	err = renameio.WriteFile(path.Join(c.cfg.GetClusterCertDir(), fmt.Sprintf("dataplane-%s.key", c.cfg.Name.Load())), []byte(key), 0644)
 	if err != nil {
 		log.Warning(err)
 		return err
@@ -177,7 +179,7 @@ func (c *ClusterSync) issueRefreshRequest(url, port, basePath string, nodesPath
 func (c *ClusterSync) monitorBootstrapKey() {
 	for range c.cfg.Notify.BootstrapKeyChanged.Subscribe("monitorBootstrapKey") {
 		key := c.cfg.BootstrapKey.Load()
-		c.cfg.Cluster.CertFetched.Store(false)
+		c.cfg.Cluster.Certificate.Fetched.Store(false)
 		if key == "" {
 			//do we need to delete cert here maybe?
 			c.cfg.Cluster.ActiveBootstrapKey.Store("")
@@ -188,7 +190,7 @@ func (c *ClusterSync) monitorBootstrapKey() {
 			continue
 		}
 		if key == c.cfg.Cluster.ActiveBootstrapKey.Load() {
-			fetched := c.cfg.Cluster.CertFetched.Load()
+			fetched := c.cfg.Cluster.Certificate.Fetched.Load()
 			if !fetched {
 				c.certFetch <- struct{}{}
 			}
@@ -215,12 +217,12 @@ func (c *ClusterSync) monitorBootstrapKey() {
 			log.Warning(err)
 			continue
 		}
-		err = ioutil.WriteFile(c.cfg.Cluster.CertificateKeyPath.Load(), []byte(key), 0644)
+		err = renameio.WriteFile(path.Join(c.cfg.GetClusterCertDir(), fmt.Sprintf("dataplane-%s.key", c.cfg.Name.Load())), []byte(key), 0644)
 		if err != nil {
 			log.Warning(err)
 			continue
 		}
-		err = ioutil.WriteFile(c.cfg.Cluster.CertificateCSR.Load(), []byte(csr), 0644)
+		err = renameio.WriteFile(path.Join(c.cfg.GetClusterCertDir(), fmt.Sprintf("dataplane-%s-csr.crt", c.cfg.Name.Load())), []byte(csr), 0644)
 		if err != nil {
 			log.Warning(err)
 			continue
@@ -388,12 +390,12 @@ func (c *ClusterSync) checkCertificate(node Node) (fetched bool, err error) {
 		c.cfg.Status.Store("unconfigured")
 		return false, nil
 	}
-	err = ioutil.WriteFile(c.cfg.Cluster.CertificatePath.Load(), []byte(node.Certificate), 0644)
+	err = renameio.WriteFile(path.Join(c.cfg.GetClusterCertDir(), fmt.Sprintf("dataplane-%s.crt", c.cfg.Name.Load())), []byte(node.Certificate), 0644)
 	if err != nil {
 		c.cfg.Status.Store("unconfigured")
 		return false, err
 	}
-	c.cfg.Cluster.CertFetched.Store(true)
+	c.cfg.Cluster.Certificate.Fetched.Store(true)
 	c.cfg.Notify.Reload.Notify()
 	c.cfg.Status.Store("active")
 	return true, nil
@@ -414,7 +416,7 @@ func (c *ClusterSync) fetchCert() {
 			continue
 		}
 		//if not, sleep and start all over again
-		certFetched := c.cfg.Cluster.CertFetched.Load()
+		certFetched := c.cfg.Cluster.Certificate.Fetched.Load()
 		if !certFetched {
 			url := c.cfg.Cluster.URL.Load()
 			port := c.cfg.Cluster.Port.Load()

configuration/configuration.go

@@ -18,10 +18,12 @@ package configuration
 import (
 	"encoding/json"
 	"io/ioutil"
+	"path/filepath"
 
 	"math/rand"
 	"time"
 
+	"github.com/google/renameio"
 	log "github.com/sirupsen/logrus"
 
 	petname "github.com/dustinkirkland/golang-petname"
@@ -48,6 +50,7 @@ type HAProxyConfiguration struct {
 	MapsDir              string `short:"p" long:"maps-dir" description:"Path to maps directory. If set, it reads from specified dir, otherwise it reads from config file"`
 	UpdateMapFiles       bool   `long:"update-map-files" description:"Flag used for syncing map files with runtime maps values"`
 	UpdateMapFilesPeriod int64  `long:"update-map-files-period" description:"Elapsed time in seconds between two maps syncing operations" default:"10"`
+	ClusterTLSCertDir    string `long:"cluster-tls-dir" description:"Path where cluster tls certificates will be stored. Defaults to same directory as dataplane configuration file"`
 }
 
 type APIConfiguration struct {
@@ -70,13 +73,14 @@ type ClusterConfiguration struct {
 	Port               AtomicString `yaml:"port"`
 	APIBasePath        AtomicString `yaml:"api_base_path"`
 	APINodesPath       AtomicString `yaml:"api_nodes_path"`
-	CertificatePath    AtomicString `yaml:"tls_certificate"`
-	CertificateKeyPath AtomicString `yaml:"tls_key"`
-	CertificateCSR     AtomicString `yaml:"tls_csr"`
-	CertFetched        AtomicBool   `yaml:"cert_fetched"`
+	Certificate        ClusterTLS   `yaml:"certificates"`
 	Name               AtomicString `yaml:"name"`
 	Description        AtomicString `yaml:"description"`
 }
+type ClusterTLS struct {
+	Dir     AtomicString `yaml:"path"`
+	Fetched AtomicBool   `yaml:"fetched"`
+}
 
 func (c *ClusterConfiguration) Clear() {
 	c.ID.Store("")
@@ -85,7 +89,7 @@ func (c *ClusterConfiguration) Clear() {
 	c.Port.Store("")
 	c.APIBasePath.Store("")
 	c.APINodesPath.Store("")
-	c.CertFetched.Store(false)
+	c.Certificate.Fetched.Store(false)
 	c.Name.Store("")
 	c.Description.Store("")
 }
@@ -177,15 +181,6 @@ func (c *Configuration) Load(swaggerJSON json.RawMessage, host string, port int)
 	if c.Mode.Load() == "" {
 		c.Mode.Store("single")
 	}
-	if c.Cluster.CertificatePath.Load() == "" {
-		c.Cluster.CertificatePath.Store("tls.crt")
-	}
-	if c.Cluster.CertificateKeyPath.Load() == "" {
-		c.Cluster.CertificateKeyPath.Store("tls.key")
-	}
-	if c.Cluster.CertificateCSR.Load() == "" {
-		c.Cluster.CertificateCSR.Store("csr.crt")
-	}
 
 	if c.Name.Load() == "" {
 		rand.Seed(time.Now().UnixNano())
@@ -205,9 +200,22 @@ func (c *Configuration) Save() error {
 		log.Fatalf("error: %v", err)
 	}
 
-	err = ioutil.WriteFile(c.HAProxy.DataplaneConfig, data, 0644)
+	err = renameio.WriteFile(c.HAProxy.DataplaneConfig, data, 0644)
 	if err != nil {
 		return err
 	}
 	return nil
 }
+
+func (c *Configuration) GetClusterCertDir() string {
+	dir := c.Cluster.Certificate.Dir.Load()
+	if dir == "" {
+		dir = c.HAProxy.ClusterTLSCertDir
+	}
+	if dir == "" {
+		// use same dir as dataplane config file
+		url := c.HAProxy.DataplaneConfig
+		dir = filepath.Dir(url)
+	}
+	return dir
+}