MINOR: add pebble supervisor

Author: ivanmatmati

Makefile

@@ -49,6 +49,10 @@ example-remove:
 build:
 	docker build -t haproxytech/kubernetes-ingress --build-arg TARGETPLATFORM=$(TARGETPLATFORM) -f build/Dockerfile .
 
+.PHONY: build-pebble
+build-pebble:
+	docker build -t haproxytech/kubernetes-ingress --build-arg TARGETPLATFORM=$(TARGETPLATFORM) -f build/Dockerfile.pebble .
+
 .PHONY: publish
 publish:
 	goreleaser release --rm-dist

build/Dockerfile

@@ -68,7 +68,8 @@ RUN apk --no-cache add socat openssl util-linux htop tzdata curl libcap && \
     chown haproxy:haproxy /var/run/s6 && \
     chmod ug+rwx /var/run/s6 && \
     sed -i 's/ root / haproxy /g' /etc/s6/init/init-stage2-fixattrs.txt && \
-    chmod ugo+x /etc/services.d/*/run /etc/cont-init.d/*
+    chmod ugo+x /etc/services.d/*/run /etc/cont-init.d/* && \
+    rm -rf /var/lib/pebble
 
 COPY --from=builder /src/fs/haproxy-ingress-controller .
 

build/Dockerfile.pebble

@@ -0,0 +1,62 @@
+# Copyright 2019 HAProxy Technologies LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM golang:1.20-alpine AS builder
+
+RUN apk --no-cache add git openssh
+
+COPY /go.mod /src/go.mod
+COPY /go.sum /src/go.sum
+RUN cd /src && go mod download
+
+COPY / /src
+
+RUN go install github.com/canonical/pebble/cmd/[email protected]
+
+RUN mkdir -p /var/run/vars && \
+    cd /src && \
+    git config --get remote.origin.url > /var/run/vars/GIT_REPO && \
+    git rev-parse --short HEAD > /var/run/vars/GIT_HEAD_COMMIT && \
+    git log -1 --date=format:"%Y/%m/%d %T" --format="%ad" > /var/run/vars/GIT_DATE_LAST_COMMIT && \
+    git describe --abbrev=0 --tags > /var/run/vars/GIT_LAST_TAG && \
+    git rev-parse --short $(cat /var/run/vars/GIT_LAST_TAG) > /var/run/vars/GIT_TAG_COMMIT && \
+    git diff $(cat /var/run/vars/GIT_HEAD_COMMIT) $(cat /var/run/vars/GIT_TAG_COMMIT) --quiet > /var/run/vars/GIT_MODIFIED1 || echo '.dev' > /var/run/vars/GIT_MODIFIED1 && \
+    git diff --quiet > /var/run/vars/GIT_MODIFIED2 || echo '.dirty' > /var/run/vars/GIT_MODIFIED2 && \
+    cat /var/run/vars/GIT_MODIFIED1 /var/run/vars/GIT_MODIFIED2 | tr -d '\n' > /var/run/vars/GIT_MODIFIED && \
+    CGO_ENABLED=0 go build \
+        -ldflags "-X main.GitRepo=$(cat /var/run/vars/GIT_REPO) -X main.GitTag=$(cat /var/run/vars/GIT_LAST_TAG) -X main.GitCommit=$(cat /var/run/vars/GIT_HEAD_COMMIT) -X main.GitDirty=$(cat /var/run/vars/GIT_MODIFIED) -X \"main.GitCommitDate=$(cat /var/run/vars/GIT_DATE_LAST_COMMIT)\"" \
+        -o fs/haproxy-ingress-controller .
+
+FROM haproxytech/haproxy-alpine:2.7
+
+ARG TARGETPLATFORM
+
+COPY /fs /
+
+RUN apk --no-cache add socat openssl util-linux htop tzdata curl libcap && \
+    rm -f /usr/local/bin/dataplaneapi /usr/bin/dataplaneapi && \
+    chgrp -R haproxy /usr/local/etc/haproxy /run /var && \
+    chmod -R ug+rwx /usr/local/etc/haproxy /run /var && \
+    setcap 'cap_net_bind_service=+ep' /usr/local/sbin/haproxy && \
+    chown -R haproxy:haproxy /var/lib/pebble/default && \
+    chmod ugo+rwx /var/lib/pebble/default/* && \
+    rm -rf /etc/services.d/haproxy && \
+    rm -rf /etc/services.d/ingress-controller && \
+    rm -rf /etc/cont-init.d
+
+
+COPY --from=builder /go/bin/pebble /usr/local/bin
+COPY --from=builder /src/fs/haproxy-ingress-controller .
+
+ENTRYPOINT ["/start-pebble.sh"]

fs/start-pebble.sh

@@ -0,0 +1,24 @@
+#!/bin/sh
+#
+# Copyright 2017 The Kubernetes Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+if [ ! -e /etc/haproxy/haproxy-aux.cfg ]; then
+	touch /etc/haproxy/haproxy-aux.cfg
+	chgrp haproxy /etc/haproxy/haproxy-aux.cfg
+	chmod g+w /etc/haproxy/haproxy-aux.cfg
+fi
+
+export EXTRA_OPTIONS="$@"
+pebble run --verbose

fs/var/lib/pebble/default/layers/001-haproxy.yaml

@@ -0,0 +1,103 @@
+# (Optional) A short one line summary of the layer
+summary: Manage the HAPRoxy process
+
+# (Optional) A list of services managed by this configuration layer
+services:
+
+    haproxy:
+
+        # (Required) Control how this service definition is combined with any
+        # other pre-existing definition with the same name in the Pebble plan.
+        #
+        # The value 'merge' will ensure that values in this layer specification
+        # are merged over existing definitions, whereas 'replace' will entirely
+        # override the existing service spec in the plan with the same name.
+        override: replace
+
+        # (Required in combined layer) The command to run the service. It is executed
+        # directly, not interpreted by a shell, and may be optionally suffixed by default
+        # arguments within "[" and "]" which may be overriden via --args.
+        # Example: /usr/bin/somedaemon --db=/db/path [ --port 8080 ]
+        command: /var/lib/pebble/default/run-haproxy
+
+
+        # (Optional) Control whether the service is started automatically when
+        # Pebble starts. Default is "disabled".
+        startup: enabled
+
+        # (Optional) Username for starting service as a different user. It is
+        # an error if the user doesn't exist.
+        # user: haproxy
+
+        # (Optional) Group name for starting service as a different user. It is
+        # an error if the group doesn't exist.
+        # group: haproxy
+
+        # (Optional) Defines what happens when the service exits with a zero
+        # exit code. Possible values are: "restart" (default) which restarts
+        # the service after the backoff delay, "shutdown" which shuts down and
+        # exits the Pebble server, and "ignore" which does nothing further.
+        on-success: restart
+
+        # (Optional) Defines what happens when the service exits with a nonzero
+        # exit code. Possible values are: "restart" (default) which restarts
+        # the service after the backoff delay, "shutdown" which shuts down and
+        # exits the Pebble server, and "ignore" which does nothing further.
+        on-failure: restart
+
+    controller:
+
+        # (Required) Control how this service definition is combined with any
+        # other pre-existing definition with the same name in the Pebble plan.
+        #
+        # The value 'merge' will ensure that values in this layer specification
+        # are merged over existing definitions, whereas 'replace' will entirely
+        # override the existing service spec in the plan with the same name.
+        override: replace
+
+        # (Required in combined layer) The command to run the service. It is executed
+        # directly, not interpreted by a shell, and may be optionally suffixed by default
+        # arguments within "[" and "]" which may be overriden via --args.
+        # Example: /usr/bin/somedaemon --db=/db/path [ --port 8080 ]
+        command: /var/lib/pebble/default/run-controller
+
+
+        # (Optional) Control whether the service is started automatically when
+        # Pebble starts. Default is "disabled".
+        startup: enabled
+
+        # (Optional) Username for starting service as a different user. It is
+        # an error if the user doesn't exist.
+        #user: haproxy
+
+        # (Optional) Group name for starting service as a different user. It is
+        # an error if the group doesn't exist.
+        #group: haproxy
+
+        # (Optional) Defines what happens when the service exits with a zero
+        # exit code. Possible values are: "restart" (default) which restarts
+        # the service after the backoff delay, "shutdown" which shuts down and
+        # exits the Pebble server, and "ignore" which does nothing further.
+        on-success: restart
+
+        # (Optional) Defines what happens when the service exits with a nonzero
+        # exit code. Possible values are: "restart" (default) which restarts
+        # the service after the backoff delay, "shutdown" which shuts down and
+        # exits the Pebble server, and "ignore" which does nothing further.
+        on-failure: restart
+
+        after:
+            - haproxy
+
+checks:
+    check-haproxy:
+        # (Required) Control how this check definition is combined with any
+        # other pre-existing definition with the same name in the Pebble plan.
+        #
+        # The value 'merge' will ensure that values in this layer specification
+        # are merged over existing definitions, whereas 'replace' will entirely
+        # override the existing check spec in the plan with the same name.
+        override: replace
+        http:
+            # (Required) URL to fetch, for example "https://example.com/foo".
+            url: http://127.0.0.1:1042/healthz

fs/var/lib/pebble/default/run-controller

@@ -0,0 +1,24 @@
+#!/bin/sh
+
+MEMLIMIT=$(free -m | awk '/Mem:/ {print int($2 / 3)}')
+
+CG_LIMIT_FILE="/sys/fs/cgroup/memory/memory.limit_in_bytes"
+if [ -f "/sys/fs/cgroup/cgroup.controllers" ]; then
+    CG_LIMIT_FILE="/sys/fs/cgroup/memory.max"
+fi
+
+if [ -r "${CG_LIMIT_FILE}" ]; then
+    MEMLIMIT_CG=$(awk '{print int($1 / 1024 / 1024 / 3)}' "${CG_LIMIT_FILE}")
+
+    if [ "${MEMLIMIT_CG}" -gt 0 ]; then
+        if [ "${MEMLIMIT_CG}" -lt "${MEMLIMIT}" ]; then
+            MEMLIMIT="${MEMLIMIT_CG}"
+        fi
+    fi
+fi
+
+export GOMEMLIMIT="${MEMLIMIT}MiB"
+
+echo "Memory limit for Ingress Controller: ${GOMEMLIMIT}"
+
+exec /haproxy-ingress-controller --with-pebble ${EXTRA_OPTIONS}

fs/var/lib/pebble/default/run-haproxy

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+MEMLIMIT=$(free -m | awk '/Mem:/ {print int($2 * 2 / 3)}')
+
+CG_LIMIT_FILE="/sys/fs/cgroup/memory/memory.limit_in_bytes"
+if [ -f "/sys/fs/cgroup/cgroup.controllers" ]; then
+    CG_LIMIT_FILE="/sys/fs/cgroup/memory.max"
+fi
+
+if [ -r "${CG_LIMIT_FILE}" ]; then
+    MEMLIMIT_CG=$(awk '{print int($1 / 1024 / 1024 * 2 / 3)}' "${CG_LIMIT_FILE}")
+
+    if [ "${MEMLIMIT_CG}" -gt 0 ]; then
+        if [ "${MEMLIMIT_CG}" -lt "${MEMLIMIT}" ]; then
+            MEMLIMIT="${MEMLIMIT_CG}"
+        fi
+    fi
+fi
+
+echo "Memory limit for HAProxy: ${MEMLIMIT}MiB"
+
+exec /usr/local/sbin/haproxy -W -db -m "${MEMLIMIT}" -f /etc/haproxy/haproxy.cfg -f /etc/haproxy/haproxy-aux.cfg

pkg/haproxy/process/interface.go

@@ -20,13 +20,19 @@ type Process interface {
 }
 
 func New(env env.Env, osArgs utils.OSArgs, auxCfgFile string, api api.HAProxyClient) (p Process) { //nolint:ireturn
-	if osArgs.UseWiths6Overlay {
+	switch {
+	case osArgs.UseWiths6Overlay:
 		p = &s6Control{
 			Env:    env,
 			OSArgs: osArgs,
 			API:    api,
 		}
-	} else {
+	case osArgs.UseWithPebble:
+		p = &pebbleControl{
+			Env:    env,
+			OSArgs: osArgs,
+		}
+	default:
 		p = &directControl{
 			Env:    env,
 			OSArgs: osArgs,

pkg/haproxy/process/pebble.go

@@ -0,0 +1,53 @@
+package process
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+
+	"github.com/haproxytech/kubernetes-ingress/pkg/haproxy/api"
+	"github.com/haproxytech/kubernetes-ingress/pkg/haproxy/env"
+	"github.com/haproxytech/kubernetes-ingress/pkg/utils"
+)
+
+type pebbleControl struct {
+	Env    env.Env
+	OSArgs utils.OSArgs
+}
+
+func (d *pebbleControl) Service(action string) error {
+	if d.OSArgs.Test {
+		logger.Infof("HAProxy would be %sed now", action)
+		return nil
+	}
+	var cmd *exec.Cmd
+
+	switch action {
+	case "start":
+		// no need to start it is up already (pebble)
+		return nil
+	case "stop":
+		// no need to stop it (pebble)
+		return nil
+	case "reload":
+		cmd = exec.Command("pebble", "signal", "SIGUSR2", "haproxy")
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		return cmd.Run()
+	case "restart":
+		cmd = exec.Command("pebble", "restart", "haproxy")
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		return cmd.Run()
+	default:
+		return fmt.Errorf("unknown command '%s'", action)
+	}
+}
+
+func (d *pebbleControl) UseAuxFile(useAuxFile bool) {
+	// do nothing we always have it
+}
+
+func (d *pebbleControl) SetAPI(api api.HAProxyClient) {
+	// unused
+}

pkg/utils/flags.go

@@ -108,4 +108,5 @@ type OSArgs struct {
 	DisableHTTP                bool           `long:"disable-http" description:"toggle to disable the HTTP frontend"`
 	DisableIPV6                bool           `long:"disable-ipv6" description:"toggle to disable the IPv6 protocol from all frontends"`
 	DisableConfigSnippets      string         `long:"disable-config-snippets" description:"Allow to disable config snippets. List of comma separated values (possible values: all/global/backend/frontend)"`
+	UseWithPebble              bool           `long:"with-pebble" description:"use pebble to start/stop/reload HAProxy"`
 }