BUG/MEDIUM: Expose new client-native option validate_files_before

As well as validate_files_after. These options are useful when HAProxy
reads from several configuration files. They allow dataplaneapi to
launch HAProxy with the correct -f flags to validate the configuration.

For example, a common practice is to put the global section into a
separate file called global.def. To make sure this file is included
before the main configuration file, you would add it to to
"validate_files_before", which is a list of filenames.

Author: oliwer

client-native/cn.go

@@ -34,6 +34,7 @@ func ConfigureConfigurationClient(haproxyOptions dataplaneapi_config.HAProxyConf
 		configuration_options.UsePersistentTransactions,
 		configuration_options.TransactionsDir(haproxyOptions.TransactionDir),
 		configuration_options.ValidateCmd(haproxyOptions.ValidateCmd),
+		configuration_options.ValidateConfigFiles(haproxyOptions.ValidateFilesBefore, haproxyOptions.ValidateFilesAfter),
 		configuration_options.MasterWorker,
 		configuration_options.UseMd5Hash,
 		configuration_options.PreferredTimeSuffix(haproxyOptions.PreferredTimeSuffix),

configuration/configuration.go

@@ -49,6 +49,8 @@ type HAProxyConfiguration struct {
 	ReloadStrategy       string        `long:"reload-strategy" description:"Either systemd, s6 or custom" default:"custom" group:"reload"`
 	TransactionDir       string        `short:"t" long:"transaction-dir" description:"Path to the transaction directory" default:"/tmp/haproxy" group:"transaction"`
 	ValidateCmd          string        `long:"validate-cmd" description:"Executes a custom command to perform the HAProxy configuration check" group:"reload"`
+	ValidateFilesBefore  []string      `long:"validate-files-before" description:"A list of configuration files to be loaded before the main file for validation" group:"reload"`
+	ValidateFilesAfter   []string      `long:"validate-files-after" description:"A list of configuration files to be loaded after the main file for validation" group:"reload"`
 	BackupsDir           string        `long:"backups-dir" description:"Path to directory in which to place backup files" group:"transaction"`
 	MapsDir              string        `short:"p" long:"maps-dir" description:"Path to directory of map files managed by dataplane" default:"/etc/haproxy/maps" group:"resources"`
 	SpoeTransactionDir   string        `long:"spoe-transaction-dir" description:"Path to the SPOE transaction directory" default:"/tmp/spoe-haproxy" group:"resources"`

configuration/configuration_storage.go

@@ -81,14 +81,16 @@ type configTypeUserlist struct {
 }
 
 type configTypeReload struct {
-	ReloadDelay     *int    `yaml:"reload_delay,omitempty"`
-	ReloadCmd       *string `yaml:"reload_cmd,omitempty"`
-	RestartCmd      *string `yaml:"restart_cmd,omitempty"`
-	StatusCmd       *string `yaml:"status_cmd,omitempty"`
-	ServiceName     *string `yaml:"service_name,omitempty"`
-	ReloadRetention *int    `yaml:"reload_retention,omitempty"`
-	ReloadStrategy  *string `yaml:"reload_strategy,omitempty"`
-	ValidateCmd     *string `yaml:"validate_cmd,omitempty"`
+	ReloadDelay         *int      `yaml:"reload_delay,omitempty"`
+	ReloadCmd           *string   `yaml:"reload_cmd,omitempty"`
+	RestartCmd          *string   `yaml:"restart_cmd,omitempty"`
+	StatusCmd           *string   `yaml:"status_cmd,omitempty"`
+	ServiceName         *string   `yaml:"service_name,omitempty"`
+	ReloadRetention     *int      `yaml:"reload_retention,omitempty"`
+	ReloadStrategy      *string   `yaml:"reload_strategy,omitempty"`
+	ValidateCmd         *string   `yaml:"validate_cmd,omitempty"`
+	ValidateFilesBefore *[]string `yaml:"validate_files_before,omitempty"`
+	ValidateFilesAfter  *[]string `yaml:"validate_files_after,omitempty"`
 }
 
 type configTypeTransaction struct {
@@ -252,6 +254,12 @@ func copyToConfiguration(cfg *Configuration) { //nolint:cyclop,maintidx
 	if cfgStorage.Haproxy != nil && cfgStorage.Haproxy.Reload != nil && cfgStorage.Haproxy.Reload.ValidateCmd != nil && !misc.HasOSArg("", "validate-cmd", "") {
 		cfg.HAProxy.ValidateCmd = *cfgStorage.Haproxy.Reload.ValidateCmd
 	}
+	if cfgStorage.Haproxy != nil && cfgStorage.Haproxy.Reload != nil && cfgStorage.Haproxy.Reload.ValidateFilesBefore != nil && !misc.HasOSArg("", "validate-files-before", "") {
+		cfg.HAProxy.ValidateFilesBefore = *cfgStorage.Haproxy.Reload.ValidateFilesBefore
+	}
+	if cfgStorage.Haproxy != nil && cfgStorage.Haproxy.Reload != nil && cfgStorage.Haproxy.Reload.ValidateFilesAfter != nil && !misc.HasOSArg("", "validate-files-after", "") {
+		cfg.HAProxy.ValidateFilesAfter = *cfgStorage.Haproxy.Reload.ValidateFilesAfter
+	}
 	if cfgStorage.Dataplaneapi != nil && cfgStorage.Dataplaneapi.Transaction != nil && cfgStorage.Dataplaneapi.Transaction.TransactionDir != nil && !misc.HasOSArg("t", "transaction-dir", "") {
 		cfg.HAProxy.TransactionDir = *cfgStorage.Dataplaneapi.Transaction.TransactionDir
 	}

configuration/examples/example-full.yaml

@@ -72,6 +72,9 @@ haproxy:
     reload_retention: 1 # int 2
     reload_strategy: custom
     validate_cmd: null # string 2
+    validate_files_before:
+    - "/etc/haproxy/global.def"
+    validate_files_after: [] # []string
 cluster: # Deprecated starting 3.0, see ./README.md for more information
   cluster_tls_dir: null # string
   id: null # string

e2e/tests/raw_multi/data/container/usr/local/etc/haproxy/default

@@ -0,0 +1,51 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDciXjkAHqi+B+X
+jgFTEDlGrz6OAISOZTY7vA1eqTW2wnUHyHiaj73xnGegxp9rgZ05lqg/ZU4fO0lt
+9XWh1h8+pjwG3KoClS9yr2AK6+tpc7cjN6ZwkQo/3I+ulh9SfbIwW4TSay1yFp9v
+aDX2MIicRzh308Z0fw92jBEcMAfewXXEIr/+PSwHLj2WLS3Adme3GNCJwzAbcU/C
+OWKlSWrgbOEsYcCGI7Fv8GFeJp7sLAeN/G/ichXEQfJIn3Enb30zBr+B3VxgyYQV
+tiOxiT+LTKX/zG16chOJQzKLYfT+E7m4o6fQbfEjScEx0/4JHAfn6OydMMrw3g+f
+M10NhkRHAgMBAAECggEAUMFOMT8zqQVunBJ1zbK9JnL5Vwo9f97z8v+zbZxMfPXL
+4OO5te84wIZjM+5HZhh6OCJAzaYM60bMZqVhQ7eijVBV3rVi07tJOpeZdaZZ961V
+vGGeYs3ZkPT08BsssQox+58njd2NMJ+0Fhl02QeAnqk9tjMoEnSMdv5nLYkw+JH0
+Uw3cYD7ZjBzA/VYoD9nuZDhN/xiqhLksnOOYnucSleQI0feVbG/QSYfzQeGo42Om
+MjlVJr0LeJMebOcT34o3fQHoz6pQZt0WP4xNwRrk72ZqBl8HSkLGfrqzg2hlaldQ
+JfB7DuWkYRrUF0GKs7CbFo4yRsABVtp8DF6xiCL5AQKBgQD/dLPG8Garlc9liJG9
+ovCE2/kAkeni/Qjc14CFX4qkgcnBIaTTl79xeRmN5dp/WnTinNNMQTamaCJaKEgN
+5A28axTsE9Ec/9sGrv/Dt3fXtS+rBPYS9Hc1k5LQrnBlD6lEe5+Oqhc4Mzw5sglo
+sfiChEzojV9Vnyj/Y0m5q8t9hwKBgQDdAbqiHMJoAP7IEnsOw1xjA6zFaeY2jYDS
+F5ZvSN0IlWXX2Aqc941ws1qKZiGjC9pqaRcjlh1OvhaEIpY7ksTShM8453mstWGl
+GV3iYiI9E+KijwqFhWyuiXxi0m0l0u2vXPgj0u6txX9suQQab9+f2oSEXG34wXDu
+R9+s/rqzQQKBgFID9OgtLLlwGqsdgrUgyBnPyg0Ny8qttJe6tK+dchTI+q6AD7xD
+XxqeZ77wCguTTi2nbgtwcIxSqJzLi/6xtltFAe2dmyi1WGu36bO7hsWBjXFZ4WtK
+g6921s8bAkjgE1dCXYLfRx8rC+32JCEx6nh044BSS0ZhGDeOeBAdgPKnAoGBAIIa
+w3kt/xBlDZhQsNr3DUtI3Yv2FM2mreCAfFIVDfJAqQzRJSZU4ZIoM7Pn/gNTNgiQ
+x0tu0uAJLY4qIlD9zRq1jpxMQKf4u3wLG+bqqIdWToQuOx5xdpKlY3F1uUWcD8q9
+q2LDiTkJXENwA8dgdsBPTtXw59iaYFYWP8pCxzxBAoGANmDkR5qJBJMeQgD8pVKu
+xLwV7gInuVMLqfF67aBTCsQKAk+b+zWKUbPLpaldCXREj0YLsTEmp2srIP4KKSMH
+N/yjXtYxY4fmCsrHAzqqzpZiYWRYScXHwCSudvV0w7PFNwKndS68lqDj7JKyGkBe
+rAMB+WGlOTcNKJrsrq7mnPc=
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIID3TCCAsWgAwIBAgIUSUdc/Tj4WL90KtoPif0wGpgEGlowDQYJKoZIhvcNAQEL
+BQAwfjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
+DU1vdW50YWluIFZpZXcxGjAYBgNVBAoMEVlvdXIgT3JnYW5pemF0aW9uMRIwEAYD
+VQQLDAlZb3VyIFVuaXQxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0yMzA1MjQxMDIy
+MjJaFw0zMzA1MjExMDIyMjJaMH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxp
+Zm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRowGAYDVQQKDBFZb3VyIE9y
+Z2FuaXphdGlvbjESMBAGA1UECwwJWW91ciBVbml0MRIwEAYDVQQDDAlsb2NhbGhv
+c3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDciXjkAHqi+B+XjgFT
+EDlGrz6OAISOZTY7vA1eqTW2wnUHyHiaj73xnGegxp9rgZ05lqg/ZU4fO0lt9XWh
+1h8+pjwG3KoClS9yr2AK6+tpc7cjN6ZwkQo/3I+ulh9SfbIwW4TSay1yFp9vaDX2
+MIicRzh308Z0fw92jBEcMAfewXXEIr/+PSwHLj2WLS3Adme3GNCJwzAbcU/COWKl
+SWrgbOEsYcCGI7Fv8GFeJp7sLAeN/G/ichXEQfJIn3Enb30zBr+B3VxgyYQVtiOx
+iT+LTKX/zG16chOJQzKLYfT+E7m4o6fQbfEjScEx0/4JHAfn6OydMMrw3g+fM10N
+hkRHAgMBAAGjUzBRMB0GA1UdDgQWBBQyAsLJnbNGf7ME+DokcSeSMYMN5jAfBgNV
+HSMEGDAWgBQyAsLJnbNGf7ME+DokcSeSMYMN5jAPBgNVHRMBAf8EBTADAQH/MA0G
+CSqGSIb3DQEBCwUAA4IBAQB62/lsOhVrIwUx07C4r3eGu6EmughelFJgqwijnOSS
+JmICWvLtfu+X8DQkl0ls5esnK8FZk2i5zBMqhdkD0vb9qa0iI++M6jcjbDrW/bZ/
+oLa/zvEvUeEQS3FqS8p3OUczm4T88cBze3MX4iDDo/QgK6B/46t2UeXByuIZEXsK
+6OzBfoX31qrZ+DvvKBSLQG1f13vkp9WDL2u60IQ4XaIgyr+O1R/x157ic0WPaWoV
+EwPYP7ds1d8Zz9z8u6LFNi+as33zkRhIBQble277U8vT7AOicXHxnf7y2rToO41h
+mi+hA0kvDDgbr4r/K/Lq909m8OUKWBZ5U+c9c7FdMqT+
+-----END CERTIFICATE-----

e2e/tests/raw_multi/data/container/usr/local/etc/haproxy/global.def

@@ -0,0 +1,10 @@
+global
+  chroot /var/lib/haproxy
+  user haproxy
+  group haproxy
+  maxconn 4000
+  pidfile /var/run/haproxy.pid
+  stats socket /var/lib/haproxy/stats level admin
+  log 127.0.0.1 local2
+  crt-base /etc/haproxy
+  ca-base /etc/haproxy

e2e/tests/raw_multi/data/haproxy.cfg

@@ -0,0 +1,31 @@
+# global is defined in global.def
+
+defaults mydefaults
+  mode http
+  maxconn 3000
+  log global
+  option httplog
+  option redispatch
+  option dontlognull
+  option http-server-close
+  option forwardfor except 127.0.0.0/8
+  timeout http-request 10s
+  timeout check 10s
+  timeout connect 10s
+  timeout client 1m
+  timeout queue 1m
+  timeout server 1m
+  timeout http-keep-alive 10s
+  retries 3
+
+backend test_backend
+  mode http
+  balance roundrobin
+  option forwardfor
+  server server_01 10.1.1.1:8080 check weight 80
+  server server_02 10.1.1.2:8080 check weight 80
+  server server_03 10.1.1.2:8080 check weight 80
+
+frontend test_frontend
+  bind :1443 ssl crt default
+  use_backend test_backend

e2e/tests/raw_multi/data/haproxy.cfg.json

@@ -0,0 +1 @@
+"# global is defined in global.def\n\ndefaults mydefaults\n  mode http\n  maxconn 3000\n  log global\n  option httplog\n  option redispatch\n  option dontlognull\n  option http-server-close\n  option forwardfor except 127.0.0.0/8\n  timeout http-request 10s\n  timeout check 10s\n  timeout connect 10s\n  timeout client 1m\n  timeout queue 1m\n  timeout server 1m\n  timeout http-keep-alive 10s\n  retries 3\n\nbackend test_backend\n  mode http\n  balance roundrobin\n  option forwardfor\n  server server_01 10.1.1.1:8080 check weight 80\n  server server_02 10.1.1.2:8080 check weight 80\n  server server_03 10.1.1.2:8080 check weight 80\n\nfrontend test_frontend\n  bind :1443 ssl crt default\n  use_backend test_backend\n"

e2e/tests/raw_multi/dataplaneapi.yaml

@@ -0,0 +1,29 @@
+# Same config as dataplaneapi-master-socket.yaml
+# but with an extra "validate_files_before".
+
+name: famous_condor
+dataplaneapi:
+  host: 0.0.0.0
+  port: 8080
+  userlist:
+    userlist_file: /etc/haproxy/userlist.cfg
+  resources:
+    maps_dir: /etc/haproxy/maps
+    ssl_certs_dir: /etc/haproxy/ssl
+    general_storage_dir: /etc/haproxy/general
+    dataplane_storage_dir: /etc/haproxy/dataplane
+    spoe_dir: /etc/haproxy/spoe
+haproxy:
+  config_file: /etc/haproxy/haproxy.cfg
+  haproxy_bin: /usr/local/sbin/haproxy
+  master_runtime: /var/lib/haproxy/master
+  master_worker_mode: true
+  reload:
+    reload_cmd: kill -s 12 1
+    restart_cmd: kill -s 12 1
+    validate_files_before:
+    - /etc/haproxy/global.def
+log:
+  log_to: file
+  log_file: /var/log/dataplaneapi.log
+  log_level: debug

e2e/tests/raw_multi/validate.bats

@@ -0,0 +1,30 @@
+#!/usr/bin/env bats
+#
+# Copyright 2025 HAProxy Technologies
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+load '../../libs/dataplaneapi'
+load '../../libs/debug'
+load "../../libs/get_json_path"
+load '../../libs/haproxy_config_setup'
+load '../../libs/resource_client'
+load '../../libs/version'
+
+_RAW_BASE_PATH="/services/haproxy/configuration/raw"
+
+@test "raw_multi: Validate a new configuration which depends on global.def" {
+  resource_post "$_RAW_BASE_PATH" 'data/haproxy.cfg.json' 'only_validate=1'
+  assert_equal "$SC" 202
+}