Move config files into the container

This is an experiment to move configuration files into the container and
only replace environment variables.

It creates a file to start the container where it creates all the needed
files based on templates and environment variables. If the file already
exists, it won't be overwritten. This allows bypassing the template.

Author: ekohl

container-images/candlepin/Containerfile

@@ -2,8 +2,19 @@ FROM quay.io/centos/centos:stream9
 RUN dnf -y update && \
     dnf clean all
 RUN dnf -y --nodocs --setopt install_weak_deps=False install \
+    gettext \
     https://yum.theforeman.org/candlepin/4.4/el9/x86_64/candlepin-4.4.14-1.el9.noarch.rpm \
     https://yum.theforeman.org/candlepin/4.4/el9/x86_64/candlepin-selinux-4.4.14-1.el9.noarch.rpm && \ 
     dnf clean all
 
-CMD ["/usr/libexec/tomcat/server", "start"]
+ENV CANDLEPIN_KEYSTORE_PATH=/etc/candlepin/certs/truststore
+ENV CANDLEPIN_KEYSTORE_PASSWORD=
+ENV CANDLEPIN_TRUSTSTORE_PATH=/etc/candlepin/certs/truststore
+# Optional - if unset, CANDLEPIN_KEYSTORE_PASSWORD is used
+ENV CANDLEPIN_TRUSTSTORE_PASSWORD=
+
+ADD broker.xml.tpl /etc/candlepin/
+
+ADD start /usr/libexec/candlepin/
+
+CMD ["/usr/libexec/candlepin/start"]

container-images/candlepin/README.md

@@ -0,0 +1,3 @@
+# Environment variables
+
+All environment variables are defined in `Containerfile`.

roles/candlepin/templates/broker.xml.j2 container-images/candlepin/broker.xml.tplroles/candlepin/templates/broker.xml.j2 renamed to container-images/candlepin/broker.xml.tpl

@@ -10,7 +10,7 @@
 
         <acceptors>
             <acceptor name="in-vm">vm://0</acceptor>
-            <acceptor name="stomp">tcp://localhost:61613?protocols=STOMP;useEpoll=false;sslEnabled=true;trustStorePath=/etc/candlepin/certs/truststore;trustStorePassword={{ candlepin_keystore_password }};keyStorePath=/etc/candlepin/certs/keystore;keyStorePassword={{ candlepin_keystore_password }};needClientAuth=true</acceptor>
+            <acceptor name="stomp">tcp://localhost:61613?protocols=STOMP;useEpoll=false;sslEnabled=true;trustStorePath=${CANDLEPIN_TRUSTSTORE_PATH};trustStorePassword=${CANDLEPIN_TRUSTSTORE_PASSWORD};keyStorePath=${CANDLEPIN_KEYSTORE_PATH};keyStorePassword=${CANDLEPIN_KEYSTORE_PASSWORD};needClientAuth=true</acceptor>
         </acceptors>
 
         <security-enabled>true</security-enabled>

container-images/candlepin/start

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+if [[ -z $CANDLEPIN_TRUSTSTORE_PASSWORD ]] ; then
+	CANDLEPIN_TRUSTSTORE_PASSWORD=$CANDLEPIN_KEYSTORE_PASSWORD
+	export CANDLEPIN_TRUSTSTORE_PASSWORD
+fi
+
+for template in /etc/candlepin/*.tpl ; do
+	destination=${template%%.tpl}
+	if [[ ! -f "$destination" ]] ; then
+		envsubst < "$template" > "$destination"
+	fi
+done
+
+exec /usr/libexec/tomcat/server start

roles/candlepin/tasks/artemis.yml

@@ -8,14 +8,11 @@
   ansible.builtin.set_fact:
     candlepin_artemis_client_dn: "{{ openssl_response.stdout | replace('subject=', '') }}"
 
-- name: Create Candlepin broker.xml
+- name: Create Candlepin keystore password secret
   containers.podman.podman_secret:
     state: present
-    name: candlepin-artemis-broker-xml
-    data: "{{ lookup('ansible.builtin.template', 'broker.xml.j2') }}"
-    labels:
-      filename: broker.xml
-      app: artemis
+    name: candlepin-keystore-password
+    data: "{{ candlepin_keystore_password }}"
 
 - name: Create Tomcat login config
   containers.podman.podman_secret:

roles/candlepin/tasks/main.yml

@@ -63,7 +63,7 @@
       - 'candlepin-tomcat-keystore,target=/etc/candlepin/certs/keystore,mode=0440,type=mount'
       - 'candlepin-tomcat-truststore,target=/etc/candlepin/certs/truststore,mode=0440,type=mount'
       - 'candlepin-candlepin-conf,target=/etc/candlepin/candlepin.conf,mode=0440,type=mount'
-      - 'candlepin-artemis-broker-xml,target=/etc/candlepin/broker.xml,mode=440,type=mount'
+      - 'candlepin-keystore-password,target=CANDLEPIN_KEYSTORE_PASSWORD,type=env'
       - 'candlepin-tomcat-server-xml,target=/etc/tomcat/server.xml,mode=440,type=mount'
       - 'candlepin-tomcat-conf,target=/etc/tomcat/tomcat.conf,mode=440,type=mount'
       - 'candlepin-artemis-login-config,target=/etc/tomcat/login.config,mode=440,type=mount'