Move config files into the container #102
| RUN dnf -y update && \ | ||
| dnf clean all | ||
| RUN dnf -y --nodocs install \ | ||
| gettext \ |
This provides envsubst. On Fedora 41 it's split off into gettext-envsubst so I think it'll be the same on EL10.
| <acceptors> | ||
| <acceptor name="in-vm">vm://0</acceptor> | ||
| <acceptor name="stomp">tcp://localhost:61613?protocols=STOMP;useEpoll=false;sslEnabled=true;trustStorePath=/etc/candlepin/certs/truststore;trustStorePassword={{ candlepin_keystore_password }};keyStorePath=/etc/candlepin/certs/keystore;keyStorePassword={{ candlepin_keystore_password }};needClientAuth=true</acceptor> | ||
| <acceptor name="stomp">tcp://localhost:61613?protocols=STOMP;useEpoll=false;sslEnabled=true;trustStorePath=/etc/candlepin/certs/truststore;trustStorePassword=${CANDLEPIN_KEYSTORE_PASSWORD};keyStorePath=/etc/candlepin/certs/keystore;keyStorePassword=${CANDLEPIN_KEYSTORE_PASSWORD};needClientAuth=true</acceptor> |
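Review bot: the new acceptor line drops `${CANDLEPIN_KEYSTORE_PASSWORD}` straight into a URI query string inside XML with no escaping, so a password containing `;`, `&`, `<` or `"` would corrupt either the acceptor URL or broker.xml itself; document that constraint on the variable or have the start script reject such values before rendering. The rendered broker.xml then carries the plaintext password, so it should be written with restrictive permissions rather than whatever the default umask gives.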
I think https://activemq.apache.org/components/artemis/documentation/latest/configuring-transports.html#configuring-netty-ssl is the relevant documentation and I don't see a keystorePasswordFile option (or similar).
It does mention you can provide the javax.net.ssl.keyStorePassword system property as well. I wonder if Candlepin can reuse that same value. Perhaps we can end up with providing one big properties file with all secrets. Even if we don't directly expose that but still template it, it could be interesting to separate it out.
I'd like to expand this file to also document expected file paths or perhaps also introduce CANDLEPIN_TRUSTSTORE_PATH which can get a default value. Then it becomes introspectable.
| for template in /etc/candlepin/*.tpl ; do | ||
| destination=$(basename "$template" .tpl) | ||
| if [[ ! -f "$destination" ]] ; then |
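Review bot: `destination=$(basename "$template" .tpl)` strips the directory, so `[[ ! -f "$destination" ]]` tests for `broker.xml` in the current working directory and the rendered output would be written there instead of next to the template in /etc/candlepin; use `destination="${template%.tpl}"` (or prefix the basename with `$(dirname "$template")`) so the override check and the write target the same path.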
This was intended to allow overrides but now I realize it may be created during container creation
This is failing because I'm making changes to the
This is an experiment to move configuration files into the container and only replace environment variables. It creates a file to start the container where it creates all the needed files based on templates and environment variables. If the file already exists, it won't be overwritten. This allows bypassing the template.
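The start-script behaviour described above (render `*.tpl` into config files from environment variables, never overwrite a file that already exists), as an added example rather than code from this PR or from Candlepin. It is written in bash and does the `${VAR}` substitution itself so it runs without gettext; the variable names are those from the PR's Dockerfile, while `render_templates`, `render_text`, `apply_template_defaults` and the `CANDLEPIN_TEMPLATE_VARS` allow-list are hypothetical names introduced here. It adds two checks the PR's loop does not have: only allow-listed placeholders are expanded, and rendering fails instead of writing a config file when a referenced secret is empty.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR: an entrypoint helper that renders
# /etc/candlepin/*.tpl into config files from environment variables.
# Requires bash (arrays, ${var//pat/rep}); it does the substitution itself
# so it runs without gettext, but the same allow-list can be handed to
# envsubst (see usage note). Variable names follow the PR's Dockerfile.
set -euo pipefail

# Only these placeholders are expanded. A literal ${HOME} or ${PATH} in a
# template, or inside a secret value, stays as-is instead of leaking the
# container environment into the rendered file.
CANDLEPIN_TEMPLATE_VARS=(
  CANDLEPIN_KEYSTORE_PATH
  CANDLEPIN_KEYSTORE_PASSWORD
  CANDLEPIN_TRUSTSTORE_PATH
  CANDLEPIN_TRUSTSTORE_PASSWORD
)

# Mirror the "optional, falls back to the keystore password" default
# from the Dockerfile comment.
apply_template_defaults() {
  export CANDLEPIN_TRUSTSTORE_PASSWORD="${CANDLEPIN_TRUSTSTORE_PASSWORD:-${CANDLEPIN_KEYSTORE_PASSWORD:-}}"
}

# Replace ${NAME} for every allow-listed NAME in the text read on stdin.
# Literal string replacement: values containing '&', '/' or '\' are
# inserted verbatim (no sed/regex metacharacter surprises).
render_text() {
  local text name value placeholder
  text=$(cat; printf x)   # the trailing x keeps final newlines intact
  text=${text%x}
  for name in "${CANDLEPIN_TEMPLATE_VARS[@]}"; do
    value=${!name:-}
    placeholder="\${$name}"
    text=${text//"$placeholder"/"$value"}
  done
  printf '%s' "$text"
}

# Render TEMPLATE_DIR/*.tpl into OUT_DIR/<name>. An existing OUT_DIR/<name>
# (e.g. a bind-mounted override) is left untouched. Rendered files carry
# secrets, so they are created 0600. Returns 1, writing nothing for that
# template, when it references an allow-listed variable that is empty.
render_templates() {
  local template_dir=$1 out_dir=$2 template destination name old_umask
  apply_template_defaults
  old_umask=$(umask)
  umask 077
  for template in "$template_dir"/*.tpl; do
    [[ -e "$template" ]] || continue          # no templates at all
    destination="$out_dir/$(basename "$template" .tpl)"
    if [[ -f "$destination" ]]; then
      echo "render_templates: keeping existing $destination" >&2
      continue
    fi
    for name in "${CANDLEPIN_TEMPLATE_VARS[@]}"; do
      if grep -qF "\${$name}" "$template" && [[ -z "${!name:-}" ]]; then
        echo "render_templates: $template needs \$$name but it is empty" >&2
        umask "$old_umask"
        return 1
      fi
    done
    render_text < "$template" > "$destination"
    echo "render_templates: rendered $destination" >&2
  done
  umask "$old_umask"
}
```

In an entrypoint this would run as `render_templates /etc/candlepin /etc/candlepin` before exec'ing the server, so a file mounted over `/etc/candlepin/broker.xml` wins over the template. If envsubst is preferred for the substitution step, the same allow-list restricts it: `envsubst "$(printf '${%s} ' "${CANDLEPIN_TEMPLATE_VARS[@]}")" < "$template" > "$destination"`, since envsubst only expands the variables named in its SHELL-FORMAT argument.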
| ENV CANDLEPIN_KEYSTORE_PATH=/etc/candlepin/certs/truststore | ||
| ENV CANDLEPIN_KEYSTORE_PASSWORD= | ||
| ENV CANDLEPIN_TRUSTSTORE_PATH=/etc/candlepin/certs/truststore | ||
| # Optional - if unset, CANDLEPIN_KEYSTORE_PASSWORD is used | ||
| ENV CANDLEPIN_TRUSTSTORE_PASSWORD= |
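Review bot: `CANDLEPIN_KEYSTORE_PATH` defaults to `/etc/candlepin/certs/truststore`, the same path as `CANDLEPIN_TRUSTSTORE_PATH`, while the broker.xml template uses `/etc/candlepin/certs/keystore` for `keyStorePath`; this looks like a copy-paste slip and should be `/etc/candlepin/certs/keystore`. Both password variables default to empty, so the start script should refuse to render when `CANDLEPIN_KEYSTORE_PASSWORD` is empty rather than produce an acceptor with `keyStorePassword=`.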
I noticed every line is another layer so perhaps it's better to use the multi-line mode of ENV.
| ADD broker.xml.tpl /etc/candlepin/ |
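Review bot: use `COPY` rather than `ADD` for a local file such as broker.xml.tpl; `ADD` additionally unpacks archives and fetches URLs, neither of which is wanted here, and `COPY` makes the intent explicit. If the directory approach mentioned below is adopted, the same applies to `COPY candlepin/ /etc/candlepin/`.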
I thought about creating a candlepin directory locally and use ADD candlepin/* /etc/candlepin/ so make it easier to scale but haven't experimented with that yet.
Worth noting that when I played around with this, there was one scenario that wasn't working for me using Candlepin's built-in environment variable evaluation (#71 (comment)). I think this method of substitution would work around that.

I think this idea would mean we cannot use the official Candlepin images directly. We could possibly use them as base containers, but we'd have to layer in our baseline configuration files on top of it.

That's correct, so we'd be on the hook to rebuild.

Could you next try this out with some of the values in

Moved over to theforeman/candlepin-oci-images#3.
This is a potential first step towards #68.