MEDIUM: acme: Listen for HAProxy events on the master socket

For now, only the "newcert" event is handled. This allows HAProxy to
save a newly generated certificate to disk using dataplaneapi.

More events will be implemented in the future to support ACME's DNS
challenges.

Author: oliwer

client-native/events.go

@@ -0,0 +1,205 @@
+// Copyright 2025 HAProxy Technologies
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package cn
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"strings"
+	"sync/atomic"
+	"time"
+
+	clientnative "github.com/haproxytech/client-native/v6"
+	"github.com/haproxytech/client-native/v6/runtime"
+	"github.com/haproxytech/dataplaneapi/log"
+)
+
+// Listen for HAProxy's event on the master socket.
+
+// Events categgories
+const (
+	EventAcme = "acme"
+)
+
+type HAProxyEventListener struct {
+	listener  *runtime.EventListener
+	client    clientnative.HAProxyClient // for storage only
+	rt        runtime.Runtime
+	stop      atomic.Bool
+	lastEvent time.Time
+}
+
+var (
+	ErrNoMasterSocket = errors.New("master socket not configured")
+	ErrOldVersion     = errors.New("this version of HAProxy does not support event sinks")
+)
+
+func ListenHAProxyEvents(ctx context.Context, client clientnative.HAProxyClient) (*HAProxyEventListener, error) {
+	rt, err := client.Runtime()
+	if err != nil {
+		return nil, err
+	}
+	if rt == nil || rt.IsStatsSocket() {
+		return nil, ErrNoMasterSocket
+	}
+
+	version, err := rt.GetVersion()
+	if err != nil {
+		return nil, err
+	}
+	// v3.2+
+	if version.Major < 3 || (version.Major == 3 && version.Minor < 2) {
+		return nil, ErrOldVersion
+	}
+
+	el, err := newHAProxyEventListener(rt.SocketPath())
+	if err != nil {
+		return nil, err
+	}
+
+	h := &HAProxyEventListener{
+		client:   client,
+		listener: el,
+		rt:       rt,
+	}
+
+	go h.listen(ctx)
+
+	log.Debugf("listening for HAProxy events on: %s", rt.SocketPath())
+
+	return h, nil
+}
+
+// Reconfigure a running listener with a new Runtime.
+func (h *HAProxyEventListener) Reconfigure(ctx context.Context, rt runtime.Runtime) error {
+	if rt == nil || rt.IsStatsSocket() {
+		return ErrNoMasterSocket
+	}
+
+	if rt.SocketPath() == h.rt.SocketPath() {
+		// no need to restart the listener
+		h.rt = rt
+		return nil
+	}
+
+	h.Reset()
+	h.rt = rt
+	h.stop.Store(false)
+	go h.listen(ctx)
+
+	return nil
+}
+
+func (h *HAProxyEventListener) Reset() {
+	if h.listener != nil {
+		if err := h.listener.Close(); err != nil {
+			log.Warning(err)
+		}
+		h.listener = nil
+	}
+}
+
+func (h *HAProxyEventListener) Stop() error {
+	h.stop.Store(true)
+	return h.listener.Close()
+}
+
+func newHAProxyEventListener(socketPath string) (*runtime.EventListener, error) {
+	// This is both the connect and write timeout.
+	// Use a small value here since at this point dataplane is supposed
+	// to be already connected to the master socket.
+	timeout := 3 * time.Second
+
+	el, err := runtime.NewEventListener("unix", socketPath, "dpapi", timeout, "-w", "-0")
+	if err != nil {
+		return nil, fmt.Errorf("could not listen to HAProxy's events: %w", err)
+	}
+
+	return el, nil
+}
+
+func (h *HAProxyEventListener) listen(ctx context.Context) {
+	var err error
+	retryAfter := 100 * time.Millisecond
+
+	for {
+		if h.stop.Load() {
+			// Stop requested.
+			h.Reset()
+			return
+		}
+		if h.listener == nil {
+			h.listener, err = newHAProxyEventListener(h.rt.SocketPath())
+			if err != nil {
+				// Try again.
+				log.Warning(err)
+				time.Sleep(retryAfter)
+				retryAfter *= 2
+				if retryAfter == 51200*time.Millisecond {
+					// Give up after 10 iterations.
+					h.stop.Store(true)
+				}
+				continue
+			}
+		}
+
+		for {
+			ev, err := h.listener.Listen(ctx)
+			if err != nil {
+				// EOF errors usually happen when HAProxy restarts, do not log.
+				if !errors.Is(err, io.EOF) {
+					log.Warning(err)
+				}
+				// Reset the connection.
+				h.Reset()
+				break
+			}
+
+			h.handle(ev)
+
+			if h.listener == nil { // just in case
+				break
+			}
+		}
+	}
+}
+
+func (h *HAProxyEventListener) handle(ev runtime.Event) {
+	if !ev.Timestamp.After(h.lastEvent) {
+		// Event already seen! Skip.
+		log.Debugf("events: skipping already seen: '%s'", ev.String())
+		return
+	}
+	h.lastEvent = ev.Timestamp
+
+	log.Debugf("events: new: '%s'", ev.String())
+
+	category, rest, ok := strings.Cut(ev.Message, " ")
+	if !ok {
+		log.Warningf("failed to parse HAProxy Event: '%s'", ev.Message)
+		return
+	}
+
+	if category == EventAcme {
+		h.handleAcmeEvent(rest)
+		return
+	}
+
+	// Do not expect dataplaneapi to be able to handle all event types.
+	log.Debugf("unknown HAProxy Event type: '%s'", ev.Message)
+}

client-native/events_acme.go

@@ -0,0 +1,95 @@
+// Copyright 2025 HAProxy Technologies
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package cn
+
+import (
+	"errors"
+	"io"
+	"path/filepath"
+	"strings"
+
+	"github.com/haproxytech/client-native/v6/configuration"
+	"github.com/haproxytech/dataplaneapi/log"
+)
+
+const EventAcmeNewCert = "newcert"
+
+func (h *HAProxyEventListener) handleAcmeEvent(message string) {
+	name, args, ok := strings.Cut(message, " ")
+	if !ok {
+		log.Warningf("failed to parse ACME Event: '%s'", message)
+		return
+	}
+
+	if name == EventAcmeNewCert {
+		h.handleAcmeNewCertEvent(args)
+		return
+	}
+
+	log.Debugf("unknown ACME Event type: '%s'", message)
+}
+
+// HAProxy has created a new certificate and needs dpapi to write it to Storage.
+// ex: acme newcert foobar.pem.rsa
+func (h *HAProxyEventListener) handleAcmeNewCertEvent(args string) {
+	if len(args) == 0 {
+		log.Error("received HAProxy Event 'acme newcert' without a cert name")
+		return
+	}
+
+	// Do not use the certificate name in args as a storage name.
+	// It could be an alias, or the user could have split keys and certs storage.
+
+	crt, err := h.rt.ShowCertificate(args)
+	if err != nil {
+		log.Errorf("events: acme newcert %s: %s", args, err.Error())
+		return
+	}
+
+	storage, err := h.client.SSLCertStorage()
+	if err != nil {
+		log.Error(err)
+		return
+	}
+
+	// 'dump ssl cert' can only be issued on sockets with level "admin".
+	pem, err := h.rt.DumpCertificate(crt.StorageName)
+	if err != nil {
+		log.Errorf("events: acme newcert %s: dump cert: %s", args, err.Error())
+		return
+	}
+
+	// The storage API only wants the filename, while the runtime API uses paths.
+	storageName := filepath.Base(crt.StorageName)
+
+	// Create or Replace the certificate.
+	_, _, err = storage.Get(storageName)
+	if err != nil {
+		if errors.Is(err, configuration.ErrObjectDoesNotExist) {
+			rc := io.NopCloser(strings.NewReader(pem))
+			_, _, err = storage.Create(storageName, rc)
+		}
+	} else {
+		_, err = storage.Replace(storageName, pem)
+	}
+
+	if err != nil {
+		log.Errorf("events: acme newcert %s: storage: %s", args, err.Error())
+		return
+	}
+
+	log.Debugf("events: OK: acme newcert %s => %s", args, crt.StorageName)
+}

configure_data_plane.go

@@ -33,7 +33,7 @@ import (
 	"github.com/getkin/kin-openapi/openapi2"
 	"github.com/getkin/kin-openapi/openapi2conv"
 	"github.com/getkin/kin-openapi/openapi3"
-	"github.com/go-openapi/errors"
+	api_errors "github.com/go-openapi/errors"
 	"github.com/go-openapi/runtime"
 	"github.com/go-openapi/runtime/middleware"
 	"github.com/go-openapi/swag"
@@ -79,6 +79,7 @@ var (
 	AccLogger             *log.Logger
 	serverStartedCallback func()
 	clientMutex           sync.Mutex
+	eventListener         *cn.HAProxyEventListener
 )
 
 func SetServerStartedCallback(callFunc func()) {
@@ -159,7 +160,7 @@ func configureAPI(api *operations.DataPlaneAPI) http.Handler { //nolint:cyclop,m
 	// end overriding options with env variables
 
 	// configure the api here
-	api.ServeError = errors.ServeError
+	api.ServeError = api_errors.ServeError
 
 	// Set your custom logger if needed. Default one is log.Printf
 	// Expected interface func(string, ...interface{})
@@ -192,6 +193,8 @@ func configureAPI(api *operations.DataPlaneAPI) http.Handler { //nolint:cyclop,m
 
 	initDataplaneStorage(haproxyOptions.DataplaneStorageDir, client)
 
+	configureEventListener(clientCtx, client)
+
 	users := dataplaneapi_config.GetUsersStore()
 	// this is not part of GetUsersStore(),
 	// in case of reload we need to reread users
@@ -1286,6 +1289,28 @@ func configureNativeClient(cyx context.Context, haproxyOptions dataplaneapi_conf
 	return client
 }
 
+func configureEventListener(ctx context.Context, client client_native.HAProxyClient) {
+	rt, err := client.Runtime()
+	if err != nil {
+		return
+	}
+
+	if eventListener != nil {
+		err = eventListener.Reconfigure(ctx, rt)
+		if err != nil {
+			// Stop the listener if the new conf has no master socket.
+			log.Info("Stopping the EventListener:", err.Error())
+			_ = eventListener.Stop()
+		}
+	} else {
+		// First start.
+		eventListener, err = cn.ListenHAProxyEvents(ctx, client)
+		if err != nil && err != cn.ErrNoMasterSocket && err != cn.ErrOldVersion {
+			log.Error("Failed to start HAProxy's event listener:", err.Error())
+		}
+	}
+}
+
 func handleSignals(ctx context.Context, cancel context.CancelFunc, sigs chan os.Signal, client client_native.HAProxyClient, haproxyOptions dataplaneapi_config.HAProxyConfiguration, users *dataplaneapi_config.Users) {
 	for {
 		select {
@@ -1299,6 +1324,7 @@ func handleSignals(ctx context.Context, cancel context.CancelFunc, sigs chan os.
 					log.Infof("Unable to reload Data Plane API: %s", err.Error())
 				} else {
 					client.ReplaceRuntime(cn.ConfigureRuntimeClient(clientCtx, configuration, haproxyOptions))
+					configureEventListener(clientCtx, client)
 					log.Info("Reloaded Data Plane API")
 				}
 			} else if sig == syscall.SIGUSR2 {
@@ -1340,6 +1366,9 @@ func startWatcher(ctx context.Context, client client_native.HAProxyClient, hapro
 			reloadAgent.ReloadWithCallback(reconfigureFunc)
 		}
 
+		// Reconfigure the event listener if needed.
+		configureEventListener(ctx, client)
+
 		// get the last configuration which has been updated by reloadConfigurationFile and increment version in config file.
 		configuration, err := client.Configuration()
 		if err != nil {

go.mod

@@ -43,6 +43,8 @@ require (
 	gopkg.in/yaml.v2 v2.4.0
 )
 
+replace github.com/haproxytech/client-native/v6 => ../client-native
+
 require (
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.31 // indirect