Fix default template render output paths

images/router/haproxy/conf/haproxy-config.template

@@ -3,7 +3,7 @@
     					encryption before finally sending to a host_be which is the backend that is the final
     					backend for a route and contains all the endpoints for the service
 */}}
-{{- define "haproxy.config" }}
+{{- define "conf/haproxy.config" }}
 {{- $workingDir := .WorkingDir }}
 {{- $defaultDestinationCA := .DefaultDestinationCA }}
 {{- $dynamicConfigManager := .DynamicConfigManager }}
@@ -587,7 +587,7 @@ backend {{genBackendNamePrefix $cfg.TLSTermination}}:{{$cfgIdx}}
 			[sub]domain regexps. This map is used to check if
 			a host matches a [sub]domain with has wildcard support.
 */}}
-{{ define "os_wildcard_domain.map" -}}
+{{ define "conf/os_wildcard_domain.map" -}}
 {{     if isTrue (env "ROUTER_ALLOW_WILDCARD_ROUTES") -}}
 {{         range $idx, $line := generateHAProxyMap . -}}
 {{$line}}
@@ -602,7 +602,7 @@ backend {{genBackendNamePrefix $cfg.TLSTermination}}:{{$cfgIdx}}
                                                 be_edge_http for edge routes with InsecureEdgeTerminationPolicy Allow
                                                 be_secure for reencrypt routes with InsecureEdgeTerminationPolicy Allow
 */}}
-{{ define "os_http_be.map" -}}
+{{ define "conf/os_http_be.map" -}}
 {{     range $idx, $line := generateHAProxyMap . -}}
 {{$line}}
 {{     end -}}
@@ -615,7 +615,7 @@ backend {{genBackendNamePrefix $cfg.TLSTermination}}:{{$cfgIdx}}
                          by attaching prefix: be_edge_http for edge terminated routes
                                               be_secure for reencrypt routes
 */}}
-{{ define "os_edge_reencrypt_be.map" -}}
+{{ define "conf/os_edge_reencrypt_be.map" -}}
 {{     range $idx, $line := generateHAProxyMap . -}}
 {{$line}}
 {{     end -}}
@@ -627,7 +627,7 @@ backend {{genBackendNamePrefix $cfg.TLSTermination}}:{{$cfgIdx}}
     Map is used to redirect insecure traffic to use a secure scheme (https)
     if acls match for routes that have the insecure option set to redirect.
 */}}
-{{ define "os_route_http_redirect.map" -}}
+{{ define "conf/os_route_http_redirect.map" -}}
 {{     range $idx, $line := generateHAProxyMap . -}}
 {{$line}}
 {{     end -}}
@@ -638,7 +638,7 @@ backend {{genBackendNamePrefix $cfg.TLSTermination}}:{{$cfgIdx}}
     os_tcp_be.map: contains a mapping of www.example.com -> <service name>.  This map is used to discover the correct backend
                         by use_backend statements if acls are matched.
 */}}
-{{ define "os_tcp_be.map" -}}
+{{ define "conf/os_tcp_be.map" -}}
 {{     range $idx, $line := generateHAProxyMap . -}}
 {{$line}}
 {{     end -}}
@@ -649,7 +649,7 @@ backend {{genBackendNamePrefix $cfg.TLSTermination}}:{{$cfgIdx}}
     os_sni_passthrough.map: contains a mapping of routes that expect to have an sni header and should be passed
     					through to the host_be.  Driven by the termination type of the ServiceAliasConfigs
 */}}
-{{ define "os_sni_passthrough.map" -}}
+{{ define "conf/os_sni_passthrough.map" -}}
 {{     range $idx, $line := generateHAProxyMap . -}}
 {{$line}}
 {{     end -}}
@@ -663,7 +663,7 @@ backend {{genBackendNamePrefix $cfg.TLSTermination}}:{{$cfgIdx}}
           "<cert>: <domain-set>" is important as this allows us to use
          wildcards and/or use a deny set with !<domain> in the future.
 */}}
-{{ define "cert_config.map" -}}
+{{ define "conf/cert_config.map" -}}
 {{     range $idx, $line := generateHAProxyMap . -}}
 {{$line}}
 {{     end -}}

pkg/cmd/infra/router/template.go

@@ -150,7 +150,7 @@ func getIntervalFromEnv(name string, defaultValSecs int) time.Duration {
 }
 
 func (o *TemplateRouter) Bind(flag *pflag.FlagSet) {
-	flag.StringVar(&o.WorkingDir, "working-dir", "/var/lib/haproxy/router", "The working directory for the router plugin")
+	flag.StringVar(&o.WorkingDir, "working-dir", "/var/lib/haproxy", "The working directory for the router plugin")
 	flag.StringVar(&o.DefaultCertificate, "default-certificate", env("DEFAULT_CERTIFICATE", ""), "The contents of a default certificate to use for routes that don't expose a TLS server cert; in PEM format")
 	flag.StringVar(&o.DefaultCertificatePath, "default-certificate-path", env("DEFAULT_CERTIFICATE_PATH", ""), "A path to default certificate to use for routes that don't expose a TLS server cert; in PEM format")
 	flag.StringVar(&o.DefaultCertificateDir, "default-certificate-dir", env("DEFAULT_CERTIFICATE_DIR", ""), "A path to a directory that contains a file named tls.crt. If tls.crt is not a PEM file which also contains a private key, it is first combined with a file named tls.key in the same directory. The PEM-format contents are then used as the default certificate. Only used if default-certificate and default-certificate-path are not specified.")

pkg/router/template/router.go

@@ -10,7 +10,6 @@ import (
 	"os/exec"
 	"path/filepath"
 	"reflect"
-	"sort"
 	"strings"
 	"sync"
 	"text/template"
@@ -467,16 +466,11 @@ func (r *templateRouter) writeConfig() error {
 
 	log.V(4).Info("router certificate manager config committed")
 
-	pathNames := make([]string, 0)
-	for k := range r.templates {
-		pathNames = append(pathNames, filepath.Join(r.dir, k))
-	}
-	sort.Strings(pathNames)
-	for _, path := range pathNames {
-		template := r.templates[filepath.Base(path)]
-		file, err := os.Create(path)
+	for name, template := range r.templates {
+		filename := filepath.Join(r.dir, name)
+		file, err := os.Create(filename)
 		if err != nil {
-			return fmt.Errorf("error creating config file %s: %v", path, err)
+			return fmt.Errorf("error creating config file %s: %v", filename, err)
 		}
 
 		data := templateData{
@@ -493,7 +487,7 @@ func (r *templateRouter) writeConfig() error {
 		}
 		if err := template.Execute(file, data); err != nil {
 			file.Close()
-			return fmt.Errorf("error executing template for file %s: %v", path, err)
+			return fmt.Errorf("error executing template for file %s: %v", filename, err)
 		}
 		file.Close()
 	}