This article was translated as part of the course "Infrastructure platform based on Kubernetes".
HAProxy Kubernetes Ingress Controller 1.5 has been released. This version can run HAProxy outside of the Kubernetes cluster, adds mutual TLS authentication towards backend services and HTTP Basic authentication, and is based on HAProxy 2.3.
Running HAProxy outside of Kubernetes
Until now the controller ran as a pod inside the cluster. With version 1.5 it can also run in external mode: HAProxy and the controller are ordinary processes on a host outside the cluster, and the controller talks to the Kubernetes API to keep the HAProxy configuration in sync with your Ingress, Service and ConfigMap objects.
Inside the cluster, clients normally reach pods through the Service abstraction, with kube-proxy doing the load balancing. The controller has always bypassed that layer and load balanced directly across pod IPs; in external mode this means the host running HAProxy needs a route into the pod network, while the Service is still used to discover the endpoints.
Because HAProxy is now a plain host process, you can make it highly available with the tools you already use outside Kubernetes, such as Keepalived with a floating IP.
The host can be any machine you manage with your usual tooling (configuration management, CI/CD pipelines and so on). It needs the following:
the HAProxy Kubernetes Ingress Controller binary;
HAProxy itself (version 1.5 of the controller targets HAProxy 2.3);
a kubeconfig file giving the controller access to the Kubernetes API;
a route to the pod network, so HAProxy can reach the pods.
Add the route on the host running HAProxy, where <pod-network> is the pod CIDR and <node-ip> is the IP address of a cluster node that will forward the traffic:
$ ip route add <pod-network> via <node-ip>
Then start the controller in external mode (-e). It manages the HAProxy binary given by --program and reads its settings from the ConfigMap named by --configmap. The bind address and ports are set explicitly so the listeners only come up on the host's intended address (the original command was missing the line continuation after --ipv4-bind-address):
$ ./kubernetes-ingress -e \
--configmap=default/haproxy-kubernetes-ingress \
--program=/usr/bin/haproxy \
--disable-ipv6 \
--ipv4-bind-address=10.0.3.100 \
--http-bind-port=8080 \
--https-bind-port=8443
Mutual TLS authentication
Mutual TLS (mTLS) lets both sides of a TLS connection authenticate each other. With ordinary TLS only the client verifies the server's certificate against a trusted Certificate Authority (CA); with mTLS the server also requires the client to present a certificate signed by a CA it trusts, and rejects connections from clients that cannot. Version 1.5 supports this between HAProxy and the backend pods: HAProxy is the client here, so it verifies the service's certificate and presents one of its own. Two new annotations configure it; each references a Secret as namespace/name and can be set on a Service, an Ingress or the controller's ConfigMap:
server-ca
a Kubernetes Secret holding the CA certificate HAProxy uses to verify the backend's server certificate.
server-crt
a Kubernetes Secret holding the client certificate and private key HAProxy presents to the backend.
For example, on a Service:
apiVersion: v1
kind: Service
metadata:
labels:
run: web
name: web
annotations:
haproxy.org/server-ca: "default/server-tls-secret"
haproxy.org/server-crt: "default/client-tls-secret"
# ... other service settings...
The existing server-ssl annotation already enabled TLS towards backends, but without verifying their certificates; server-ca adds that verification and server-crt makes the connection mutual.
This matters for backends that require client certificates, such as internal APIs that authenticate their callers that way: they can now sit behind the ingress controller without an exemption for HAProxy.
Basic authentication
Version 1.5 also adds HTTP Basic authentication. Set the auth-type annotation to basic-auth (on an Ingress or in the ConfigMap) and point auth-secret at a Kubernetes Secret in which each key is a username and each value is that user's password, hashed with a crypt(3)-style algorithm (for example with mkpasswd) and, as with every Secret, stored base64-encoded. HAProxy compares the presented password against the hash, so a plaintext value never matches.
# networking.k8s.io/v1beta1 was current when 1.5 shipped; on Kubernetes 1.19+ use networking.k8s.io/v1
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: web-ingress
namespace: default
annotations:
haproxy.org/ssl-redirect: "true"
haproxy.org/ssl-redirect-code: "301"
haproxy.org/ssl-certificate: "default/tls-secret"
haproxy.org/auth-type: basic-auth
haproxy.org/auth-secret: "default/logins"
# ... other ingress settings...
Serve such an Ingress over TLS only (the ssl-redirect annotations above take care of that): Basic credentials are merely base64-encoded, so over plain HTTP they would cross the network in the clear.
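A mistake that is easy to make with auth-secret is to store the password itself, base64-encoded, instead of a password hash: the Secret looks right, but no login ever succeeds. The following check, added here as an example and not part of the controller, decodes the values of a Secret's data section and reports which users have a crypt(3)-style hash and which do not. The Secret contents and the hash (a dummy SHA-512 crypt string, not a real one) are constructed for the example.

```python
"""Sanity-check the Secret referenced by haproxy.org/auth-secret.

Added example, not controller code. It decodes the base64 values a Secret
carries and tells plaintext passwords apart from crypt(3)-style hashes, which
is what HAProxy's userlist compares a Basic login against."""
import base64
import re

# crypt(3) hash prefixes: $1$ (MD5), $5$ (SHA-256), $6$ (SHA-512);
# $2a$/$2b$/$2y$ (bcrypt) only work where the system crypt() supports them.
HASH_PREFIX = re.compile(r"^\$(1|5|6|2[aby])\$")

# Constructed Secret data: alice has a dummy (not real) SHA-512 crypt hash,
# bob's value is really a plaintext password, carol's value is not even base64.
SAMPLE_SECRET_DATA = {
    "alice": base64.b64encode(b"$6$Yn4zZq7Q$" + b"A" * 86).decode(),
    "bob": base64.b64encode(b"hunter2").decode(),
    "carol": "not*base64*at*all",
}


def classify(value_b64):
    """Return 'hash', 'plaintext' or 'invalid-base64' for one Secret value."""
    try:
        decoded = base64.b64decode(value_b64, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return "invalid-base64"
    return "hash" if HASH_PREFIX.match(decoded) else "plaintext"


def check_auth_secret(data):
    """Map every username in the Secret's data section to a verdict on its value."""
    return {user: classify(value) for user, value in data.items()}


def unsafe_users(data):
    """Usernames whose entry HAProxy could never match a valid login against."""
    return sorted(u for u, v in check_auth_secret(data).items() if v != "hash")


if __name__ == "__main__":
    for user, verdict in check_auth_secret(SAMPLE_SECRET_DATA).items():
        print(f"{user:6s} {verdict}")
```

Run it against the output of `kubectl get secret logins -o json` (the `.data` object) before pointing auth-secret at the Secret; any user listed by unsafe_users will simply get 401 responses.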
SSL redirect
Most of what you used to edit in haproxy.cfg is now declared on Kubernetes objects with kubectl: the controller renders the HAProxy configuration from Ingress, Service and ConfigMap resources. Redirecting plain HTTP to HTTPS, for example, takes a few annotations on the Ingress:
# networking.k8s.io/v1beta1 was current when 1.5 shipped; on Kubernetes 1.19+ use networking.k8s.io/v1
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: web-ingress
namespace: default
annotations:
haproxy.org/ssl-redirect: "true"
haproxy.org/ssl-redirect-code: "301"
haproxy.org/ssl-certificate: "default/tls-secret"
# ... other ingress settings...
HAProxy answers these redirects itself, so the request never reaches a backend, and the same Ingress annotations work whether HAProxy runs inside the cluster or in external mode. The ssl-certificate annotation names the Secret (namespace/name) holding the certificate and key HAProxy serves on the HTTPS listener.
Config snippets
Not every HAProxy directive has an annotation. For those, the global-config-snippet key in the controller's ConfigMap inserts raw directives into the global section of the generated configuration. A typical use is tightening the TLS defaults with ssl-default-bind-options (protocol versions, session tickets), ssl-default-bind-ciphers (cipher list), tune.ssl.default-dh-param (DH parameter size) and tune.bufsize (buffer size, which also bounds the custom error pages described later):
apiVersion: v1
kind: ConfigMap
metadata:
name: haproxy-kubernetes-ingress
namespace: default
data:
global-config-snippet: |
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tune.ssl.default-dh-param 2048
tune.bufsize 32768
Whatever you put in a snippet is inserted verbatim, so a typo makes the whole generated configuration invalid; the controller refuses to reload an invalid configuration and logs the error, so check its logs after changing a snippet. Note also that ssl-default-bind-ciphers covers TLS 1.2 and earlier only; TLS 1.3 cipher suites are set with ssl-default-bind-ciphersuites. A backend-config-snippet annotation on a Service inserts directives into that service's backend section. Here it adds rate limiting per client and URL:
apiVersion: v1
kind: Service
metadata:
labels:
run: web
name: web
annotations:
haproxy.org/backend-config-snippet: |
stick-table type binary size 1000 store http_req_rate(5s)
http-request track-sc0 url32+src
http-request deny if { url32+src,table_http_req_rate() gt 50 }
# ... other service settings...
The stick-table keeps a per-key request rate over a 5-second window; http-request track-sc0 url32+src counts every request under a key made of a 32-bit hash of the URL plus the client IP, and http-request deny rejects requests once that key's rate exceeds 50 per 5 seconds. This complements the controller's rate-limit-requests annotation, which counts by client IP alone and so limits a client across all URLs rather than per URL.
Snippets set in the ConfigMap apply to everything the controller generates; set on an Ingress or Service they apply only to that object, so you can keep global defaults in one place and override them where needed.
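The difference between keying the counter on url32+src and on src alone is easiest to see on replayed traffic. The model below is an added example, not HAProxy code: it replaces the stick-table's frequency counter with an exact sliding window and CRC32 stands in for HAProxy's url32 hash (the exact hash does not matter, only that distinct URLs give distinct keys). The traffic is constructed: one client sends 60 requests in three seconds, alternating between two URLs.

```python
"""Simplified model of the two rate-limiting approaches discussed above.

Added example, not HAProxy code: an exact sliding window stands in for the
stick-table's http_req_rate counter, and CRC32 stands in for url32."""
from collections import defaultdict, deque
import zlib

PERIOD = 5.0   # seconds, as in http_req_rate(5s)
LIMIT = 50     # as in "gt 50"


class RateTable:
    """Stand-in for 'stick-table type binary size 1000 store http_req_rate(5s)'."""

    def __init__(self, period=PERIOD):
        self.period = period
        self.hits = defaultdict(deque)   # key -> request timestamps inside the window

    def track(self, key, now):
        """Like 'http-request track-sc0 <key>': count this request, return the rate."""
        window = self.hits[key]
        window.append(now)
        while window and now - window[0] >= self.period:
            window.popleft()
        return len(window)


def key_url32_src(req):
    """Key of the backend-config-snippet above: hash of the URL plus client IP."""
    return (zlib.crc32(req["url"].encode()) & 0xFFFFFFFF, req["src"])


def key_src(req):
    """Key the rate-limit-requests annotation uses: the client IP only."""
    return req["src"]


def count_denied(requests, keyfunc, limit=LIMIT, period=PERIOD):
    """Replay requests through 'track, then deny if rate gt limit'; return denials."""
    table = RateTable(period)
    return sum(1 for r in requests if table.track(keyfunc(r), r["t"]) > limit)


def constructed_traffic():
    """One client, 60 requests in 3 seconds, alternating between two URLs."""
    return [{"src": "198.51.100.10",
             "url": "/api/a" if i % 2 == 0 else "/api/b",
             "t": i * 0.05} for i in range(60)]


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("denied with url32+src key:", count_denied(traffic, key_url32_src))
    print("denied with src key:      ", count_denied(traffic, key_src))
```

With the url32+src key each URL sees 30 requests from the client, below the limit, so nothing is denied; with the src key the same client crosses 50 requests on its 51st and the last ten are rejected. Pick the key according to what you are protecting: a per-client budget, or a per-endpoint one.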
Custom error pages
HAProxy generates some responses itself rather than forwarding them from a backend: 403 Forbidden from an http-request deny rule, 503 Service Unavailable when no server in a backend is available, and so on. Version 1.5 lets you replace these with your own pages through the --configmap-errorfile argument, which points at a ConfigMap whose keys are HTTP status codes and whose values are complete HTTP responses, headers included:
apiVersion: v1
kind: ConfigMap
metadata:
  name: customerrors
  namespace: default
data:
  # the key is the status code; the value is the full response HAProxy will send,
  # including the blank line that separates headers from body
  "503": |-
    HTTP/1.0 503 Service Unavailable
    Cache-Control: no-cache
    Connection: close
    Content-Type: text/html

    <html><body><h1>Oops, that's embarrassing!</h1>
    <p>There are no servers available to handle your request.</p>
    </body></html>
Then pass the ConfigMap to the controller as namespace/name in its arguments:
args:
- --configmap-errorfile=default/customerrors
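Because HAProxy loads each value as a pre-formatted HTTP response, three things go wrong in practice: a status line whose code does not match the ConfigMap key, a missing blank line between headers and body (the response is then not parseable), and a page larger than tune.bufsize. The validator below is an added example, not controller code, and the sample data is a constructed copy of the 503 page above; run it over the ConfigMap's data section before deploying.

```python
"""Check a custom error ConfigMap before pointing --configmap-errorfile at it.

Added example, not controller code. HAProxy loads each value as a complete
HTTP response, so the checks are: a status line with the right code, a blank
line between headers and body, well-formed header lines, and a total size
below tune.bufsize."""
import re

DEFAULT_BUFSIZE = 16384   # HAProxy default; the ConfigMap earlier on this page raises it to 32768
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})(?: .*)?$")


def validate_errorfile(status_key, body, bufsize=DEFAULT_BUFSIZE):
    """Return a list of problems; an empty list means the response is usable."""
    problems = []
    size = len(body.encode("utf-8"))
    if size >= bufsize:
        problems.append(f"response is {size} bytes, must stay below tune.bufsize={bufsize}")
    # Accept LF or CRLF line endings; the header block must end with an empty line.
    parts = re.split(r"\r?\n\r?\n", body, maxsplit=1)
    if len(parts) < 2:
        problems.append("no blank line between headers and body")
    lines = [line.rstrip("\r") for line in parts[0].split("\n")]
    match = STATUS_LINE.match(lines[0])
    if not match:
        problems.append(f"first line is not an HTTP/1.x status line: {lines[0]!r}")
    elif match.group(1) != str(status_key):
        problems.append(f"status {match.group(1)} does not match ConfigMap key {status_key}")
    for header in lines[1:]:
        if ":" not in header:
            problems.append(f"malformed header line: {header!r}")
    return problems


def validate_configmap_data(data, bufsize=DEFAULT_BUFSIZE):
    """Validate every key/value pair of the ConfigMap's data section."""
    return {key: validate_errorfile(key, value, bufsize) for key, value in data.items()}


# Constructed copy of the 503 page from the ConfigMap above.
SAMPLE_DATA = {
    "503": (
        "HTTP/1.0 503 Service Unavailable\n"
        "Cache-Control: no-cache\n"
        "Connection: close\n"
        "Content-Type: text/html\n"
        "\n"
        "<html><body><h1>Oops, that's embarrassing!</h1>\n"
        "<p>There are no servers available to handle your request.</p>\n"
        "</body></html>"
    ),
}

if __name__ == "__main__":
    for code, problems in validate_configmap_data(SAMPLE_DATA).items():
        print(code, "ok" if not problems else "; ".join(problems))
```

The size check matters because the error page is sent from HAProxy's own buffer: if you add inline CSS or a logo, raise tune.bufsize in the global-config-snippet accordingly or the page will be rejected at load time.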
Version 1.5 also brings the following annotations:
take the client IP address from an HTTP header instead of the L3 source address, for when HAProxy sits behind another proxy or load balancer that replaces the connection's source IP but records the original in a header;
accept the PROXY protocol on incoming connections;
redirect requests to another location with an HTTP redirect (Location header);
choose the status code used for that redirect;
redirect to HTTPS;
enable CORS on an Ingress;
set Access-Control-Allow-Origin, the origins allowed to read responses;
set Access-Control-Allow-Methods, the HTTP methods cross-origin callers may use;
set Access-Control-Allow-Credentials, whether credentials (cookies, authorization headers) may be sent;
set Access-Control-Allow-Headers, the request headers cross-origin callers may send;
set Access-Control-Max-Age, how long browsers may cache the preflight response.
Map-based routing
Under the hood, the controller now routes with HAProxy Map files instead of long chains of ACLs, which both shortens the generated configuration and speeds up request matching. In version 1.4, every host and path rule produced its own use_backend line with inline ACLs, and annotations such as deny (http-request deny) or header captures (http-request capture) repeated those ACLs once per rule:
frontend http
mode http
bind 0.0.0.0:80 name bind_1
bind :::80 v4v6 name bind_2
http-request set-var(txn.host) req.hdr(Host),field(1,:),lower
http-request set-var(txn.path) path
http-request set-var(txn.base) base
http-request deny deny_status 403 if { var(txn.host),concat(,txn.path) -m beg -f /etc/haproxy/maps/16510262515213450.lst } { src -f /etc/haproxy/maps/7895261178644353572.lst } or { var(txn.host) -f /etc/haproxy/maps/16510262515213450.lst } { src -f /etc/haproxy/maps/7895261178644353572.lst } or { var(txn.path) -m beg -f /etc/haproxy/maps/16510262515213450.lst } { src -f /etc/haproxy/maps/7895261178644353572.lst }
http-request capture "hdr(Referer)" len 128 if { var(txn.host),concat(,txn.path) -m beg -f /etc/haproxy/maps/18288779858306557702.lst } or { var(txn.host) -f /etc/haproxy/maps/18288779858306557702.lst } or { var(txn.path) -m beg -f /etc/haproxy/maps/18288779858306557702.lst }
http-request capture "hdr(User-Agent)" len 128 if { var(txn.host),concat(,txn.path) -m beg -f /etc/haproxy/maps/15330672981640189476.lst } or { var(txn.host) -f /etc/haproxy/maps/15330672981640189476.lst } or { var(txn.path) -m beg -f /etc/haproxy/maps/15330672981640189476.lst }
use_backend echo-echo-3-http-echo-8080 if { var(txn.host) echo.k8s.local } { var(txn.path) -m beg /echo-3 }
use_backend echo-echo-2-http-echo-8080 if { var(txn.host) echo.k8s.local } { var(txn.path) -m beg /echo-2 }
use_backend echo-echo-3-http-echo-8080 if { var(txn.host) echo-3.k8s.local }
use_backend echo-echo-2-http-echo-8080 if { var(txn.host) echo-2.k8s.local }
use_backend echo-echo-1-http-echo-8443 if { var(txn.host) echo-1.k8s.local }
use_backend echo-echo-3-http-echo-8080 if { var(txn.path) -m beg /echo-3 }
use_backend echo-echo-2-http-echo-8080 if { var(txn.path) -m beg /echo-2 }
default_backend default-haproxy-1-4-kubernetes-ingress-default-backend-8080
Version 1.5 generates the following frontend for the same rules:
frontend http
mode http
bind 0.0.0.0:80 name bind_1
bind :::80 name bind_2 v4v6
http-request set-var(txn.base) base
http-request set-var(txn.path) path
http-request set-var(txn.host) req.hdr(Host),field(1,:),lower,map(/etc/haproxy/maps/host.map)
http-request set-var(txn.host) req.hdr(Host),field(1,:),regsub(^[^.]*,,),lower,map(/etc/haproxy/maps/host.map,'') if !{ var(txn.host) -m found }
http-request set-var(txn.match) var(txn.host),concat(,txn.path,),map(/etc/haproxy/maps/path-exact.map)
http-request set-var(txn.match) var(txn.host),concat(,txn.path,),map_beg(/etc/haproxy/maps/path-prefix.map) if !{ var(txn.match) -m found }
http-request deny deny_status 403 if { var(txn.match) -m dom 819381936 } { src -f /etc/haproxy/maps/blacklist-2602162148.map }
http-request capture "hdr(Referer)" len 128 if { var(txn.match) -m dom 4205828474 }
http-request capture "hdr(User-Agent)" len 128 if { var(txn.match) -m dom 2786470064 }
use_backend %[var(txn.match),field(1,.)]
default_backend default-haproxy-kubernetes-ingress-default-backend-8080
The per-rule use_backend and http-request lines are gone. Instead, a handful of lookups against HAProxy Map files resolve the request, and a Map lookup costs about the same whether the file holds ten entries or ten thousand, so the configuration no longer grows with the number of Ingress rules.
The lookups are:
host.map, keyed by the Host header; a second lookup with the first label stripped (regsub) handles wildcard hosts;
path-exact.map, keyed by "host/path", for rules that match a path exactly;
path-prefix.map, with the same key shape but matched with map_beg, for prefix rules.
Each map value packs the routing decision into one string:
BackendName.ruleID1.ruleID2.ruleID3
The first dot-separated field is the backend, which use_backend extracts with field(1,.). Every following field is the ID of a frontend rule (a deny, a blacklist, a header capture and so on) that applies to this route, and each http-request line checks for its own ID with -m dom, a match on whole dot-separated components. For example:
echo.k8s.local/echo-2 echo-echo-2-http-echo-8080.4205828474.2786470064
sends requests for echo.k8s.local/echo-2 to the echo-echo-2-http-echo-8080 backend and marks them for the two header captures (rule IDs 4205828474 and 2786470064 in the frontend above).
This is an internal change, so existing Ingress resources keep working; the generated configuration is simply shorter and cheaper to evaluate.
Conclusion
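To make the lookup chain concrete, the model below replays it in Python against constructed map files. It is an added example, not controller code: the rule IDs are the ones in the 1.5 frontend above, while the wildcard host entry (".k8s.local"), the path map contents and the blacklist address are assumptions for illustration. The matching semantics it reproduces are the ones in the generated config: field(1,:) and lower on the Host header, a regsub retry for wildcards, exact lookup before map_beg, and -m dom for rule IDs.

```python
"""Model of the map-based frontend generated by version 1.5.

Added example, not controller code: map files are constructed inline, the rule
IDs are those of the frontend above, and the wildcard host entry and blacklist
contents are assumptions for illustration."""
import re

DEFAULT_BACKEND = "default-haproxy-kubernetes-ingress-default-backend-8080"

# host.map: Host header -> host key used in the path maps.
# ".k8s.local" is a hypothetical wildcard entry reached via the regsub lookup.
HOST_MAP = {
    "echo.k8s.local": "echo.k8s.local",
    "echo-2.k8s.local": "echo-2.k8s.local",
    ".k8s.local": "wild.k8s.local",
}
# path-exact.map and path-prefix.map: "host/path" -> "backend.ruleID.ruleID..."
PATH_EXACT_MAP = {
    "echo-2.k8s.local/": "echo-echo-2-http-echo-8080.4205828474.2786470064",
}
PATH_PREFIX_MAP = {
    "echo.k8s.local/echo-2": "echo-echo-2-http-echo-8080.4205828474.2786470064",
    "echo.k8s.local/echo-3": "echo-echo-3-http-echo-8080",
    "wild.k8s.local/": "echo-echo-1-http-echo-8443.819381936",
}
RULE_DENY, RULE_CAP_REFERER, RULE_CAP_UA = "819381936", "4205828474", "2786470064"
BLACKLIST = {"203.0.113.7"}   # constructed contents of the blacklist map


def lookup_host(host_header):
    """req.hdr(Host),field(1,:),lower,map(host.map), then a retry with the first
    label removed (regsub(^[^.]*,,)) so wildcard hosts can match."""
    host = host_header.split(":", 1)[0].lower()
    if host in HOST_MAP:
        return HOST_MAP[host]
    return HOST_MAP.get(re.sub(r"^[^.]*", "", host))


def lookup_match(host_key, path):
    """concat(host, path) looked up in path-exact.map, then path-prefix.map.
    HAProxy resolves map_beg through a prefix tree that returns the longest match."""
    key = host_key + path
    if key in PATH_EXACT_MAP:
        return PATH_EXACT_MAP[key]
    for prefix in sorted(PATH_PREFIX_MAP, key=len, reverse=True):
        if key.startswith(prefix):
            return PATH_PREFIX_MAP[prefix]
    return None


def has_rule(match_value, rule_id):
    """'-m dom': the ID must be a whole dot-separated component, so rule 1234
    does not match an ID 12345 or a backend name containing those digits."""
    return rule_id in match_value.split(".")


def route(host_header, path, src):
    """Return ('deny', 403) or ('backend', name, [captured headers])."""
    host_key = lookup_host(host_header)
    match = lookup_match(host_key, path) if host_key else None
    if match is None:
        # use_backend with an unknown name falls through to default_backend
        return ("backend", DEFAULT_BACKEND, [])
    if has_rule(match, RULE_DENY) and src in BLACKLIST:
        return ("deny", 403)
    captures = [name for rule, name in ((RULE_CAP_REFERER, "Referer"),
                                        (RULE_CAP_UA, "User-Agent"))
                if has_rule(match, rule)]
    return ("backend", match.split(".", 1)[0], captures)   # field(1,.)


if __name__ == "__main__":
    print(route("echo.k8s.local", "/echo-2/health", "198.51.100.1"))
    print(route("api.k8s.local", "/v1", "203.0.113.7"))
```

Two details are worth noticing when reading the real maps: the Host header is normalised (port stripped, lower-cased) before the lookup, so a rule written for Echo.K8s.Local still matches, and because rule IDs are matched with -m dom rather than as substrings, a backend whose name happens to contain a rule's digits cannot be mistaken for that rule.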
HAProxy Kubernetes Ingress Controller 1.5 adds external mode, mutual TLS towards backends, Basic authentication, custom error pages and map-based routing, and moves to HAProxy 2.3. Next on the roadmap is support for Kubernetes Custom Resource Definitions. Stay tuned!