HAProxy Kubernetes Ingress Controller 1.5 Announcement

The translation of the article was prepared as part of the course "Infrastructure platform based on Kubernetes" . If you are interested in learning more about the course, come to the open day online.

1.5 HAProxy Kubernetes Ingress Controller. HAProxy , . TLS- - , Basic . , HAProxy, HAProxy 2.3.

- Kubernetes, . . .

, GitHub, Slack.

Kubernetes:

, Kubernetes, (Service abstraction).

- Kubernetes. kube-proxy , , . Kubernetes, - . - HAProxy , .

, Kubernetes, Kubernetes. Kubernetes, HAProxy , (, Keepalived).

- Kubernetes , , CI/CD .., , . , :

  • HAProxy Kubernetes Ingress Controller;
  • HAProxy;
  • Kubeconfig Kubernetes;
  • , HAProxy .

- , <node-ip> - IP- , , HAProxy:

$ ip route add <pod-network> via <node-ip>

- Kubernetes, :

$ ./kubernetes-ingress -e \
    --configmap=default/haproxy-kubernetes-ingress \
    --program=/usr/bin/haproxy \
    --disable-ipv6 \
    --ipv4-bind-address=10.0.3.100 \
    --http-bind-port=8080 \
    --https-bind-port=8443

.

TLS

TLS (mTLS) - -, . TLS — , , , TLS, , . , TLS, , , TLS (Certificate Authority) (CA); , . , , . - -.

server-ca

server-crt

, Ingress, Service ConfigMap , . server-ca

Kubernetes, CA, TLS- -. server-crt

Kubernetes, , - .

, (Service):

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/server-ca: "default/server-tls-secret"
    haproxy.org/server-crt: "default/client-tls-secret"
# ... other service settings...

, server-ssl, TLS- .

- , . , API, . , .

1.5 HTTP-. , . , auth-type

basic-auth

ConfigMap Ingress. auth-secret, Kubernetes, username: encrypted base-64 encoded password.

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    haproxy.org/ssl-redirect: "true"
    haproxy.org/ssl-redirect-code: "301"
    haproxy.org/ssl-certificate: "default/tls-secret"
    haproxy.org/auth-type: basic-auth
    haproxy.org/auth-secret: "default/logins"
# ... other ingress settings...

, , TLS .

- , , . HAProxy, haproxy.cfg, Kubernetes Ingress, Service ConfigMap kubectl. . . , SSL HTTP HTTPS, Ingress:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    haproxy.org/ssl-redirect: "true"
    haproxy.org/ssl-redirect-code: "301"
    haproxy.org/ssl-certificate: "default/tls-secret"
# ... other ingress settings...

. , HAProxy, HAProxy Kubernetes Ingress Controller. . , , ssl-certificate

, , .

HAProxy . - HAProxy , , . global-config-snippet

ConfigMap -, HAProxy, , .

: ssl-default-bind-options

, ssl-default-bind-ciphers

, tune.ssl.default-dh-param

tune.bufsize

, :

apiVersion: v1
kind: ConfigMap
metadata:
  name: haproxy-kubernetes-ingress
  namespace: default
data:
  global-config-snippet: |
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    tune.ssl.default-dh-param 2048
    tune.bufsize 32768

HAProxy. , . - , Kubernetes , . backend-config-snippet , :

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/backend-config-snippet: |
      stick-table type binary size 1000 store http_req_rate(5s)
      http-request track-sc0 url32+src
      http-request deny if {  url32+src,table_http_req_rate() gt 50 }
# ... other service settings...

stick-table

, IP- URL, . URL http-request track-sc0

http-request deny

. HAProxy. - rate-limit-requests

IP-, , , URL.

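As an added illustration, not code from the article or from the ingress controller, the following Python model reproduces what the three lines of the backend-config-snippet above do: a stick table keyed by url32+src, the track-sc0 counter, and the deny rule that fires once the rate exceeds 50 requests per 5 s. It models HAProxy's two-bucket frequency counter behind http_req_rate(5s); the CRC32 key, the request records and the eviction policy are constructed stand-ins and are marked as such in the code.

```python
"""Model of the rate limit configured by the backend-config-snippet above.

Added example, not the ingress controller's code. It reproduces how HAProxy's
stick-table counter http_req_rate(5s) estimates a request rate and how the
`http-request deny if { ... gt 50 }` rule acts on that estimate.
"""
import zlib
from typing import Dict, List, Tuple

PERIOD = 5.0   # http_req_rate(5s)
LIMIT = 50     # ... table_http_req_rate() gt 50


def url32_src(url: str, src: str) -> int:
    """Stand-in for HAProxy's `url32+src` key: one 32-bit value per (URL, client).
    Assumption: HAProxy uses its own hash; CRC32 only gives a key of the same
    shape (stick-table type binary)."""
    return zlib.crc32(f"{url}|{src}".encode())


class StickTable:
    """Minimal model of `stick-table type binary size 1000 store http_req_rate(5s)`.

    Each entry holds HAProxy's two-bucket frequency counter: the hit count of the
    current period, the count of the previous period, and the start of the
    current period."""

    def __init__(self, size: int = 1000, period: float = PERIOD) -> None:
        self.size = size
        self.period = period
        self.entries: Dict[int, List[float]] = {}  # key -> [period_start, curr, prev]

    def _rotate(self, entry: List[float], now: float) -> None:
        """Advance the entry to the period containing `now`, shifting counters."""
        elapsed = now - entry[0]
        if elapsed < self.period:
            return
        periods = int(elapsed // self.period)
        # One boundary crossed: the current count becomes the previous one.
        # Several crossed: the previous period saw no traffic at all.
        entry[2] = entry[1] if periods == 1 else 0
        entry[1] = 0
        entry[0] += periods * self.period

    def track(self, key: int, now: float) -> None:
        """`http-request track-sc0 url32+src`: count one request for this key."""
        entry = self.entries.get(key)
        if entry is None:
            if len(self.entries) >= self.size:
                # Table full: evict the entry whose period started longest ago
                # (constructed approximation of HAProxy expiring idle entries).
                oldest = min(self.entries, key=lambda k: self.entries[k][0])
                del self.entries[oldest]
            entry = self.entries[key] = [now, 0, 0]
        self._rotate(entry, now)
        entry[1] += 1

    def http_req_rate(self, key: int, now: float) -> float:
        """Estimated requests per period: the current count plus the share of the
        previous period that still falls inside a sliding 5 s window."""
        entry = self.entries.get(key)
        if entry is None:
            return 0.0
        self._rotate(entry, now)
        age = now - entry[0]
        return entry[1] + entry[2] * (self.period - age) / self.period


def simulate(requests: List[Tuple[float, str, str]]) -> Tuple[int, int]:
    """Run (timestamp, client_ip, url) records through the snippet's rules and
    return (allowed, denied)."""
    table = StickTable()
    allowed = denied = 0
    for now, src, url in requests:
        key = url32_src(url, src)
        table.track(key, now)                        # http-request track-sc0
        if table.http_req_rate(key, now) > LIMIT:    # http-request deny if ... gt 50
            denied += 1
        else:
            allowed += 1
    return allowed, denied


# Constructed traffic: one client hits /login 60 times within a second, a second
# client sends 20 requests to the same URL, a third touches 60 different URLs once.
BURST = [(i / 100, "198.51.100.7", "/login") for i in range(60)]
STEADY = [(i / 100, "198.51.100.8", "/login") for i in range(20)]
SPREAD = [(i / 100, "198.51.100.9", f"/page/{i}") for i in range(60)]

if __name__ == "__main__":
    print(simulate(BURST))    # (50, 10): requests 51..60 exceed the limit
    print(simulate(STEADY))   # (20, 0)
    print(simulate(SPREAD))   # (60, 0): the key is per URL and per client
```

Run stand-alone it prints the three (allowed, denied) pairs. Two properties of the snippet are visible in the model: the counter is keyed per URL and per client, so a client spreading requests across many URLs is never throttled by this rule, and the estimate decays linearly over the following 5 s period instead of dropping to zero at the boundary.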

Ingress, , ingress. ConfigMap

-, . , .

HAProxy . , - . , .

HAProxy HTTP . , 403 Forbidden, http-request deny. 503 Service Unavailable, . --configmap-errorfile

HTTP.

ConfigMap

, HTML, :

apiVersion: v1
kind: ConfigMap
metadata:
  name: customerrors
  namespace: default
data:
  "503": |-
    HTTP/1.0 503 Service Unavailable
    Cache-Control: no-cache
    Connection: close
    Content-Type: text/html

    <html><body><h1>Oops, that's embarrassing!</h1>
    <p>There are no servers available to handle your request.</p>
    </body></html>

--configmap-errorfile

ConfigMap

-:

args:
  - --configmap-errorfile=default/customerrors

, , :

src-ip-header

IP- HTTP-, L3-. , - , IP . , IP- ( , , ).

send-proxy-protocol

PROXY -.

request-redirect

HTTP- , HTTP Location. request-redirect-code

.

rate-limit-status-code

, .

ssl-redirect-port

HTTPS.

cors-enable

CORS Ingress-.

cors-allow-origin

Access-Control-Allow-Origin, , .

cors-allow-methods

Access-Control-Allow-Methods, HTTP, .

cors-allow-credentials

Access-Control-Allow-Credentials, , .

cors-allow-headers

Access-Control-Allow-Headers, , HTTP- .

cors-max-age

Access-Control-Allow-Age, , preflight-.

-. , HAProxy Map, , .

, . . use_backend

- ACL, http-request deny

http-request capture

:

frontend http
  mode http
  bind 0.0.0.0:80 name bind_1
  bind :::80 v4v6 name bind_2
  http-request set-var(txn.host) req.hdr(Host),field(1,:),lower
  http-request set-var(txn.path) path
  http-request set-var(txn.base) base
  http-request deny deny_status 403 if { var(txn.host),concat(,txn.path) -m beg -f /etc/haproxy/maps/16510262515213450.lst } { src -f /etc/haproxy/maps/7895261178644353572.lst } or { var(txn.host) -f /etc/haproxy/maps/16510262515213450.lst } { src -f /etc/haproxy/maps/7895261178644353572.lst } or { var(txn.path) -m beg -f /etc/haproxy/maps/16510262515213450.lst } { src -f /etc/haproxy/maps/7895261178644353572.lst }
  http-request capture "hdr(Referer)" len 128 if { var(txn.host),concat(,txn.path) -m beg -f /etc/haproxy/maps/18288779858306557702.lst } or { var(txn.host) -f /etc/haproxy/maps/18288779858306557702.lst } or { var(txn.path) -m beg -f /etc/haproxy/maps/18288779858306557702.lst }
  http-request capture "hdr(User-Agent)" len 128 if { var(txn.host),concat(,txn.path) -m beg -f /etc/haproxy/maps/15330672981640189476.lst } or { var(txn.host) -f /etc/haproxy/maps/15330672981640189476.lst } or { var(txn.path) -m beg -f /etc/haproxy/maps/15330672981640189476.lst }
  use_backend echo-echo-3-http-echo-8080 if { var(txn.host) echo.k8s.local } { var(txn.path) -m beg /echo-3 }
  use_backend echo-echo-2-http-echo-8080 if { var(txn.host) echo.k8s.local } { var(txn.path) -m beg /echo-2 }
  use_backend echo-echo-3-http-echo-8080 if { var(txn.host) echo-3.k8s.local }
  use_backend echo-echo-2-http-echo-8080 if { var(txn.host) echo-2.k8s.local }
  use_backend echo-echo-1-http-echo-8443 if { var(txn.host) echo-1.k8s.local }
  use_backend echo-echo-3-http-echo-8080 if { var(txn.path) -m beg /echo-3 }
  use_backend echo-echo-2-http-echo-8080 if { var(txn.path) -m beg /echo-2 }
  default_backend default-haproxy-1-4-kubernetes-ingress-default-backend-8080

1.5 :

frontend http
  mode http
  bind 0.0.0.0:80 name bind_1
  bind :::80 name bind_2 v4v6
  http-request set-var(txn.base) base
  http-request set-var(txn.path) path
  http-request set-var(txn.host) req.hdr(Host),field(1,:),lower,map(/etc/haproxy/maps/host.map)
  http-request set-var(txn.host) req.hdr(Host),field(1,:),regsub(^[^.]*,,),lower,map(/etc/haproxy/maps/host.map,'') if !{ var(txn.host) -m found }
  http-request set-var(txn.match) var(txn.host),concat(,txn.path,),map(/etc/haproxy/maps/path-exact.map)
  http-request set-var(txn.match) var(txn.host),concat(,txn.path,),map_beg(/etc/haproxy/maps/path-prefix.map) if !{ var(txn.match) -m found }
  http-request deny deny_status 403 if { var(txn.match) -m dom 819381936 } { src -f /etc/haproxy/maps/blacklist-2602162148.map }
  http-request capture "hdr(Referer)" len 128 if { var(txn.match) -m dom 4205828474 }
  http-request capture "hdr(User-Agent)" len 128 if { var(txn.match) -m dom 2786470064 }
  use_backend %[var(txn.match),field(1,.)]
  default_backend default-haproxy-kubernetes-ingress-default-backend-8080

use_backend

http-request

HAProxy Map, . HAProxy Map , .

:

  • Host map, Host.
  • , , , Host.
  • "host/path", .
  • , , "" .
  • - , :

BackendName.ruleID1.ruleID2.ruleID3

HAProxy.

:

echo.k8s.local/echo-2 echo-echo-2-http-echo-8080.4205828474.278647006

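The resolution that the 1.5 frontend above performs can be followed step by step in the Python model below. It is an added example, not the controller's code: it mirrors each http-request line (Host lookup in host.map with the regsub wildcard retry, the "host/path" key looked up in path-exact.map and then path-prefix.map, the backend taken with field(1,.) and every further field tested as a rule id with -m dom). The map contents are constructed: the echo.k8s.local/echo-2 entry follows the article's sample, while the other entries, the rule ids reused from the frontend, the blacklist network and the longest-prefix choice for map_beg are assumptions noted in the code.

```python
"""Model of the map-based routing in the 1.5 frontend shown above.

Added example, not the ingress controller's code. Map contents are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed map files. The echo.k8s.local/echo-2 line follows the entry quoted
# in the article; the other entries and the reuse of the frontend's rule ids are
# assumptions made for illustration.
HOST_MAP: Dict[str, str] = {
    "echo.k8s.local": "echo.k8s.local",
    "echo-2.k8s.local": "echo-2.k8s.local",
}
PATH_EXACT: Dict[str, str] = {
    "echo.k8s.local/status": "echo-echo-2-http-echo-8080.2786470064",
}
PATH_PREFIX: Dict[str, str] = {
    "echo.k8s.local/echo-2": "echo-echo-2-http-echo-8080.4205828474.2786470064",
    "echo.k8s.local/echo-3": "echo-echo-3-http-echo-8080.819381936",
    "/echo-2": "echo-echo-2-http-echo-8080",   # host-less rule: any Host, path prefix only
    "/echo-3": "echo-echo-3-http-echo-8080",
}
DENY_RULE = "819381936"                                 # http-request deny ... -m dom 819381936
BLACKLIST = [ipaddress.ip_network("203.0.113.0/24")]   # constructed blacklist-2602162148.map
CAPTURE_RULES = {"4205828474": "Referer", "2786470064": "User-Agent"}
DEFAULT_BACKEND = "default-haproxy-kubernetes-ingress-default-backend-8080"


@dataclass
class Decision:
    backend: str
    denied: bool = False
    captures: List[str] = field(default_factory=list)


def resolve_host(host_header: str, host_map: Dict[str, str]) -> str:
    """req.hdr(Host),field(1,:),lower,map(host.map); if not found, retry with
    regsub(^[^.]*,,), which drops the first label (wildcard hosts), default ''."""
    host = host_header.split(":", 1)[0].lower()
    if host in host_map:
        return host_map[host]
    return host_map.get(re.sub(r"^[^.]*", "", host), "")


def resolve_match(host: str, path: str,
                  exact: Dict[str, str], prefix: Dict[str, str]) -> Optional[str]:
    """var(txn.host),concat(,txn.path,) looked up with map() and then map_beg()."""
    key = host + path
    if key in exact:
        return exact[key]
    # map_beg: an entry matches when it is a prefix of the key. Assumption: the
    # longest prefix wins. HAProxy itself returns the first matching entry in
    # file order, so the file must be sorted longest-first for both to agree.
    hits = [k for k in prefix if key.startswith(k)]
    return prefix[max(hits, key=len)] if hits else None


def backend_of(match: str) -> str:
    """use_backend %[var(txn.match),field(1,.)]"""
    return match.split(".")[0]


def rule_applies(match: str, rule_id: str) -> bool:
    """`-m dom <id>`: the id must appear as a whole dot-delimited field."""
    return rule_id in match.split(".")


def src_blacklisted(src: str) -> bool:
    """`src -f <blacklist map>`"""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BLACKLIST)


def route(host_header: str, path: str, src: str) -> Decision:
    """Evaluate the frontend's rules for one request."""
    host = resolve_host(host_header, HOST_MAP)
    match = resolve_match(host, path, PATH_EXACT, PATH_PREFIX)
    if match is None:
        return Decision(DEFAULT_BACKEND)
    denied = rule_applies(match, DENY_RULE) and src_blacklisted(src)
    captures = [hdr for rid, hdr in CAPTURE_RULES.items() if rule_applies(match, rid)]
    return Decision(backend_of(match), denied, captures)


if __name__ == "__main__":
    print(route("echo.k8s.local", "/echo-2/api", "198.51.100.7"))
    print(route("echo.k8s.local:80", "/echo-3", "203.0.113.9"))  # deny rule + blacklisted src
    print(route("other.k8s.local", "/echo-3", "203.0.113.9"))    # host-less rule, no deny rule
```

The single map lookup replaces the per-rule ACL chain of the 1.4 frontend: the value carries both the backend and the ids of every rule that applies to that host/path, so adding an Ingress rule changes a map entry rather than the number of http-request lines. The third call shows the consequence of a host-less rule: a request for an unknown Host still reaches the echo-3 backend, and the deny rule tied to the echo.k8s.local entry does not apply to it.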

, (, , / HAProxy ..) .

, : - .

, :

HAProxy Kubernetes Ingress Controller 1.5 , , , Kubernetes. HAProxy Kubernetes Custom Resource Definitions. !

? ! Twitter Slack.