New to Voyager? Please start here.
Configuration Volumes
You might want to provide additional files to the haproxy container and use them in the haproxy configuration. For example, specifying a CA file for verifying backend server. Using voyager, you can mount additional files from secrets/configmaps by configuring spec.configVolumes
.
Note that, when spec.configVolumes
is used, operator will skip the validation for generated haproxy configuration.
Example: Backend Server Verification
First create demo namespace for this example.
$ kubectl create namespace demo
namespace/demo created
Deploy Test Server
Deploy a TLS enabled test server.
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
run: test-server
name: test-server
namespace: demo
spec:
selector:
matchLabels:
run: test-server
template:
metadata:
labels:
run: test-server
spec:
containers:
- image: appscode/test-server:2.3
name: test-server
args:
- --ca
imagePullPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
labels:
run: test-server
name: test-server
namespace: demo
annotations:
ingress.appscode.com/backend-tls: ssl ca-file /tmp/ca/ca.pem
spec:
ports:
- port: 6443
targetPort: 6443
name: https
selector:
run: test-server
Here, using ingress.appscode.com/backend-tls
annotation we have specified the path of CA file. HAProxy will use this CA file to verify the backend server. So, we need to provide the CA file inside the haproxy-container in path /tmp/ca/ca.pem
.
Create Secret
If you use your own backend server, you might already have the CA file. Run following commands to get the CA file of the test-server used in this example.
$ kubectl get pods -n demo -l run=test-server
NAME READY STATUS RESTARTS AGE
test-server-64855d98cc-7bfpr 1/1 Running 0 74s
$ kubectl exec -it -n demo test-server-64855d98cc-7bfpr cat cert.pem > ca.pem
Now, create a secret using the CA file.
$ kubectl create secret generic ca-secret -n demo --from-file=ca.pem
secret/ca-secret created
Create Ingress
Create the ingress and specify the secret in spec.configVolumes
.
apiVersion: voyager.appscode.com/v1
kind: Ingress
metadata:
name: test-ingress
namespace: demo
spec:
configVolumes:
- name: ca-vol
secret:
secretName: ca-secret
mountPath: /tmp/ca
rules:
- host: "ssl.appscode.test"
http:
paths:
- path: /apis
backend:
service:
name: test-server
port:
number: 6443
Generated haproxy.cfg
# HAProxy configuration generated by https://github.com/appscode/voyager
# DO NOT EDIT!
global
daemon
stats socket /var/run/haproxy.sock level admin expose-fd listeners
server-state-file global
server-state-base /var/state/haproxy/
# log using a syslog socket
log /dev/log local0 info
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
lua-load /etc/auth-request.lua
hard-stop-after 30s
defaults
log global
# https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20abortonclose
# https://github.com/voyagermesh/voyager/pull/403
option dontlognull
option http-server-close
# Timeout values
timeout client 50s
timeout client-fin 50s
timeout connect 5s
timeout server 50s
timeout tunnel 50s
# Configure error files
# default traffic mode is http
# mode is overwritten in case of tcp services
mode http
frontend http-0_0_0_0-80
bind *:80
mode http
option httplog
option forwardfor
acl is_proxy_https hdr(X-Forwarded-Proto) https
acl is_proxy_https ssl_fc
http-request set-var(req.scheme) str(https) if is_proxy_https
http-request set-var(req.scheme) str(http) if ! is_proxy_https
acl acl_ssl.appscode.test hdr(host) -i ssl.appscode.test
acl acl_ssl.appscode.test hdr(host) -i ssl.appscode.test:80
acl acl_ssl.appscode.test:apis path_beg /apis
use_backend test-server.demo:6443 if acl_ssl.appscode.test acl_ssl.appscode.test:apis
backend test-server.demo:6443
server pod-test-server-64855d98cc-7bfpr 172.17.0.5:6443 ssl ca-file /tmp/ca/ca.pem
Check Response
$ minikube service --url voyager-test-ingress -n demo
http://192.168.99.100:32598
$ curl -H "Host: ssl.appscode.test" 'http://192.168.99.100:32598/apis'
{"type":"http","host":"ssl.appscode.test","serverPort":":6443","path":"/apis","method":"GET","headers":{"Accept":["*/*"],"Connection":["close"],"User-Agent":["curl/7.58.0"],"X-Forwarded-For":["172.17.0.1"]}}
Note that, in this example, curl
connects with HAProxy in no-tls mode, but HAProxy connects with backend server in tls mode.
Cleanup
$ kubectl delete ns demo
namespace "demo" deleted