oktalz MAJOR: endpoints: fix num of servers
fix issues with improper number of backend servers.
server-increment was not respected properly.
Latest commit e1a53cc Jul 11, 2019


HAProxy

HAProxy kubernetes ingress controller

Options for starting the controller can be found in controller.md

Available annotations

ℹ️ Ingress and service annotations can have ingress.kubernetes.io, haproxy.org and haproxy.com prefixes

Example: haproxy.com/ssl-redirect and haproxy.org/ssl-redirect are the same annotation

| Annotation | Type | Default | Dependencies | Config map | Ingress | Service |
|---|---|---|---|---|---|---|
| check | ["enabled"] | "enabled" | | 🔵 | 🔵 | 🔵 |
| check-interval | time | | check | 🔵 | 🔵 | 🔵 |
| forwarded-for | ["enabled", "disabled"] | "enabled" | | 🔵 | 🔵 | 🔵 |
| ingress.class | string | "" | | ⚪️ | 🔵 | ⚪️ |
| load-balance | string | "roundrobin" | | 🔵 | 🔵 | 🔵 |
| maxconn | number | | | 🔵 | ⚪️ | ⚪️ |
| nbthread | number | | | 🔵 | ⚪️ | ⚪️ |
| pod-maxconn | number | | | ⚪️ | ⚪️ | 🔵 |
| rate-limit | "ON"/"OFF" | "OFF" | | 🔵 | ⚪️ | ⚪️ |
| rate-limit-expire | string | "30m" | rate-limit | 🔵 | ⚪️ | ⚪️ |
| rate-limit-interval | string | "10s" | rate-limit | 🔵 | ⚪️ | ⚪️ |
| rate-limit-size | string | "100k" | rate-limit | 🔵 | ⚪️ | ⚪️ |
| servers-increment | number | "42" | | 🔵 | ⚪️ | ⚪️ |
| ssl-certificate | string | | | 🔵 | ⚪️ | ⚪️ |
| ssl-redirect | "ON"/"OFF" | "ON" | tls-secret | 🔵 | ⚪️ | ⚪️ |
| ssl-redirect-code | [301, 302, 303] | "302" | tls-secret | 🔵 | ⚪️ | ⚪️ |
| timeout-http-request | time | "5s" | | 🔵 | ⚪️ | ⚪️ |
| timeout-connect | time | "5s" | | 🔵 | ⚪️ | ⚪️ |
| timeout-client | time | "50s" | | 🔵 | ⚪️ | ⚪️ |
| timeout-queue | time | "5s" | | 🔵 | ⚪️ | ⚪️ |
| timeout-server | time | "50s" | | 🔵 | ⚪️ | ⚪️ |
| timeout-tunnel | time | "1h" | | 🔵 | ⚪️ | ⚪️ |
| timeout-http-keep-alive | time | "1m" | | 🔵 | ⚪️ | ⚪️ |
| whitelist | IPs or CIDRs | "" | | 🔵 | 🔵 | 🔵 |
| whitelist-with-rate-limit | "ON"/"OFF" | "OFF" | | 🔵 | 🔵 | 🔵 |

ℹ️ Annotations have hierarchy: default <- Configmap <- Ingress <- Service

Service annotations have the highest priority. If an annotation is not defined at that level, the controller goes one level up until it finds a value.

This is useful if, for instance, we want to change the default behaviour globally but keep the default for some services.
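An added Go illustration (not the controller's own code) of the prefix equivalence and the default <- Configmap <- Ingress <- Service lookup described above; the defaults map and the sample annotation maps are constructed from the table, and the function also reports which level supplied the value, which is what you want to log when auditing why a backend ended up with a given setting:

```go
package main

import "fmt"

// The three prefixes the README lists as equivalent (constructed illustration,
// not the controller's own code).
var prefixes = []string{"ingress.kubernetes.io/", "haproxy.org/", "haproxy.com/"}

// Defaults for a few annotations, copied from the table above.
var defaults = map[string]string{
	"check":           "enabled",
	"load-balance":    "roundrobin",
	"timeout-connect": "5s",
	"whitelist":       "",
}

// lookup finds `name` in one annotation map under any accepted prefix.
func lookup(ann map[string]string, name string) (string, bool) {
	for _, p := range prefixes {
		if v, ok := ann[p+name]; ok {
			return v, true
		}
	}
	return "", false
}

// Resolve walks the hierarchy default <- Configmap <- Ingress <- Service:
// the Service value wins, then Ingress, then ConfigMap, then the built-in default.
func Resolve(name string, configMap, ingress, service map[string]string) (value, level string) {
	levels := []struct {
		name string
		ann  map[string]string
	}{{"service", service}, {"ingress", ingress}, {"configmap", configMap}}
	for _, l := range levels {
		if v, ok := lookup(l.ann, name); ok {
			return v, l.name
		}
	}
	return defaults[name], "default"
}

func main() {
	// Constructed sample annotations, each level using a different accepted prefix.
	cm := map[string]string{"haproxy.org/load-balance": "leastconn", "haproxy.org/timeout-connect": "3s"}
	ing := map[string]string{"ingress.kubernetes.io/timeout-connect": "2s"}
	svc := map[string]string{"haproxy.com/load-balance": "source"}
	for _, n := range []string{"load-balance", "timeout-connect", "check"} {
		v, from := Resolve(n, cm, ing, svc)
		fmt.Printf("%-16s = %-12q (from %s)\n", n, v, from)
	}
}
```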

Options

Balance Algorithm

  • Annotation: load-balance
  • usage: haproxy.org/load-balance: <algorithm> [ <arguments> ]

Backend Checks

  • Annotation: check - enables health checks on backend pods
  • Annotation: check-interval - interval between checks [check must be "enabled"]

Ingress Class

  • Annotation: ingress.class
    • default: ""
    • used to watch only specific ingress objects in an environment with multiple controllers
    • any ingress object that has a class specified which differs from the one given in the controller's arguments will be ignored

Https

  • Annotation: ssl-redirect
    • by default this is activated if a TLS key is provided
    • redirects HTTP traffic to HTTPS
    • default ON, can be set to "OFF" to disable
  • Annotation: ssl-redirect-code
    • HTTP status code used for the redirect

Maximum Concurrent Connections

  • Annotation: maxconn

Maximum Concurrent Backend Connections

  • Annotation: pod-maxconn
  • related to backend servers (pods)

Number of threads

  • Annotation: nbthread
  • default value is the number of processors available

Rate limit

Keep in mind this setting is global and will be applied to all your traffic. The number of requests a client can make per rate-limit-interval is 10.

  • Annotation: rate-limit
    • ON / OFF - enable or disable rate limiting
  • Annotation: rate-limit-expire
    • table entries expire after rate-limit-expire of inactivity
  • Annotation: rate-limit-interval
    • the request rate is measured over the last rate-limit-interval
  • Annotation: rate-limit-size
    • number of IP entries the table can hold

Servers slots increment

  • Annotation: servers-increment - determines how many backend server slots are kept in maintenance mode so the controller can dynamically insert new pods without needing a reload

Timeouts

  • Annotation: timeout-http-request
  • Annotation: timeout-connect
  • Annotation: timeout-client
  • Annotation: timeout-queue
  • Annotation: timeout-server
  • Annotation: timeout-tunnel
  • Annotation: timeout-http-keep-alive

X-Forwarded-For

  • Annotation: forwarded-for
  • by default enabled, can be disabled per service or globally

Whitelist

  • Annotation: whitelist
  • by default disabled
  • IPs or CIDRs - comma or space separated list of IP addresses or CIDRs
  • ℹ️ service annotation will override ingress one that overrides config map annotation
  • Annotation: whitelist-with-rate-limit
    • apply rate-limiting, but exclude addresses from whitelist
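As an added example (not the controller's own code), a Go parser for the whitelist value described above plus a client-address membership check; it assumes the separator rules stated here and treats a malformed entry as an error, since the page does not say how the controller itself handles one:

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ParseWhitelist parses the annotation value: IPs or CIDRs separated by commas or
// spaces. Bare IPs become /32 or /128 host routes so one matcher covers both forms.
// A malformed entry is an error, not silently skipped (assumption, see lead-in).
func ParseWhitelist(value string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, f := range strings.FieldsFunc(value, func(r rune) bool { return r == ',' || r == ' ' }) {
		if _, n, err := net.ParseCIDR(f); err == nil {
			nets = append(nets, n)
			continue
		}
		ip := net.ParseIP(f)
		if ip == nil {
			return nil, fmt.Errorf("whitelist: invalid entry %q", f)
		}
		bits := 128
		if v4 := ip.To4(); v4 != nil {
			ip, bits = v4, 32
		}
		nets = append(nets, &net.IPNet{IP: ip, Mask: net.CIDRMask(bits, bits)})
	}
	return nets, nil
}

// Allowed reports whether a client address falls inside any whitelisted range.
func Allowed(nets []*net.IPNet, client string) bool {
	ip := net.ParseIP(client)
	for _, n := range nets {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed value mixing both separators and both address families.
	nets, _ := ParseWhitelist("10.0.0.0/8, 192.168.1.7 2001:db8::/32")
	for _, c := range []string{"10.20.30.40", "192.168.1.8", "2001:db8::1"} {
		fmt.Printf("%-12s allowed=%v\n", c, Allowed(nets, c))
	}
}
```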

Secrets

tls-secret

  • defined through pod arguments
    • --default-ssl-certificate=<namespace>/<secret>
  • or through the annotation ssl-certificate in the config map
    • <namespace>/<secret>
  • a single-certificate secret contains two items:
    • tls.key
    • tls.crt
  • a certificate secret with both RSA and ECDSA certificates contains:
    • ℹ️ providing only one of the two certificates is also an acceptable setup
    • rsa.key
    • rsa.crt
    • ecdsa.key
    • ecdsa.crt

Data types

Port

  • value in the range <0, 65535], i.e. 1 to 65535

Time

  • a number plus a unit suffix
  • the value is in milliseconds by default; an "s" suffix denotes seconds
  • example: "1s"