From e33dc37553fb7cdcb1347b4f2c087530d72bc3a8 Mon Sep 17 00:00:00 2001
From: Andrew McDermott
Date: Tue, 6 Feb 2024 14:10:01 +0000
Subject: [PATCH 1/3] container builds: switch to haproxy28 RPM package

Bump haproxy RPM package from haproxy26 to haproxy28.
---
 images/router/haproxy/Dockerfile | 2 +-
 images/router/haproxy/Dockerfile.rhel | 2 +-
 images/router/haproxy/Dockerfile.rhel8 | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/images/router/haproxy/Dockerfile b/images/router/haproxy/Dockerfile
index 88bc73126..c2dbcd29c 100644
--- a/images/router/haproxy/Dockerfile
+++ b/images/router/haproxy/Dockerfile
@@ -1,5 +1,5 @@
 FROM registry.svc.ci.openshift.org/openshift/origin-v4.0:base-router
-RUN INSTALL_PKGS="haproxy26 rsyslog sysvinit-tools" && \
+RUN INSTALL_PKGS="haproxy28 rsyslog sysvinit-tools" && \
 yum install -y $INSTALL_PKGS && \
 rpm -V $INSTALL_PKGS && \
 yum clean all && \
diff --git a/images/router/haproxy/Dockerfile.rhel b/images/router/haproxy/Dockerfile.rhel
index ee94b156f..98417c118 100644
--- a/images/router/haproxy/Dockerfile.rhel
+++ b/images/router/haproxy/Dockerfile.rhel
@@ -1,5 +1,5 @@
 FROM registry.svc.ci.openshift.org/ocp/4.0:base-router
-RUN INSTALL_PKGS="haproxy26 rsyslog sysvinit-tools" && \
+RUN INSTALL_PKGS="haproxy28 rsyslog sysvinit-tools" && \
 yum install -y $INSTALL_PKGS && \
 rpm -V $INSTALL_PKGS && \
 yum clean all && \
diff --git a/images/router/haproxy/Dockerfile.rhel8 b/images/router/haproxy/Dockerfile.rhel8
index 3da2ed12f..1695ee29d 100644
--- a/images/router/haproxy/Dockerfile.rhel8
+++ b/images/router/haproxy/Dockerfile.rhel8
@@ -1,5 +1,5 @@
 FROM registry.ci.openshift.org/ocp/4.16:haproxy-router-base
-RUN INSTALL_PKGS="haproxy26 rsyslog procps-ng util-linux" && \
+RUN INSTALL_PKGS="haproxy28 rsyslog procps-ng util-linux" && \
 yum install -y $INSTALL_PKGS && \
 rpm -V $INSTALL_PKGS && \
 yum clean all && \
From 5de9e85635115bb8976683cb60f9b1e6db5b6c25 Mon Sep 17 00:00:00 2001
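Review bot: `haproxy28` is installed without any version in the `RUN INSTALL_PKGS=` line of images/router/haproxy/Dockerfile, and the Dockerfile.rhel and Dockerfile.rhel8 hunks carry the same unpinned spec, so each image gets whatever 2.8.x the enabled repositories serve at build time and a silent package upgrade is indistinguishable from a rebuild. The `rpm -V $INSTALL_PKGS` on the following line only verifies installed files against the RPM database; it does not constrain which build was chosen. Pinning the NVR in all three files, e.g. `RUN INSTALL_PKGS="haproxy28-<pinned-nvr> rsyslog sysvinit-tools" && \`, keeps builds reproducible and makes the HAProxy version visible in review. The RUN instruction continues past the end of each hunk, and whether the `4.0:base-router` bases used by the first two Dockerfiles expose a haproxy28 package at all cannot be seen here and should be confirmed, since only Dockerfile.rhel8 was moved to the 4.16 haproxy-router-base.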
From: Andrew McDermott
Date: Tue, 6 Feb 2024 14:10:57 +0000
Subject: [PATCH 2/3] hack/Dockerfile.debug: Switch to transient HAProxy 2.8 RPM package

This change updates the debug RPM consumed in the hack/Dockerfile.debug to use the HAProxy 2.8 package, as the 'no-alpn' keyword is unavailable in HAProxy 2.6. Without this update, any usage of the debug container build would fail due to the missing support in HAProxy 2.6.
---
 hack/Dockerfile.debug | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hack/Dockerfile.debug b/hack/Dockerfile.debug
index 356eef79e..978dc2457 100644
--- a/hack/Dockerfile.debug
+++ b/hack/Dockerfile.debug
@@ -1,5 +1,5 @@
 FROM registry.access.redhat.com/ubi8/ubi
-RUN yum install -y https://github.com/frobware/haproxy-builds/raw/master/rhaos-4.14-rhel-8/haproxy26-2.6.13-2.rhaos4.14.el8.x86_64.rpm
+RUN yum install -y https://github.com/frobware/haproxy-builds/raw/master/rhaos-4.16-rhel-9/haproxy28-2.8.5-1.rhaos4.16.el9.x86_64.rpm
 RUN haproxy -vv
 RUN INSTALL_PKGS="rsyslog procps-ng util-linux socat" && \
 yum install -y $INSTALL_PKGS && \
From 6be0189d885b9749e50c6f74d11b8aead6393dbb Mon Sep 17 00:00:00 2001
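Review bot: The new `RUN yum install -y https://github.com/frobware/haproxy-builds/raw/master/rhaos-4.16-rhel-9/haproxy28-2.8.5-1.rhaos4.16.el9.x86_64.rpm` line pulls an el9 build onto the `ubi8/ubi` base that the preceding line keeps, whereas the RPM it replaces was an el8 build. Unless the package has no RHEL 9 specific library requirements, dependency resolution or the `RUN haproxy -vv` that follows is likely to fail on a RHEL 8 userland, so either the base should move to a ubi9 tag or the RPM to an el8 build of 2.8. The RPM is also fetched from a personal GitHub repository at the mutable `master` ref with no integrity check, so what ends up in the debug image can change without any change to this file. If this source is kept, pin the raw URL to a commit and verify the download before installing, for example `curl -fsSLo /tmp/haproxy28.rpm <raw-url-pinned-to-commit> && echo '<expected-sha256>  /tmp/haproxy28.rpm' | sha256sum -c - && yum install -y /tmp/haproxy28.rpm`.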
From: Andrew McDermott
Date: Wed, 10 Jan 2024 11:59:20 +0000
Subject: [PATCH 3/3] Disable ALPN by default on fe_sni and fe_no_sni TLS Listeners (HAProxy 2.8)

This commit is from: https://github.com/openshift/router/pull/554. We need this commit for the openshift/origin tests to pass. In response to HAProxy 2.8's default behaviour of implicitly enabling ALPN h2, this commit unconditionally introduces the 'no-alpn' directive for the 'fe_sni' and 'fe_no_sni' TLS listeners in the HAProxy template. This change is independent of the HTTP/2 status in the ingress controller. The HAProxy 2.8 release notes highlight this default shift: "HTTP/2 is now advertised by default in ALPN on TLS listeners. This marks a pivotal change, as HTTP/2 has been available for 5 years and enabled by default in clear text as an HTTP/1 upgrade for 4 years. However, some users were still unaware of how to enable it. Now, ALPN will default to 'h2,http/1.1' on TCP and 'h3' on QUIC, ensuring these protocol versions work by default. Adjustments to ALPN settings remain possible to enable or disable these protocols..." By implementing 'no-alpn', we maintain the existing behaviour of previous OpenShift / HAProxy releases, where ALPN negotiation is not the default. This approach facilitates controlled and deliberate ALPN enablement, especially for HTTP/2 support. Notably, ALPN h2 is still available and will be explicitly enabled for routes/backends specifying a custom certificate, as these will have corresponding ALPN entries in the `cert-config.map`. This ensures precise and context-specific application of ALPN configurations. [1] https://www.mail-archive.com/haproxy@formilux.org/msg43600.html
---
 images/router/haproxy/conf/haproxy-config.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/images/router/haproxy/conf/haproxy-config.template b/images/router/haproxy/conf/haproxy-config.template
index 797db3226..c722685b1 100644
--- a/images/router/haproxy/conf/haproxy-config.template
+++ b/images/router/haproxy/conf/haproxy-config.template @@ -330,6 +330,7 @@ frontend fe_sni {{- if $haveCRLs }} crl-file /var/lib/haproxy/mtls/latest/crls.pem {{ end }} {{- end }} {{- end }} + {{- "" }} no-alpn mode http {{- range $idx, $captureHeader := .CaptureHTTPRequestHeaders }} @@ -440,6 +441,7 @@ frontend fe_no_sni {{- if $haveCRLs }} crl-file /var/lib/haproxy/mtls/latest/crls.pem {{ end }} {{- end }} {{- end }} + {{- "" }} no-alpn mode http {{- range $idx, $captureHeader := .CaptureHTTPRequestHeaders }}
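Review bot: The added `{{- "" }} no-alpn` line in fe_sni, and the identical one in the fe_no_sni hunk below, make the template require HAProxy 2.8 or later without saying so: `no-alpn` is a 2.8 bind keyword (the series' second commit notes it is unavailable in 2.6), so a router image still carrying an older binary will reject the rendered config at startup. The `{{- "" }}` trim is what keeps ` no-alpn` appended to the preceding bind line rather than emitting a standalone directive, which is not obvious to a reader of the template. I would put a comment above each of the two lines, e.g. `{{- /* no-alpn is a HAProxy 2.8+ bind option; it suppresses the 2.8 default ALPN advertisement of h2,http/1.1 on this listener so HTTP/2 is offered only where a per-certificate entry sets alpn explicitly */}}`, which the left trim keeps out of the rendered output. Both frontend blocks begin before their hunks, and the description's claim that custom-certificate routes still get ALPN via cert-config.map cannot be checked from these hunks.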