Map files #1026

Open
@tumd

Description

What are you trying to do

We are pretty heavy users of map-files where we (for example) keep a list of allowed IP-numbers. These map-files are currently deployed using a special ConfigMap key that gets mounted as its own file.
This file is then used in various Ingress-annotations like this:

haproxy-ingress.github.io/config-backend: |
  http-request deny unless { src -f /etc/haproxy/custom-maps/trusted-ips.map }

This works well for the most part, but has a few shortcomings:

  1. Doesn't work on the Path-scope
  2. Requires a manually triggered reload of haproxy-ingress (mentioned here: Blacklisting IP's from file #509 (comment))
  3. Might be incompatible when running haproxy-ingress as non-root
  4. Might be incompatible when running in chroot

We are primarily affected by the first two points - even though (2) is more of an annoyance. I haven't verified if the last two are actually valid issues.

What HAProxy Ingress should do or how it should behave differently

The solution I would be looking for is really twofold and heavily inspired by what I read in the haproxytech docs:

First, haproxy-ingress would need to be aware of such custom map-files internally somehow. For example by a cmd-line argument naming the ConfigMap used for custom-maps (i.e. --configmap-custom-maps=$(POD_NAMESPACE)/custom-maps).

Then all relevant configuration keys that could benefit from reading their values from a map-file would get an alternative way to set their values to indicate that the value should come from a file.
For example, the above example using a map-file would look something like this:

apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-maps
  namespace: ingress-controller
data:
  trusted-ips: |
    127.0.0.1
    ::1
    10.0.0.0/8
haproxy-ingress.github.io/denylist-source-range: custom-maps/trusted-ips

The prefix of the value (in this example custom-maps/) decides if it should be parsed as a string or path to a maps-file.

This would ensure the annotation still supports the current syntax:

haproxy-ingress.github.io/denylist-source-range: "127.0.0.1, ::1, 10.0.0.0/8"
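The dual syntax proposed above, written out as a parser in Go. This is an added example, not HAProxy Ingress code: the `custom-maps/` prefix, the SourceRange type and the checks on the ConfigMap key are assumptions about how such a value could be validated so that a map reference can never point outside the mounted ConfigMap and a malformed inline entry is rejected rather than silently dropped.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// SourceRange: a custom-maps ConfigMap key (MapKey) or an inline list (CIDRs).
type SourceRange struct {
	MapKey string
	CIDRs  []*net.IPNet
}

// ParseSourceRange implements the proposed dual syntax (assumed, not the
// project's own): a value starting with mapPrefix (e.g. "custom-maps/") names
// a ConfigMap key; anything else is a comma-separated list of IPs/CIDRs. Bare
// IPs become /32 or /128 networks; any invalid entry rejects the whole value.
func ParseSourceRange(value, mapPrefix string) (*SourceRange, error) {
	value = strings.TrimSpace(value)
	if strings.HasPrefix(value, mapPrefix) {
		key := strings.TrimPrefix(value, mapPrefix)
		// exactly one ConfigMap key: no separators, no "." or ".." path tricks
		if key == "" || key == "." || key == ".." || strings.ContainsAny(key, "/\\") {
			return nil, fmt.Errorf("invalid map key %q", key)
		}
		return &SourceRange{MapKey: key}, nil
	}
	var nets []*net.IPNet
	for _, item := range strings.Split(value, ",") {
		item = strings.TrimSpace(item)
		if ip := net.ParseIP(item); ip != nil { // bare IP: make it a host network
			bits := "/32"
			if ip.To4() == nil {
				bits = "/128"
			}
			item += bits
		}
		_, n, err := net.ParseCIDR(item) // rejects empty and malformed entries
		if err != nil {
			return nil, fmt.Errorf("invalid entry %q: %w", item, err)
		}
		nets = append(nets, n)
	}
	return &SourceRange{CIDRs: nets}, nil
}

func main() {
	sr, err := ParseSourceRange("127.0.0.1, ::1, 10.0.0.0/8", "custom-maps/")
	fmt.Println(sr, err)
}
```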
