You can use Helm to install the HAProxy Kubernetes Ingress Controller into your Kubernetes cluster, making it easier to start routing traffic using the powerful HAProxy load balancer.
Learn more by registering for our webinar: “HAProxy Skills Lab: Introduction to Helm“
Want to supercharge your ingress routing with HAProxy? Download our free eBook now!
Helm is the Kubernetes package manager, resembling apt and yum, but born into the world of containers. It grew up alongside Kubernetes and was introduced early on, at the first KubeCon. Its job is to bundle up an application’s Kubernetes resources into a package, here called a chart, making it convenient to store, distribute, version, and upgrade those resources. That includes pods, services, config maps, roles, service accounts, and any other type available within the Kubernetes ecosystem. Helm charts let you calibrate their behavior during install, such as to toggle from a Deployment to a Daemonset simply by setting a parameter, which makes them perfect for delivering sophisticated services with lots of moving parts.
Recently, we added a Helm chart that you can use to install the HAProxy Kubernetes Ingress Controller, streamlining the install process and making it easier to get started routing external traffic into your cluster. Our ingress controller is built around HAProxy, the fastest and most widely used load balancer. Having that foundation means that there are plenty of powerful features that you get right away, while benefiting from HAProxy’s legendary performance.
It’s easier to set up Helm than it used to be. You no longer need to install Tiller, the component that had been responsible for executing API commands and storing state within your cluster. Helm version 3 removed Tiller and has been rearchitected to use built-in Kubernetes constructs instead. That has made Helm simpler to use. It also makes it more secure due to its tighter integration with the Kubernetes role-based access controls.
In this post, you’ll see how to install the HAProxy Kubernetes Ingress Controller using Helm, and how to customize its settings.
First, The Basics
Helm is now boringly simple to install. You need only to download the pre-built Helm binary and store it on your PATH. Unlike previous versions, there are no steps to install any server-side components, like Tiller, into your Kubernetes cluster prior to use. There are several good options to get a small Kubernetes cluster up and running, such as Minikube, MicroK8s and Kind.
Helm charts are stored in repositories. The main one is Helm Hub, which is hosted by the Helm project. However, you can add other, third-party repositories too. The HAProxy Kubernetes Ingress Controller is available by adding the HAProxy Technologies repository via the
helm repo add command, like this:
The next step is to refresh your list of charts by using the
helm repo update command.
Get an overview of available charts by invoking the helm search repo command:
This shows the latest version of a chart, but you can also see older versions by including the
versions argument. To install this chart, run
The install command takes two parameters. The first, which I’ve set to mycontroller, assigns a name to this release; The second identifies the chart that you want to install. Here’s how the Helm documentation defines a release:
A Release is an instance of a chart running in a Kubernetes cluster. One chart can be installed many times into the same cluster. And each time it is installed, a new release is created.
The concept of a release is what makes Helm a vital addition to Kubernetes, since it lets you manage the delivery cycle of an application in a more controlled, less error-prone, way. Compare this to editing Kubernetes YAML files by hand and you’ll no doubt appreciate the safety this offers. Having a repository of versioned releases gives you a way to handle upgrades and rollbacks with ease, since Helm can track which version is currently deployed into your environment and can access older and newer versions instantly.
helm list command to check which releases are deployed in your cluster:
Once a new version of the chart has been published to the repository, you can get it by refreshing your list with
helm repo update and then invoking
Uninstall the chart with the
helm uninstall command:
The Helm chart deploys the HAProxy Kubernetes Ingress Controller with default settings, but you can override them. For example, it adds a self-signed TLS certificate and configures TLS encryption, enabling a redirect from http:// to https://. You can disable the redirect by changing the value of the ssl-redirect key when you run the install command. Add a set-string argument, like this:
Turning off the redirect is useful when you want to access your services without TLS. Alternatively, if you want to configure the controller for production use, follow these steps to enable TLS termination with your own certificate:
- Create an SSL certificate.
- Store its private key in one PEM-formatted file and its public certificate in another (e.g. mycert.key and mycert.crt).
- Add the files to your Kubernetes cluster by defining a TLS secret:
- Pass the name of the secret to Helm when you install the chart:
Deployment or Daemonset
Two of the most popular ways to launch an application in Kubernetes are to use a Deployment or a Daemonset. The former creates a certain number of pods and distributes them throughout the cluster; The latter creates one pod on each server node.
The default mode for the HAProxy Kubernetes Ingress Controller is to use a Deployment with two replicas; When you take into account the huge amount of requests that HAProxy can handle, that is usually sufficient for routing traffic. However, a Daemonset works well for small clusters where having an instance of the controller running on every node has its advantages, such as being able to expose the service over well known TCP ports instead of mapping them to unique NodePorts.
In the following example, the controller is installed as a Daemonset so that you can access your services directly over well-known ports.
Note that the case matters, so be sure to spell it DaemonSet. The useHostPort parameter tells it to forward ports 80 and 443 on the host so that you can access your services directly over those ports. Otherwise, it will map them to unique NodePorts, the same as a Deployment.
You may also want to configure the controller to forward its traffic logs to standard out on the container, which can be done by setting the syslog-server field during the installation.
You can also forward logs to a remote Syslog server. Note that you must escape commas that appear in the value by prefixing them with a backslash.
Any of the options listed in the controller’s documentation can be set in this way. When you have many keys to set, you can store them in a YAML file and then pass the name of the file to the
helm install command. For example, suppose you created the following file and named it overrides.yaml:
You would reference this file by using the values flag, as shown:
This approach allows you to save the file in version control and makes the helm install command more concise and the process more repeatable. Now that you’ve learned how to use Helm, you are assured an error-proof deployment of the HAProxy Kubernetes Ingress Controller!
In this blog post, we introduced the Helm chart for the HAProxy Kubernetes Ingress Controller, making it easier to begin routing traffic into your cluster using the powerful HAProxy load balancer. Helm facilitates deploying software by providing streamlined package management. You can use it to plan for, install, and upgrade the controller, which you can further customize with features like SSL termination and log forwarding.
The Enterprise version of the ingress controller combines HAProxy, the world’s fastest and most widely used open-source software load balancer, with enterprise-class features, including the HAProxy Enterprise WAF, and premium support. Contact us to learn more about it and sign up for a free trial. If you enjoyed this post and want to see more like it, subscribe to our blog! You can also follow us on Twitter and join the conversation on Slack.