Use Helm to Install the HAProxy Kubernetes Ingress Controller

You can use Helm to install the HAProxy Kubernetes Ingress Controller into your Kubernetes cluster, making it easier to start routing traffic using the powerful HAProxy load balancer.

Helm is the Kubernetes package manager, resembling apt and yum, but born into the world of containers. It grew up alongside Kubernetes and was introduced early on, at the first KubeCon. Its job is to bundle up an application’s Kubernetes resources into a package, here called a chart, making it convenient to store, distribute, version, and upgrade those resources. That includes pods, services, config maps, roles, service accounts, and any other type available within the Kubernetes ecosystem. Helm charts let you calibrate their behavior during installation, such as to toggle from a Deployment to a Daemonset simply by setting a parameter, which makes them perfect for delivering sophisticated services with lots of moving parts.

Recently, we added a Helm chart that you can use to install the HAProxy Kubernetes Ingress Controller, streamlining the install process and making it easier to get started routing external traffic into your cluster. Our ingress controller is built around HAProxy, the fastest and most widely used load balancer. Having that foundation means that there are plenty of powerful features that you get right away while benefiting from HAProxy’s legendary performance.

It’s easier to set up Helm than it used to be. You no longer need to install Tiller, the component that had been responsible for executing API commands and storing state within your cluster. Helm version 3 removed Tiller and has been rearchitected to use built-in Kubernetes constructs instead. That has made Helm simpler to use. It also makes it more secure due to its tighter integration with Kubernetes role-based access controls.

In this post, you’ll see how to install our Kubernetes Ingress Controller using Helm, and how to customize its settings.

Learn more by registering for our webinar: “HAProxy Skills Lab: Introduction to Helm

First, The Basics

Helm is now boringly simple to install. You need only to download the pre-built Helm binary and store it on your PATH. Unlike previous versions, there are no steps to install any server-side components, like Tiller, into your Kubernetes cluster prior to use. There are several good options to get a small Kubernetes cluster up and running, such as MinikubeMicroK8s and Kind.

Helm charts are stored in repositories. The main one is Helm Hub, which is hosted by the Helm project. However, you can add other, third-party repositories too. The HAProxy Kubernetes Ingress Controller is available by adding the HAProxy Technologies repository via the helm repo add command, like this:

$ helm repo add haproxytech https://haproxytech.github.io/helm-charts
"haproxytech" has been added to your repositories
view raw 20200320-01.sh hosted with ❤ by GitHub

The next step is to refresh your list of charts by using the helm repo update command.

$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "haproxytech" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈
view raw 20200320-02.sh hosted with ❤ by GitHub

Get an overview of available charts by invoking the helm search repo command:

$ helm search repo haproxy
NAME CHART VERSION APP VERSION DESCRIPTION
haproxytech/kubernetes-ingress 0.7.3 1.3.2 A
view raw 20200320-03.sh hosted with ❤ by GitHub

This shows the latest version of a chart, but you can also see older versions by including the versions argument. To install this chart, run helm install.

$ helm install mycontroller haproxytech/kubernetes-ingress
NAME: mycontroller
LAST DEPLOYED: Tue Mar 10 14:57:41 2020
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
HAProxy Kubernetes Ingress Controller has been successfully installed.
view raw 20200320-04.sh hosted with ❤ by GitHub

The install command takes two parameters. The first, which I’ve set to mycontroller, assigns a name to this release; The second identifies the chart that you want to install. Here’s how the Helm documentation defines a release:

Release is an instance of a chart running in a Kubernetes cluster. One chart can be installed many times into the same cluster. And each time it is installed, a new release is created.

The concept of a release is what makes Helm a vital addition to Kubernetes, since it lets you manage the delivery cycle of an application in a more controlled, less error-prone, way. Compare this to editing Kubernetes YAML files by hand and you’ll no doubt appreciate the safety this offers. Having a repository of versioned releases gives you a way to handle upgrades and rollbacks with ease since Helm can track which version is currently deployed into your environment and can access older and newer versions instantly.

Use the helm list command to check which releases are deployed in your cluster:

$ helm list
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
mycontroller default 1 2020-03-10 15:07:00.463855042 -0400 EDT deployed kubernetes-ingress-0.7.3 1.3.2
view raw 20200320-05.sh hosted with ❤ by GitHub

Once a new version of the chart has been published to the repository, you can get it by refreshing your list with helm repo update and then invoking helm upgrade:

$ helm repo update
$ helm upgrade mycontroller haproxytech/kubernetes-ingress
view raw 20200320-06.sh hosted with ❤ by GitHub

Uninstall the chart with the helm uninstall command:

$ helm uninstall mycontroller
release "mycontroller" uninstalled
view raw 20200320-07.sh hosted with ❤ by GitHub

TLS Termination

The Helm chart deploys the HAProxy Kubernetes Ingress Controller with default settings, but you can override them. For example, it adds a self-signed TLS certificate and configures TLS encryption, enabling a redirect from http:// to https://. You can disable the redirect by changing the value of the ssl-redirect key when you run the install command. Add a set-string argument, like this:

$ helm install mycontroller haproxytech/kubernetes-ingress \
--set-string "controller.config.ssl-redirect=false"
view raw 20200320-08.sh hosted with ❤ by GitHub

Turning off the redirect is useful when you want to access your services without TLS. Alternatively, if you want to configure the controller for production use, follow these steps to enable TLS termination with your own certificate:

Create an SSL certificate.

  1. Create an SSL certificate.

  2. Store its private key in one PEM-formatted file and its public certificate in another (e.g. mycert.key and mycert.crt).

  3. Add the files to your Kubernetes cluster by defining a TLS secret:

    $ kubectl create secret tls mycert --key="mycert.key" --cert="mycert.crt"

    view raw

  4. Pass the name of the secret to Helm when you install the chart:

    $ helm install mycontroller haproxytech/kubernetes-ingress \

    --set-string "controller.defaultTLSSecret.secret=default/mycert"

    view raw

Deployment or Daemonset

Two of the most popular ways to launch an application in Kubernetes are to use a Deployment or a Daemonset. The former creates a certain number of pods and distributes them throughout the cluster; The latter creates one pod on each server node.

The default mode for the HAProxy Kubernetes Ingress Controller is to use a Deployment with two replicas; When you take into account the huge amount of requests that HAProxy can handle, that is usually sufficient for routing traffic. However, a Daemonset works well for small clusters where having an instance of the controller running on every node has its advantages, such as being able to expose the service over well known TCP ports instead of mapping them to unique NodePorts.

In the following example, the controller is installed as a Daemonset so that you can access your services directly over well-known ports.

$ helm install mycontroller haproxytech/kubernetes-ingress \
--set controller.kind=DaemonSet \
--set controller.daemonset.useHostPort=true
view raw 20200320-11.sh hosted with ❤ by GitHub

Note that the case matters, so be sure to spell it DaemonSet. The useHostPort parameter tells it to forward ports 80 and 443 on the host so that you can access your services directly over those ports. Otherwise, it will map them to unique NodePorts, the same as a Deployment.

Forwarding Logs

You may also want to configure the controller to forward its logs to a remote Syslog server, which can be done by setting the syslog-server key. Note that you must escape commas that appear in the value by prefixing them with a backslash.

$ helm install mycontroller haproxytech/kubernetes-ingress \
--set-string "controller.config.syslog-server=address:10.105.98.88\,facility:local0\,level:info" \
--set-string "controller.config.ssl-redirect=false"
view raw 20200320-12.sh hosted with ❤ by GitHub

Any of the options listed in the controller’s documentation can be set in this way. When you have many keys to set, you can store them in a YAML file and then pass the name of the file to the helm install command. For example, suppose you created the following file and named it overrides.yaml:

controller:
config:
ssl-redirect: "true"
syslog-server: "address:10.105.98.88, facility:local0, level:info"
defaultTLSSecret:
enabled: true
secret: default/mycert

You would reference this file by using the values flag, as shown:

$ helm install mycontroller haproxytech/kubernetes-ingress --values overrides.yaml
view raw 20200320-14.sh hosted with ❤ by GitHub

This approach allows you to save the file in version control and makes the helm install command more concise and the process more repeatable. Now that you’ve learned how to use Helm, you are assured an error-proof deployment of the HAProxy Kubernetes Ingress Controller!

Conclusion

In this blog post, we introduced the Helm chart for the HAProxy Kubernetes Ingress Controller, making it easier to begin routing traffic into your cluster using the powerful HAProxy load balancer. Helm facilitates deploying software by providing streamlined package management. You can use it to plan for, install, and upgrade the controller, which you can further customize with features like SSL termination and log forwarding.

The Enterprise version of the ingress controller combines HAProxy, the world’s fastest and most widely used open-source software load balancer, with enterprise-class features, including the HAProxy Enterprise WAF, and premium support. Contact us to learn more about it and sign up for a free trial. If you enjoyed this post and want to see more like it, subscribe to this blog! You can also follow us on Twitter and join the conversation on Slack.

Subscribe to our blog. Get the latest release updates, tutorials, and deep-dives from HAProxy experts.