Implementing a Kubernetes Ingress Controller

One of the ways that you can use HAProxy Enterprise with Kubernetes is by implementing a Kubernetes Ingress Controller.

For this purpose, we created an image containing HAProxy Enterprise and an open-source Ingress Controller, which we designed to take advantage of the Runtime API.

To use the Kubernetes Ingress Controller image, you must have a working Kubernetes cluster that is installed and configured according to the official Kubernetes documentation.

Note

This documentation covers HAProxy Enterprise 1.8r1 packaged together with an open-source Kubernetes Ingress Controller for HAProxy version v0.5-beta.1.

Implementation

Implementing the Ingress Controller consists of:

  • Running the Ingress Controller

  • Allowing traffic into the Ingress Controller

  • Configuring HAProxy Enterprise

Run the Controller

  1. Insert your HAProxy Enterprise subscription credentials into your Kubernetes secrets registry, replacing the items in uppercase with your corresponding values:

    Note

    The complete procedure is explained in the official Kubernetes documentation under Pull an Image from a Private Registry.

    kubectl create secret docker-registry regsecret --docker-server=kubernetes-registry.haproxy.com --docker-username=USERNAME --docker-password=PASSWORD --docker-email=EMAIL

    This creates a new secret named regsecret in the Kubernetes secrets registry. If you are already using the secrets registry, make sure you pick a unique name for the secret.

  2. To use SSL with the Ingress Controller, you import a default certificate into the secrets registry. For testing, you can create a self-signed ad hoc certificate as follows (openssl prompts for the subject fields); for production, import a certificate issued by a CA that your clients trust instead:

    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout tls.key -out tls.crt

  3. Import this certificate into the registry, as follows:

    kubectl create secret tls tls-secret --cert=tls.crt --key=tls.key

    This creates a TLS secret named tls-secret in the Kubernetes namespace default, and populates it with the contents of the provided files.

  4. Create a pod to receive incoming traffic when no Ingress rule matches the request. The Ingress Controller cannot run without a default backend.

    Note

    If you already have a suitable Service, you can skip the creation step and reference it in the args attribute of the Controller deployment in the next section (--default-backend-service=<namespace>/<service>).

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      labels:
        run: ingress-default-backend
      name: ingress-default-backend
    spec:
      replicas: 1
      selector:
        matchLabels:
          run: ingress-default-backend
      template:
        metadata:
          labels:
            run: ingress-default-backend
        spec:
          containers:
            - name: ingress-default-backend
              image: gcr.io/google_containers/defaultbackend:1.0
              ports:
              - containerPort: 8080
    ---
    apiVersion: v1
    kind: Service
    metadata:
      labels:
        run: ingress-default-backend
      name: ingress-default-backend
      namespace: default
    spec:
      ports:
      - name: port-1
        port: 8080
        protocol: TCP
        targetPort: 8080
      selector:
        run: ingress-default-backend
  5. Apply the file above with the file name as the argument:

    kubectl create -f <filename>
  6. Build a Kubernetes deployment for the Ingress Controller, as follows:

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      labels:
        run: hapee-ingress
      name: hapee-ingress
      annotations:
        ingress.kubernetes.io/affinity: cookie
    spec:
      replicas: 1
      selector:
        matchLabels:
          run: hapee-ingress
      template:
        metadata:
          labels:
            run: hapee-ingress
        spec:
          imagePullSecrets:
          - name: regsecret
          containers:
          - name: hapee-ingress
            image: kubernetes-registry.haproxy.com/hapee-kubernetes:1.7r2
            args:
            - --default-backend-service=default/ingress-default-backend
            - --default-ssl-certificate=default/tls-secret
            - --configmap=$(POD_NAMESPACE)/haproxy-configmap
            - --reload-strategy=native
            ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
            - name: stat
              containerPort: 1936
            env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace

    Note

    • regsecret (from imagePullSecrets) is the image pull secret created at the start of the procedure.

    • --default-backend-service=default/ingress-default-backend refers to the Service created in the previous step.

    • The image tag must match the HAProxy Enterprise release you are licensed for; the tag shown is illustrative.

  7. Apply the file above with the file name as the argument:

    kubectl apply -f <filename>

    This pulls the specified image and runs one replica of the image on a node in your Kubernetes cluster.

Allow external traffic into the Controller

With the Ingress Controller running, the next step is to allow traffic outside the Kubernetes cluster to reach it.

This process is identical for any pod running in a cluster that needs to receive incoming traffic.

You do this by creating a service of type NodePort, which allocates a port from the cluster's node port range (30000-32767 by default) on every node and forwards it to the container port. Alternatively, you can request specific node ports, or specify the external IP address of the node running the container.

For this example, we select the first option to create a service definition for the previous Ingress Controller deployment, as follows:

kubectl expose deploy/hapee-ingress --type=NodePort

This opens one node port for each container port listed in the deployment (container ports 80, 443 and 1936) on every node in the cluster, and Kubernetes forwards traffic arriving on these ports to the running Ingress Controller container. To find which ports were assigned, inspect the NodePort service you created:

kubectl get svc hapee-ingress -oyaml

apiVersion: v1
kind: Service
metadata:
  creationTimestamp: 2018-01-29T15:01:25Z
  labels:
    run: hapee-ingress
  name: hapee-ingress
  namespace: default
  resourceVersion: "8682"
  selfLink: /api/v1/namespaces/default/services/hapee-ingress
  uid: 46de9d3a-0505-11e8-9d3e-0800277ad4a8
spec:
  clusterIP: 10.247.128.183
  ports:
  - name: port-1
    nodePort: 31068
    port: 80
    protocol: TCP
    targetPort: 80
  - name: port-2
    nodePort: 32648
    port: 443
    protocol: TCP
    targetPort: 443
  - name: port-3
    nodePort: 30628
    port: 1936
    protocol: TCP
    targetPort: 1936
  selector:
    run: hapee-ingress
  sessionAffinity: None
  type: NodePort
status:
  loadBalancer: {}

Note the nodePort entries for each port. In this example, a curl request to any Kubernetes node IP on port 30628 returns the status page of the HAProxy Enterprise instance running alongside the Ingress Controller. Because the status page is served without authentication unless the stats-auth ConfigMap option is set, exposing port 1936 through a NodePort makes it reachable by anyone who can reach a node: either set stats-auth, or leave the stat port out of the exposed service.

Configure HAProxy Enterprise

To configure HAProxy Enterprise in the HAProxy Enterprise Kubernetes Ingress Controller, you pass configuration options to the Ingress Controller.

You can only use options that the Ingress Controller supports. There are three ways of passing options, using:

  1. Annotations to Ingress resources for resource-specific configuration

  2. ConfigMap key-value pairs as global HAProxy Enterprise configuration options

  3. Command line options in the Kubernetes Ingress Controller specification that are also global

Annotations

The Ingress Controller released with this version of HAProxy Enterprise supports the following annotations:

ingress.kubernetes.io/affinity
ingress.kubernetes.io/auth-type
  • Annotates an Ingress resource with the auth-type for using Basic HTTP Authentication.

  • Supported values: basic

ingress.kubernetes.io/auth-realm
  • Annotates an Ingress resource with the auth-realm for using Basic HTTP Authentication, optional.

  • Supported values: a realm string

ingress.kubernetes.io/auth-secret
  • Annotates an Ingress resource with the secret stored in the Kubernetes secret registry which will be used to check usernames and passwords. The entry in the Kubernetes secret registry contains one or more username-password pairs, as usually stored in a .htpasswd.

  • Supported values: a secret name

ingress.kubernetes.io/auth-tls-secret
  • Part of the set of options to configure client authentication with a X509 certificate. In order to use client authentication on an Ingress resource, it must be configured to use TLS.

  • Annotates an Ingress resource with the certificate authority certificate or certificate bundle to use for checking the validity of the client certificate.

  • Supported values: namespace/secret name

  • A related annotation is ingress.kubernetes.io/auth-tls-error-page.

ingress.kubernetes.io/auth-tls-error-page
  • Part of the set of options to configure client authentication with a X509 certificate. In order to use client authentication on an Ingress resource, it must be configured to use TLS.

  • Annotates an Ingress resource with the (optional) error page to display to the client upon failing the client certificate validation.

  • Supported values: url

  • A related annotation is ingress.kubernetes.io/auth-tls-secret

ingress.kubernetes.io/hsts
  • Defines per Ingress resource whether to add a HSTS (HTTP Strict Transport Security) header to responses. Default value when not set is true. To enable this setting globally for all Ingress resources implemented by a particular Ingress Controller, refer to ConfigMap options.

  • Supported values: true, false

  • Related annotations are ingress.kubernetes.io/hsts-include-subdomains, ingress.kubernetes.io/hsts-max-age and ingress.kubernetes.io/hsts-preload.

  • Related ConfigMap options are hsts, hsts-include-subdomains, hsts-max-age and hsts-preload.

ingress.kubernetes.io/hsts-include-subdomains
  • Defines per Ingress resource whether to enable adding a HSTS (HTTP Strict Transport Security) header to responses from subdomains as well. The default value when not set is false. To enable this setting globally for all Ingress resources implemented by a particular Ingress Controller, refer to ConfigMap options.

  • Supported values: true, false

  • Related annotations are ingress.kubernetes.io/hsts, ingress.kubernetes.io/hsts-max-age and ingress.kubernetes.io/hsts-preload.

  • Related ConfigMap options are hsts, hsts-include-subdomains, hsts-max-age and hsts-preload.

ingress.kubernetes.io/hsts-max-age
  • Defines per Ingress resource (in number of seconds) the length of time browsers should remember the HSTS configuration. The default value when not set is 15768000. To enable this setting globally for all Ingress resources implemented by a particular Ingress Controller, refer to ConfigMap options.

  • Supported values: integer number of seconds

  • Related annotations are ingress.kubernetes.io/hsts, ingress.kubernetes.io/hsts-include-subdomains and ingress.kubernetes.io/hsts-preload.

  • Related ConfigMap options are hsts, hsts-include-subdomains, hsts-max-age and hsts-preload.

ingress.kubernetes.io/hsts-preload
  • Defines per Ingress resource whether the browser should include the domain to the HSTS preload list as detailed on https://hstspreload.org/. The default value when not set is false. To enable this setting globally for all Ingress resources implemented by a particular Ingress Controller, refer to ConfigMap options.

  • Supported values: true, false

  • Related annotations are ingress.kubernetes.io/hsts, ingress.kubernetes.io/hsts-include-subdomains and ingress.kubernetes.io/hsts-max-age.

  • Related ConfigMap options are hsts, hsts-include-subdomains, hsts-max-age and hsts-preload.

ingress.kubernetes.io/proxy-body-size
  • Annotates an Ingress resource to specify the maximum number of bytes HAProxy Enterprise will allow in the body of the proxied requests. When not set, the default is unlimited (no checking). The values support suffixes of k, m and g.

  • Supported values: size (bytes)

  • A related ConfigMap option is proxy-body-size.

ingress.kubernetes.io/secure-backends
  • Annotates an Ingress resource whether to enable SSL encryption on outgoing connections to backend servers.

  • Supported values: true, false

  • A related annotation is ingress.kubernetes.io/secure-verify-ca-secret.

ingress.kubernetes.io/secure-verify-ca-secret
  • Annotates an Ingress resource with a certificate bundle to use to enable verification of certificates presented by backend servers when secure-backends is enabled.

  • Supported values: a secret name

  • A related annotation is ingress.kubernetes.io/secure-backends.

ingress.kubernetes.io/ssl-passthrough
  • Annotates an Ingress resource so that connections are forwarded to the backend servers as raw TCP, without TLS termination in HAProxy Enterprise; the backend servers are expected to handle TLS themselves.

  • Supported values: true, false

ingress.kubernetes.io/ssl-redirect
  • Annotates an Ingress resource to redirect requests from HTTP to HTTPS.

  • Supported values: true, false

  • A related annotation is ingress.kubernetes.io/app-root.

  • A related ConfigMap option is ssl-redirect.

ingress.kubernetes.io/app-root
  • Annotates an Ingress resource with the URL to be redirected to upon requesting /, when ssl-redirect is enabled.

  • Supported values: url

  • A related annotation is ingress.kubernetes.io/ssl-redirect.

ingress.kubernetes.io/whitelist-source-range
  • Annotates an Ingress resource with the network ranges allowed to access it; requests from any other source address are rejected. The check uses the source address of the connection as HAProxy Enterprise sees it: behind a NodePort service with the default externalTrafficPolicy (Cluster), kube-proxy source-NATs incoming connections, so clients appear to come from a node address and the whitelist cannot tell them apart. Set externalTrafficPolicy: Local on the service (or otherwise preserve the client address) before relying on this annotation.

  • Supported values: CIDR

ingress.kubernetes.io/server-alias
  • Annotates an Ingress resource to create a hostname alias for the resource. The same backend will be used as for the annotated resource, but the ACL will be different.

  • Supported values: hostname string or regex without ^ and $
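As an added example (not part of the HAProxy Enterprise documentation or the Ingress Controller's own code), the following Python script checks the ingress.kubernetes.io/* annotations on an Ingress manifest against the list above before the manifest is applied: the value kind of each annotation, unsupported annotation names, the auth-type/auth-secret pairing, and the TLS requirement of auth-tls-secret. The sample Ingress is constructed for the example. The comma-separated form of whitelist-source-range, and treating the url kind as either an absolute http(s) URL or an absolute path, are assumptions; the page documents only the value kinds.

```python
"""Check the ingress.kubernetes.io/* annotations on an Ingress manifest.

Added example; not part of the HAProxy Enterprise documentation or the
Ingress Controller's code. ANNOTATION_KINDS mirrors the annotations and
value kinds listed on this page. The sample Ingress is constructed.
"""
import copy
import ipaddress
import json
import re
from urllib.parse import urlparse

PREFIX = "ingress.kubernetes.io/"

# Value kind per annotation, from the descriptions above. "affinity" has no
# documented value set on the page, so any non-empty value is accepted.
ANNOTATION_KINDS = {
    "affinity": "string",
    "auth-type": "enum:basic",
    "auth-realm": "string",
    "auth-secret": "string",
    "auth-tls-secret": "namespaced",
    "auth-tls-error-page": "url",
    "hsts": "bool",
    "hsts-include-subdomains": "bool",
    "hsts-max-age": "int",
    "hsts-preload": "bool",
    "proxy-body-size": "size",
    "secure-backends": "bool",
    "secure-verify-ca-secret": "string",
    "ssl-passthrough": "bool",
    "ssl-redirect": "bool",
    "app-root": "url",
    "whitelist-source-range": "cidr-list",  # comma-separated list: assumption
    "server-alias": "string",
}

SIZE_RE = re.compile(r"^[0-9]+[kmg]?$")  # bytes with optional k/m/g suffix


def _valid(kind, value):
    """Return True if value fits the documented kind."""
    if kind == "string":
        return value != ""
    if kind.startswith("enum:"):
        return value in kind[len("enum:"):].split(",")
    if kind == "bool":
        return value in ("true", "false")
    if kind == "int":
        return value.isdigit()
    if kind == "size":
        return SIZE_RE.match(value) is not None
    if kind == "namespaced":
        ns, sep, name = value.partition("/")
        return bool(sep and ns and name)
    if kind == "url":  # absolute http(s) URL or absolute path: assumption
        parsed = urlparse(value)
        return value.startswith("/") or (parsed.scheme in ("http", "https") and bool(parsed.netloc))
    if kind == "cidr-list":
        try:
            for item in value.split(","):
                ipaddress.ip_network(item.strip(), strict=False)
            return True
        except ValueError:
            return False
    raise ValueError(f"unknown kind {kind}")


def lint_ingress(manifest):
    """Return a list of (annotation, problem) pairs; an empty list means clean."""
    annotations = manifest.get("metadata", {}).get("annotations") or {}
    problems, seen = [], {}
    for key, value in annotations.items():
        if not key.startswith(PREFIX):
            continue  # other controllers' annotations are out of scope
        short = key[len(PREFIX):]
        kind = ANNOTATION_KINDS.get(short)
        if kind is None:
            problems.append((short, "not supported by this controller version; it will be ignored"))
        elif not _valid(kind, str(value)):
            problems.append((short, f"invalid value {value!r}, expected {kind}"))
        else:
            seen[short] = str(value)
    # Cross-annotation rules stated in the descriptions above.
    if seen.get("auth-type") == "basic" and "auth-secret" not in seen:
        problems.append(("auth-secret", "required when auth-type is basic"))
    if "auth-tls-secret" in seen and not manifest.get("spec", {}).get("tls"):
        problems.append(("auth-tls-secret", "client certificate auth requires spec.tls on the Ingress"))
    if "app-root" in seen and seen.get("ssl-redirect") == "false":
        problems.append(("app-root", "only takes effect when ssl-redirect is enabled"))
    return problems


# Constructed sample: an Ingress with several mistakes a reviewer should catch.
SAMPLE_INGRESS = json.loads("""{
  "apiVersion": "extensions/v1beta1", "kind": "Ingress",
  "metadata": {"name": "admin", "namespace": "default", "annotations": {
    "ingress.kubernetes.io/auth-type": "basic",
    "ingress.kubernetes.io/auth-realm": "Admin area",
    "ingress.kubernetes.io/hsts-max-age": "1y",
    "ingress.kubernetes.io/whitelist-source-range": "10.0.0.0/8,192.168.1.0/24",
    "ingress.kubernetes.io/auth-tls-secret": "default/client-ca",
    "ingress.kubernetes.io/ssl-redirect": "yes",
    "ingress.kubernetes.io/rewrite-target": "/"}},
  "spec": {"rules": [{"host": "admin.example.com", "http": {"paths": [
    {"path": "/", "backend": {"serviceName": "admin", "servicePort": 8080}}]}}]}
}""")

# The same Ingress with the findings fixed (secret names are placeholders).
FIXED_INGRESS = copy.deepcopy(SAMPLE_INGRESS)
_fixed = FIXED_INGRESS["metadata"]["annotations"]
_fixed.update({PREFIX + "auth-secret": "admin-htpasswd",
               PREFIX + "hsts-max-age": "31536000",
               PREFIX + "ssl-redirect": "true"})
del _fixed[PREFIX + "rewrite-target"]
FIXED_INGRESS["spec"]["tls"] = [{"hosts": ["admin.example.com"], "secretName": "admin-tls"}]

if __name__ == "__main__":
    for short, problem in lint_ingress(SAMPLE_INGRESS):
        print(f"{PREFIX}{short}: {problem}")
```

Run it against a manifest exported with kubectl get ingress <name> -o json before applying changes; annotations from other controllers (without the ingress.kubernetes.io/ prefix) are left alone, and an unknown name under that prefix is reported because the controller silently ignores it.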

ConfigMap Options

You can perform the general configuration of HAProxy Enterprise and Kubernetes Ingress Controller using ConfigMap. To specify which ConfigMap to use with a particular Ingress Controller deployment, modify the line --configmap=<namespace>/<configmap-name> in the deployment configuration.

balance-algorithm
backend-check-interval
backend-server-slots-increment
  • Defines the minimum number of server slots to populate with backend servers, as well as the increment by which the number of slots is increased or decreased as the number of backend servers expected to be active changes. The default value is 32.

  • Supported values: integer

  • A related ConfigMap option is dynamic-scaling.

dynamic-scaling
  • Defines whether to use HAProxy Enterprise Runtime API to change backend server definitions. This is done without reloading HAProxy Enterprise, as long as the number of servers is within a multiple of backend-server-slots-increment.

  • Supported values: true, false (default)

  • A related ConfigMap option is backend-server-slots-increment.

forwardfor
healthz-port
hsts
  • Defines globally whether to enable the attachment of a HSTS (HTTP Strict Transport Security) header to responses. Default value when not set is true. To enable this option per Ingress resource, use annotations.

  • Supported values: true, false

  • Related ConfigMap options are hsts-include-subdomains, hsts-max-age, hsts-preload.

  • Related annotations are ingress.kubernetes.io/hsts, ingress.kubernetes.io/hsts-include-subdomains, ingress.kubernetes.io/hsts-max-age, and ingress.kubernetes.io/hsts-preload.

hsts-include-subdomains
  • Defines globally whether to enable the attachment of a HSTS (HTTP Strict Transport Security) header to responses from subdomains as well. Default value when not set is false. To enable this option per Ingress resource, use annotations.

  • Supported values: true, false

  • Related ConfigMap options are hsts, hsts-max-age, hsts-preload.

  • Related annotations are ingress.kubernetes.io/hsts, ingress.kubernetes.io/hsts-include-subdomains, ingress.kubernetes.io/hsts-max-age, and ingress.kubernetes.io/hsts-preload.

hsts-max-age
  • Defines globally the length of time in number of seconds that browsers should remember the HSTS configuration. The default value when not set is 15768000. To enable this option per Ingress resource, use annotations.

  • Supported values: integer number of seconds

  • Related ConfigMap options are hsts, hsts-include-subdomains, hsts-preload.

  • Related annotations are ingress.kubernetes.io/hsts, ingress.kubernetes.io/hsts-include-subdomains, ingress.kubernetes.io/hsts-max-age, and ingress.kubernetes.io/hsts-preload.

hsts-preload
  • Defines globally whether the browser should include the domain in the HSTS preload list, as detailed on https://hstspreload.org/. The default value when not set is false. To enable this option per Ingress resource, use annotations.

  • Supported values: true, false

  • Related ConfigMap options are hsts, hsts-include-subdomains, hsts-max-age.

  • Related annotations are ingress.kubernetes.io/hsts, ingress.kubernetes.io/hsts-include-subdomains, ingress.kubernetes.io/hsts-max-age, and ingress.kubernetes.io/hsts-preload.

http-log-format
  • Defines globally the log format for logging proxied HTTP requests to a UDP syslog server. Default value when not set is the default HAProxy Enterprise HTTP log format. Has effect only when syslog-endpoint ConfigMap option is also set.

  • Supported values: log format string with expansions as in https://haproxy.com/documentation/hapee/1.8r1/onepage/#8.2.4

  • Related ConfigMap options are tcp-log-format, https-log-format, and syslog-endpoint.

https-log-format
  • Defines globally the log format for logging proxied https requests to a UDP syslog server, compatible with TCP request logging. Default behavior when not set is not to log. Has effect only when syslog-endpoint ConfigMap option is also set.

  • Supported values: log format string with expansions as in https://haproxy.com/documentation/hapee/1.8r1/onepage/#8.2.4

  • Related ConfigMap options are http-log-format, tcp-log-format, and syslog-endpoint.

tcp-log-format
  • Defines globally the log format for logging proxied TCP requests to a UDP syslog server. Default value when not set is the default HAProxy Enterprise TCP log format. Has effect only when syslog-endpoint ConfigMap option is also set.

  • Supported values: log format string with expansions as in https://haproxy.com/documentation/hapee/1.8r1/onepage/#8.2.4

  • Related ConfigMap options are http-log-format, https-log-format, and syslog-endpoint.

  • Related command-line option is --tcp-services-configmap.

https-to-http-port
  • Defines the port number to listen on for requests coming from another load balancer that performs SSL offloading. The default value when not set is 0 (not listening). Requests arriving on this port are treated as if they carried an X-Forwarded-Proto header with the value https (that is, they are not redirected as non-SSL traffic), and HSTS headers are added if configured.

  • If you set this option to 80, the same port as plain HTTP, the https treatment applies only to requests that actually carry X-Forwarded-Proto: https. On any other port the header is optional, because the port itself marks the traffic as already TLS-terminated. Since requests on this port bypass ssl-redirect and are trusted as HTTPS, make it reachable only from the offloading load balancer (for example, do not include it in a NodePort service) so that clients cannot connect to it directly and have plain-text traffic treated as HTTPS.

  • Supported values: integer port number

  • Related ConfigMap options are hsts, hsts-include-subdomains, hsts-max-age, and hsts-preload.

max-connections
  • Defines the maximum number of simultaneously active connections on all proxies. Default value when not set is the HAProxy Enterprise default, 2000.

  • Supported values: integer number

proxy-body-size
  • Defines globally the maximum number of bytes HAProxy Enterprise can allow in the body of the proxied requests. When not set, the default is unlimited (no checking), and the values support suffixes of k, m and g.

  • Supported values: size (bytes)

  • A related annotation is ingress.kubernetes.io/proxy-body-size.

ssl-ciphers
  • Defines the list of SSL ciphers used for SSL/TLS handshakes. Default value when not set is ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK. Corresponds to values detailed at https://haproxy.com/documentation/hapee/1.8r1/onepage/#3.1-ssl-default-bind-ciphers.

  • Supported values: string of SSL cipher names separated with colons

  • Related ConfigMap options are ssl-dh-default-max-size, ssl-dh-param, ssl-options, and ssl-redirect.

ssl-dh-default-max-size
ssl-dh-param
ssl-options
  • Defines which SSL/TLS protocol versions and features HAProxy Enterprise accepts. The default value when not set is no-sslv3 no-tls-tickets.

  • Supported options are no-tls-tickets (disables stateless session resumption with TLS session tickets, so only the server-side session cache is used), no-tlsv10 (disable support for TLSv1.0), no-tlsv11 (disable support for TLSv1.1), no-tlsv12 (disable support for TLSv1.2), force-sslv3 (accept SSLv3 only), force-tlsv10 (accept TLSv1.0 only), force-tlsv11 (accept TLSv1.1 only), force-tlsv12 (accept TLSv1.2 only) and no-sslv3 (disable support for SSLv3). The force-sslv3, force-tlsv10 and force-tlsv11 options pin the proxy to a single obsolete protocol and should not be used. The default only disables SSLv3, so a hardened deployment sets no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets to refuse everything older than TLSv1.2.

  • Supported values: string containing space-separated supported options

  • Related ConfigMap options are ssl-ciphers, ssl-dh-default-max-size, ssl-dh-param, and ssl-redirect.

ssl-redirect
  • Defines a global default for whether to redirect HTTP requests to HTTPS. It applies when an Ingress resource has no ingress.kubernetes.io/ssl-redirect annotation. Defaults to true.

  • Supported values: true and false

  • Related ConfigMap options are ssl-ciphers, ssl-dh-default-max-size, ssl-dh-param, and ssl-options.

stats-auth
  • Defines the basic authentication credentials required to access the HAProxy Enterprise status page. Default when not set is no authentication, so set it whenever the stats port (1936 by default) is reachable from outside the pod, as it is when that port is included in a NodePort service.

  • Supported values: string consisting of username and password separated by colon

  • Related ConfigMap options are stats-port and stats-proxy-protocol.

stats-port
  • Defines the port on which HAProxy Enterprise will return the status page. The default value when not set is 1936.

  • Supported values: integer port number

  • Related ConfigMap options are stats-auth and stats-proxy-protocol.

stats-proxy-protocol
  • Defines whether the stats endpoint should use the PROXY protocol. The default value when not set is false.

  • Supported values: true and false

  • Related ConfigMap options are stats-auth and stats-port.

syslog-endpoint
  • Defines the target IP address and UDP port to which HAProxy Enterprise should send syslog logs. The default value when not set is to not send logs.

  • Supported values: string with contents of ip_address:port

  • Related ConfigMap options are http-log-format, tcp-log-format and https-log-format.

timeout-client
  • Defines the maximum time of client inactivity before dropping the connection. Default value when not set is 50s. Also see https://haproxy.com/documentation/hapee/1.8r1/onepage/#4-timeout%20client.

  • Supported values: integer number with supported HAProxy Enterprise time suffix like "s", "m", "h" etc.

  • Related ConfigMap options are: timeout-client-fin, timeout-connect, timeout-http-request, timeout-keep-alive, timeout-server, timeout-server-fin, and timeout-tunnel

timeout-client-fin
  • Defines the inactivity timeout on the client side for half-closed connections. Default value when not set is 50s. Also see https://haproxy.com/documentation/hapee/1.8r1/onepage/#4.2-timeout%20client-fin.

  • Supported values: integer number with supported HAProxy Enterprise time suffix like "s", "m", "h" etc.

  • Related ConfigMap options are: timeout-client, timeout-connect, timeout-http-request, timeout-keep-alive, timeout-server, timeout-server-fin, and timeout-tunnel.

timeout-connect
  • Defines the maximum time to wait for a connection attempt to a server to succeed. Default value when not set is 5s. Also see https://haproxy.com/documentation/hapee/1.8r1/onepage/#4.2-timeout%20connect.

  • Supported values: integer number with supported HAProxy Enterprise time suffix like "s", "m", "h" etc.

  • Related ConfigMap options are: timeout-client, timeout-client-fin, timeout-http-request, timeout-keep-alive, timeout-server, timeout-server-fin, and timeout-tunnel.

timeout-http-request
  • Defines the maximum allowed time to wait for a complete HTTP request. The default value when not set is 5s. Also see https://haproxy.com/documentation/hapee/1.8r1/onepage/#timeout%20http-request.

  • Supported values: integer number with supported HAProxy Enterprise time suffix like "s", "m", "h" etc.

  • Related ConfigMap options are: timeout-client, timeout-client-fin, timeout-connect, timeout-keep-alive, timeout-server, timeout-server-fin, and timeout-tunnel.

timeout-keep-alive
  • Defines the maximum allowed time to wait for a new HTTP request to appear. The default value when not set is 1m. Also see https://haproxy.com/documentation/hapee/1.8r1/onepage/#timeout%20http-keep-alive.

  • Supported values: integer number with supported HAProxy Enterprise time suffix like "s", "m", "h" etc.

  • Related ConfigMap options are: timeout-client, timeout-client-fin, timeout-connect, timeout-http-request, timeout-server, timeout-server-fin, and timeout-tunnel.

timeout-server
  • Defines the maximum inactivity time on the server (backend) side. The default value when not set is 50s. Also see https://haproxy.com/documentation/hapee/1.8r1/onepage/#4.2-timeout%20server.

  • Supported values: integer number with supported HAProxy Enterprise time suffix like "s", "m", "h" etc.

  • Related ConfigMap options are: timeout-client, timeout-client-fin, timeout-connect, timeout-http-request, timeout-keep-alive, timeout-server-fin and timeout-tunnel.

timeout-server-fin
  • Defines the inactivity timeout on the server (backend) side for half-closed connections. The default value when not set is 50s. Also see https://haproxy.com/documentation/hapee/1.8r1/onepage/#4.2-timeout%20server-fin.

  • Supported values: integer number with supported HAProxy Enterprise time suffix like "s", "m", "h" etc.

  • Related ConfigMap options are: timeout-client, timeout-client-fin, timeout-connect, timeout-http-request, timeout-keep-alive, timeout-server and timeout-tunnel.

timeout-tunnel
  • Defines the maximum inactivity time on the client and server side for tunnels. The default value when not set is 1h. Also see https://haproxy.com/documentation/hapee/1.8r1/onepage/#4.2-timeout%20tunnel.

  • Supported values: integer number with supported HAProxy Enterprise time suffix like "s", "m", "h" etc.

  • Related ConfigMap options are: timeout-client, timeout-client-fin, timeout-connect, timeout-http-request, timeout-keep-alive, timeout-server and timeout-server-fin.
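The following Python script is added here and is not taken from the HAProxy Enterprise documentation or the controller's code. It reviews the data of the ConfigMap referenced by --configmap against the defaults listed above and produces a hardened copy: it flags ssl-options that force an obsolete protocol, disable TLSv1.2 or leave TLSv1.0/1.1 enabled (the default no-sslv3 no-tls-tickets does), an unset stats-auth, ssl-redirect or hsts set to false, a missing syslog-endpoint, and an unlimited proxy-body-size. The sample ConfigMap is constructed; the stats credentials, syslog target and 8m body limit passed to harden_configmap are deployment choices of the caller, not documented defaults.

```python
"""Review the haproxy-configmap for weak global settings and emit a hardened copy.

Added example; not from the HAProxy Enterprise documentation or the
controller's code. Keys and defaults follow the ConfigMap options above.
The sample ConfigMap is constructed.
"""
import copy
import json

# ssl-options tokens documented above. The force-* tokens pin one obsolete
# protocol; no-tlsv12 would remove the last acceptable one.
DANGEROUS_SSL_OPTIONS = {"force-sslv3", "force-tlsv10", "force-tlsv11", "no-tlsv12"}
REQUIRED_SSL_OPTIONS = {"no-sslv3", "no-tlsv10", "no-tlsv11"}  # nothing older than TLSv1.2
SUPPORTED_SSL_OPTIONS = DANGEROUS_SSL_OPTIONS | REQUIRED_SSL_OPTIONS | {"no-tls-tickets", "force-tlsv12"}
DEFAULT_SSL_OPTIONS = "no-sslv3 no-tls-tickets"  # controller default when the key is unset


def review_configmap(configmap):
    """Return (key, problem) pairs for settings that weaken the deployment."""
    data = configmap.get("data") or {}
    findings = []
    opts = set(data.get("ssl-options", DEFAULT_SSL_OPTIONS).split())
    bad = sorted(opts & DANGEROUS_SSL_OPTIONS)
    if bad:
        findings.append(("ssl-options", "forces or leaves only an obsolete protocol: " + " ".join(bad)))
    unknown = sorted(opts - SUPPORTED_SSL_OPTIONS)
    if unknown:
        findings.append(("ssl-options", "not a supported option: " + " ".join(unknown)))
    missing = sorted(REQUIRED_SSL_OPTIONS - opts)
    if missing:
        findings.append(("ssl-options", "legacy protocols still enabled; add " + " ".join(missing)))
    if data.get("ssl-redirect", "true") == "false":
        findings.append(("ssl-redirect", "plain HTTP is served instead of redirected to HTTPS"))
    if data.get("hsts", "true") == "false":
        findings.append(("hsts", "Strict-Transport-Security header disabled globally"))
    if not data.get("stats-auth"):
        findings.append(("stats-auth", "status page on stats-port (default 1936) requires no authentication"))
    if not data.get("syslog-endpoint"):
        findings.append(("syslog-endpoint", "request logs are not sent anywhere"))
    if not data.get("proxy-body-size"):
        findings.append(("proxy-body-size", "request body size is unlimited"))
    return findings


def harden_configmap(configmap, stats_auth, syslog_endpoint, body_size="8m"):
    """Return a copy of the ConfigMap with the weak settings replaced.

    stats_auth ("user:password"), syslog_endpoint ("ip:port") and the body
    limit are deployment choices supplied by the caller, not documented defaults.
    """
    hardened = copy.deepcopy(configmap)
    data = hardened.setdefault("data", {})
    opts = set(data.get("ssl-options", DEFAULT_SSL_OPTIONS).split())
    opts = (opts - DANGEROUS_SSL_OPTIONS) | REQUIRED_SSL_OPTIONS
    data["ssl-options"] = " ".join(sorted(opts))
    data["ssl-redirect"] = "true"
    data["hsts"] = "true"
    data["stats-auth"] = stats_auth
    data["syslog-endpoint"] = syslog_endpoint
    data["proxy-body-size"] = body_size
    return hardened


# Constructed sample: a ConfigMap that pins TLSv1.0 and disables the HTTPS redirect.
WEAK_CONFIGMAP = json.loads("""{
  "apiVersion": "v1", "kind": "ConfigMap",
  "metadata": {"name": "haproxy-configmap", "namespace": "default"},
  "data": {"ssl-options": "no-sslv3 force-tlsv10", "ssl-redirect": "false",
           "timeout-client": "50s", "max-connections": "4000"}
}""")

if __name__ == "__main__":
    for key, problem in review_configmap(WEAK_CONFIGMAP):
        print(f"{key}: {problem}")
    fixed = harden_configmap(WEAK_CONFIGMAP, "admin:CHANGE-ME", "10.0.0.5:514")
    print(json.dumps(fixed, indent=2))  # save and apply with kubectl apply -f <file>
```

The hardened copy keeps every key it does not recognise as weak (timeouts, max-connections) and only rewrites the flagged ones, so the output can be diffed against the original ConfigMap before it is applied.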

Command Line Options

Command-line options for the Ingress Controller set important defaults and can be specified in the deployment configuration for the Controller. Two of the options (default-backend-service and default-ssl-certificate) are mandatory or the Controller does not start.

default-backend-service
  • Specifies the namespace and service name for requests that do not match any of the configured Ingress resources (hostname or path). There is no default value but this option must be set in the Controller deployment configuration or the Controller will not start. For example (as in the installation guide), this could be default/ingress-default-backend.

  • Supported values: string of the form "namespace/servicename"

default-ssl-certificate
  • Specifies the SSL certificate to use for requests to Ingress resources that do not have the SSL certificate selected. The SSL certificate needs to be added to the Kubernetes secret store. There is no default value and this option must be set in the Controller deployment configuration or the Controller will not start. For example (as in the installation guide), this could be default/tls-secret.

  • Supported values: string of the form "namespace/secretname"

ingress-class
  • Ingress resources whose kubernetes.io/ingress.class annotation matches this value, or that carry no such annotation, are managed by the Ingress Controller instances of this deployment; all other Ingress resources are ignored.

  • When several Ingress Controller deployments (HAProxy Enterprise or otherwise) run in the same cluster, Ingress resources without an annotation assigning them to a specific deployment are picked up by all of them, and each Controller will complain about the unannotated resources. Annotate every Ingress resource with the class of the Controller that should serve it.

  • Supported values: string (ingress name)

kubeconfig
  • Can be used when running the Ingress Controller outside of the Kubernetes cluster. Inside the cluster, the Controller uses the pre-set environment variables and its service account to connect to the Kubernetes API server. Outside the cluster this option is mandatory, and its argument is a kubeconfig file containing the address and credentials of the API server. The default when not set is to assume the Controller runs in-cluster.

  • Supported values: string (filename)

reload-strategy
  • Specifies how to perform reloading of HAProxy Enterprise when a reload is needed in order to change aspects of HAProxy Enterprise configuration. Default value when not set is native, meaning HAProxy Enterprise will be reloaded normally. The other supported option is multibinder which makes use of the Ruby multibinder daemon to assist in keeping active connections open while HAProxy Enterprise is reloading.

  • Supported values: native and multibinder

sort-backends
  • Specifies whether to sort the backend servers of each Ingress resource when the Controller regenerates the configuration and reloads HAProxy Enterprise. The default, false, keeps a random ordering so that the same servers do not receive the first requests after every reload.

  • Supported values: true and false