Implementing a Kubernetes Ingress Controller

Attention!

This document is deprecated in newer versions of HAProxy in favor of the HAProxy Kubernetes Ingress Controller.

One of the ways that you can use HAProxy Enterprise with Kubernetes is by implementing a Kubernetes Ingress Controller.

For this purpose, we created an image containing HAProxy Enterprise and an open-source Ingress Controller, which we designed to take advantage of the Runtime API.

To use the Kubernetes Ingress Controller image, you must have a working Kubernetes cluster that is installed and configured according to the official Kubernetes documentation.

Note

This documentation covers HAProxy Enterprise 1.8r2 packaged together with an open-source Kubernetes Ingress Controller for HAProxy version v0.5-beta.1.

Implementation

Implementing the Kubernetes Ingress Controller consists of:

  • Running the Ingress Controller

  • Allowing traffic into the Ingress Controller

  • Configuring HAProxy Enterprise

Run the Controller

  1. Insert your HAProxy Enterprise subscription credentials into your Kubernetes secrets registry and replace the items in uppercase with your corresponding values, as follows:

    Note

    The complete procedure is explained in the official Kubernetes documentation under Pull an Image from a Private Registry.

    kubectl create secret docker-registry regsecret --docker-server=kubernetes-registry.haproxy.com --docker-username=USERNAME --docker-password=PASSWORD --docker-email=EMAIL

    This creates a new secret named regsecret in the Kubernetes secrets registry. If you are already using the secrets registry, make sure you pick a unique name for the secret.

  2. To use SSL with the Ingress Controller, you import a default certificate into the registry. You create an ad hoc certificate as follows:

    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout tls.key -out tls.crt

  3. Import this certificate into the registry, as follows:

    kubectl create secret tls tls-secret --cert=tls.crt --key=tls.key

    This creates a TLS secret named tls-secret in the Kubernetes namespace default, and populates it with the contents of the provided files.

  4. Create a pod to receive incoming traffic by default when no Ingress rule exists or matches. The Ingress Controller cannot run without a specified default backend.

    Note

    If you already have a pod, you can skip the creation step and specify the existing pod in the args YAML attribute in the next section.

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      labels:
        run: ingress-default-backend
      name: ingress-default-backend
    spec:
      replicas: 1
      selector:
        matchLabels:
          run: ingress-default-backend
      template:
        metadata:
          labels:
            run: ingress-default-backend
        spec:
          containers:
            - name: ingress-default-backend
              image: gcr.io/google_containers/defaultbackend:1.0
              ports:
              - containerPort: 8080
    ---
    apiVersion: v1
    kind: Service
    metadata:
      labels:
        run: ingress-default-backend
      name: ingress-default-backend
      namespace: default
    spec:
      ports:
      - name: port-1
        port: 8080
        protocol: TCP
        targetPort: 8080
      selector:
        run: ingress-default-backend

  5. Apply the file above with the file name as the argument:

    kubectl create -f <filename>

  6. Build a Kubernetes deployment for the Ingress Controller, as follows:

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      labels:
        run: hapee-ingress
      name: hapee-ingress
      annotations:
        ingress.kubernetes.io/affinity: cookie
    spec:
      replicas: 1
      selector:
        matchLabels:
          run: hapee-ingress
      template:
        metadata:
          labels:
            run: hapee-ingress
        spec:
          imagePullSecrets:
          - name: regsecret
          containers:
          - name: hapee-ingress
            image: kubernetes-registry.haproxy.com/hapee-kubernetes:1.7r2
            args:
            - --default-backend-service=default/ingress-default-backend
            - --default-ssl-certificate=default/tls-secret
            - --configmap=$(POD_NAMESPACE)/haproxy-configmap
            - --reload-strategy=native
            ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
            - name: stat
              containerPort: 1936
            env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace

    Note

    • regsecret (from imagePullSecrets) was created at the start of the procedure

    • - --default-backend-service=default/ingress-default-backend refers to the default backend service just created

  7. Apply the file above with the file name as the argument:

    kubectl apply -f <filename>

    This pulls the specified image and runs one replica of the image on a node in your Kubernetes cluster.

Allow external traffic into the Controller

With the Ingress Controller running, the next step is to allow traffic outside the Kubernetes cluster to reach it.

This process is identical for any pod running in a cluster that needs to receive incoming traffic.

You do this by creating a service of type NodePort to forward random ports on the node running the Ingress Controller to container ports. Or, you can explicitly ask for specific ports and specify the IP address of the node running the container.

For this example, we select the first option to create a service definition for the previous Ingress Controller deployment, as follows:

kubectl expose deploy/hapee-ingress --type=NodePort

This opens a random port on the Kubernetes cluster for each container port listed in the example deployment (container ports 80, 443, and 1936).

Kubernetes forwards these open ports to the running Ingress Controller container.

To find the assigned random ports, you can inspect the NodePort service that you created, as follows:

 kubectl get svc hapee-ingress -oyaml
 apiVersion: v1
 kind: Service
 metadata:
   creationTimestamp: 2018-01-29T15:01:25Z
   labels:
     run: hapee-ingress
   name: hapee-ingress
   namespace: default
   resourceVersion: "8682"
   selfLink: /api/v1/namespaces/default/services/hapee-ingress
   uid: 46de9d3a-0505-11e8-9d3e-0800277ad4a8
 spec:
   clusterIP: 10.247.128.183
   ports:
   - name: port-1
     nodePort: 31068
     port: 80
     protocol: TCP
     targetPort: 80
   - name: port-2
     nodePort: 32648
     port: 443
     protocol: TCP
     targetPort: 443
   - name: port-3
     nodePort: 30628
     port: 1936
     protocol: TCP
     targetPort: 1936
   selector:
     run: hapee-ingress
   sessionAffinity: None
   type: NodePort
 status:
   loadBalancer: {}

Note the nodePort entries for each port. In this example, a curl command to any Kubernetes node IP on port 30628 returns the status page for the HAProxy Enterprise instance running alongside the Ingress Controller.

Configure HAProxy Enterprise

To configure HAProxy Enterprise in the HAProxy Enterprise Kubernetes Ingress Controller, you pass configuration options to the Ingress Controller.

You can only use options that the Ingress Controller supports. There are three ways of passing options, using:

  • Annotations to Ingress resources for resource-specific configuration

  • configmap key-value pairs as global HAProxy Enterprise configuration options

  • Command line options in the Kubernetes Ingress Controller specification that are also global

Annotations

The Ingress Controller in this version of HAProxy Enterprise supports the following annotations:

ingress.kubernetes.io/affinity
ingress.kubernetes.io/auth-type
  • Annotates an Ingress resource with the auth-type for using Basic HTTP Authentication.

  • Supported values: basic

ingress.kubernetes.io/auth-realm
  • Annotates an Ingress resource with the auth-realm for using Basic HTTP Authentication; optional.

  • Supported values: a realm string

ingress.kubernetes.io/auth-secret
  • Annotates an Ingress resource with the secret stored in the Kubernetes secret registry to check usernames and passwords. The entry in the Kubernetes secret registry contains one or more username-password pairs, as usually done in a .htpasswd file.

  • Supported values: a secret name

ingress.kubernetes.io/auth-tls-secret
  • Part of the set of options to configure client authentication with a X509 certificate. In order to use client authentication on an Ingress resource, you must configure it to use TLS.

  • Annotates an Ingress resource with the certificate authority certificate or certificate bundle to use for checking the validity of the client certificate.

  • Supported values: namespace/secret name

  • A related annotation is ingress.kubernetes.io/auth-tls-error-page

ingress.kubernetes.io/auth-tls-error-page
  • Part of the set of options to configure client authentication with a X509 certificate. In order to use client authentication on an Ingress resource, you must configure it to use TLS.

  • Annotates an Ingress resource with the (optional) error page to display to the client when the client certificate validation fails.

  • Supported values: url

  • A related annotation is ingress.kubernetes.io/auth-tls-secret

ingress.kubernetes.io/hsts
  • Defines per Ingress resource whether to enable adding a HSTS (HTTP Strict Transport Security) header to responses. Default value is true. To enable this setting globally for all Ingress resources from a particular Ingress Controller, refer to ConfigMap Options.

  • Supported values: true, false

  • Related annotations are ingress.kubernetes.io/hsts-include-subdomains, ingress.kubernetes.io/hsts-max-age and ingress.kubernetes.io/hsts-preload

  • Related ConfigMap options are hsts, hsts-include-subdomains, hsts-max-age and hsts-preload

ingress.kubernetes.io/hsts-include-subdomains
  • Defines per Ingress resource whether to add a HSTS (HTTP Strict Transport Security) header to responses from subdomains as well. The default value is false. To enable this setting globally for all Ingress resources from a particular Ingress Controller, refer to ConfigMap Options.

  • Supported values: true, false

  • Related annotations are ingress.kubernetes.io/hsts, ingress.kubernetes.io/hsts-max-age and ingress.kubernetes.io/hsts-preload

  • Related ConfigMap options are hsts, hsts-include-subdomains, hsts-max-age and hsts-preload

ingress.kubernetes.io/hsts-max-age
  • Defines per Ingress resource (in number of seconds) the length of time for browsers to remember the HSTS configuration. The default value is 15768000. To enable this setting globally for all Ingress resources from a particular Ingress Controller, refer to ConfigMap Options.

  • Supported values: integer number of seconds

  • Related annotations are ingress.kubernetes.io/hsts, ingress.kubernetes.io/hsts-include-subdomains and ingress.kubernetes.io/hsts-preload.

  • Related ConfigMap options are hsts, hsts-include-subdomains, hsts-max-age and hsts-preload

ingress.kubernetes.io/hsts-preload
  • Defines per Ingress resource whether the browser should include the domain in the HSTS preload list as detailed on https://hstspreload.org/. The default value is false. To enable this setting globally for all Ingress resources from a particular Ingress Controller, refer to ConfigMap Options.

  • Supported values: true, false

  • Related annotations are ingress.kubernetes.io/hsts, ingress.kubernetes.io/hsts-include-subdomains and ingress.kubernetes.io/hsts-max-age.

  • Related ConfigMap options are hsts, hsts-include-subdomains, hsts-max-age and hsts-preload

ingress.kubernetes.io/proxy-body-size
  • Annotates an Ingress resource to specify the maximum number of bytes HAProxy Enterprise allows in the body of the proxied requests. The default is unlimited (no checking). The values support suffixes of k, m and g.

  • Supported values: size (bytes)

  • A related ConfigMap option is proxy-body-size

ingress.kubernetes.io/secure-backends
  • Annotates an Ingress resource whether to enable SSL encryption on outgoing connections to backend servers.

  • Supported values: true, false

  • A related annotation is ingress.kubernetes.io/secure-verify-ca-secret.

ingress.kubernetes.io/secure-verify-ca-secret
  • Annotates an Ingress resource with a certificate bundle to use to verify certificates that backend servers present when secure-backends is enabled.

  • Supported values: a secret name

  • A related annotation is ingress.kubernetes.io/secure-backends

ingress.kubernetes.io/ssl-passthrough
  • Annotates an Ingress resource to specify that connections to backend servers be processed purely as TCP, with the expectation that they perform SSL encryption.

  • Supported values: true, false

ingress.kubernetes.io/ssl-redirect
  • Annotates an Ingress resource to redirect requests from HTTP to HTTPS.

  • Supported values: true, false

  • A related annotation is ingress.kubernetes.io/app-root

  • A related ConfigMap option is ssl-redirect

ingress.kubernetes.io/app-root
  • Annotates an Ingress resource with the URL to redirect to upon requesting /, when ssl-redirect is enabled.

  • Supported values: url

  • A related annotation is ingress.kubernetes.io/ssl-redirect

ingress.kubernetes.io/whitelist-source-range
  • Annotates an Ingress resource to allow access for a list of IPs, and reject other IPs.

  • Supported values: CIDR

ingress.kubernetes.io/server-alias
  • Annotates an Ingress resource to create a hostname alias for the resource. The same backend works as for the annotated resource, but the ACL is different.

  • Supported values: hostname string or regex without ^ and $
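How several of these annotations combine on one Ingress resource, as an added example that is not part of the original documentation. The host name, service name, port, CIDR and secret names (admin-app-users, backend-ca, admin-app-tls) are constructed placeholders; the apiVersion matches the manifests used earlier on this page.

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: admin-app                  # hypothetical resource name
  namespace: default
  annotations:
    # Redirect plain HTTP to HTTPS and send the HSTS header (values from this page).
    ingress.kubernetes.io/ssl-redirect: "true"
    ingress.kubernetes.io/hsts: "true"
    ingress.kubernetes.io/hsts-max-age: "15768000"
    ingress.kubernetes.io/hsts-include-subdomains: "false"
    # Basic HTTP Authentication checked against an htpasswd-style secret.
    ingress.kubernetes.io/auth-type: basic
    ingress.kubernetes.io/auth-realm: "Admin area"
    ingress.kubernetes.io/auth-secret: admin-app-users
    # Only this source range is allowed; other client IPs are rejected.
    ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8"
    # Cap the request body instead of keeping the default (unlimited).
    ingress.kubernetes.io/proxy-body-size: "1m"
    # Encrypt the hop to the backend and supply the CA bundle
    # used to verify the certificate the backend presents.
    ingress.kubernetes.io/secure-backends: "true"
    ingress.kubernetes.io/secure-verify-ca-secret: backend-ca
spec:
  tls:
  - hosts:
    - admin.example.com
    secretName: admin-app-tls      # certificate for this host; otherwise the
                                   # --default-ssl-certificate secret is used
  rules:
  - host: admin.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: admin-app
          servicePort: 8443
```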

ConfigMap Options

You can perform the general configuration of HAProxy Enterprise and Kubernetes Ingress Controller using ConfigMap. To specify which ConfigMap to use with a particular Ingress Controller deployment, modify the line --configmap=<namespace>/<configmap-name> in the deployment configuration.

balance-algorithm
backend-check-interval
backend-server-slots-increment
  • Defines the minimum number of server slots to populate with backend servers, as well as the increment by which the number of slots are increased or decreased, depending on changes in the number of backend servers expected to be active. The default value is 32.

  • Supported values: integer

  • A related ConfigMap option is dynamic-scaling

dynamic-scaling
  • Defines whether to use HAProxy Enterprise Runtime API to change backend server definitions without reloading HAProxy Enterprise, as long as the number of servers is within a multiple of backend-server-slots-increment.

  • Supported values: true, false (default)

  • A related ConfigMap option is backend-server-slots-increment

forwardfor
healthz-port
hsts
  • Defines globally whether to enable the attachment of a HSTS (HTTP Strict Transport Security) header to responses. Default value is true. To enable this option per Ingress resource, use annotations.

  • Supported values: true, false

  • Related ConfigMap options are hsts-include-subdomains, hsts-max-age, hsts-preload

  • Related annotations are ingress.kubernetes.io/hsts, ingress.kubernetes.io/hsts-include-subdomains, ingress.kubernetes.io/hsts-max-age, and ingress.kubernetes.io/hsts-preload

hsts-include-subdomains
  • Defines globally whether to enable the attachment of a HSTS (HTTP Strict Transport Security) header to responses from subdomains as well. Default value is false. To enable this option per Ingress resource, use annotations.

  • Supported values: true, false

  • Related ConfigMap options are hsts, hsts-max-age, hsts-preload

  • Related annotations are ingress.kubernetes.io/hsts, ingress.kubernetes.io/hsts-include-subdomains, ingress.kubernetes.io/hsts-max-age, and ingress.kubernetes.io/hsts-preload

hsts-max-age
  • Defines globally the length of time in number of seconds for browsers to remember the HSTS configuration. The default value is 15768000. To enable this option per Ingress resource, use annotations.

  • Supported values: integer number of seconds

  • Related ConfigMap options are hsts, hsts-include-subdomains, hsts-preload

  • Related annotations are ingress.kubernetes.io/hsts, ingress.kubernetes.io/hsts-include-subdomains, ingress.kubernetes.io/hsts-max-age, and ingress.kubernetes.io/hsts-preload

hsts-preload
  • Defines globally whether the browser should include the domain in the HSTS preload list, as detailed on https://hstspreload.org/. The default value is false. To enable this option per Ingress resource, use annotations.

  • Supported values: true, false

  • Related ConfigMap options are hsts, hsts-include-subdomains, hsts-max-age.

  • Related annotations are ingress.kubernetes.io/hsts, ingress.kubernetes.io/hsts-include-subdomains, ingress.kubernetes.io/hsts-max-age, and ingress.kubernetes.io/hsts-preload

http-log-format
  • Defines globally the log format for logging proxied HTTP requests to a UDP syslog server. Default value is the default HAProxy Enterprise HTTP log format. Has effect only when syslog-endpoint option is also set.

  • Supported values: log format string with expansions as in https://haproxy.com/documentation/hapee/1.8r2/onepage/#8.2.4

  • Related ConfigMap options are tcp-log-format, https-log-format, and syslog-endpoint.

https-log-format
  • Defines globally the log format for logging proxied HTTPS requests to a UDP syslog server, compatible with TCP request logging. Default behavior is not to log. Has effect only when syslog-endpoint option is also set.

  • Supported values: log format string with expansions as in https://haproxy.com/documentation/hapee/1.8r2/onepage/#8.2.4

  • Related ConfigMap options are http-log-format, tcp-log-format, and syslog-endpoint

tcp-log-format
  • Defines globally the log format for logging proxied TCP requests to a UDP syslog server. Default value is the default HAProxy Enterprise TCP log format. Has effect only when syslog-endpoint ConfigMap option is also set.

  • Supported values: log format string with expansions as in https://haproxy.com/documentation/hapee/1.8r2/onepage/#8.2.4

  • Related ConfigMap options are http-log-format, https-log-format, and syslog-endpoint.

  • Related command-line option is --tcp-services-configmap.

https-to-http-port
  • Defines the port number to listen on for requests coming from another load balancer performing SSL offloading. The default value is 0 (not listening). This option treats requests arriving on this port as if they had the X-Forwarded-Proto header and sets its value to https (i.e. no redirection for non-SSL traffic). It adds HSTS headers if specified.

  • Using 80 for this ConfigMap setting relies on having the X-Forwarded-Proto present for the described behavior; otherwise, the presence of this header in requests arriving at the https-to-http-port is optional.

  • Supported values: integer port number

  • Related ConfigMap options are hsts, hsts-include-subdomains, hsts-max-age, and hsts-preload

max-connections
  • Defines the maximum number of simultaneously active connections on all proxies. Default value is the HAProxy Enterprise default, 2000.

  • Supported values: integer number

proxy-body-size
  • Defines globally the maximum number of bytes HAProxy Enterprise allows in the body of the proxied requests. The default value is unlimited (no checking), and the values support suffixes of k, m and g.

  • Supported values: size (bytes)

  • A related annotation is ingress.kubernetes.io/proxy-body-size

ssl-ciphers
  • Defines the list of SSL ciphers to use for SSL/TLS handshakes. Default value is ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK. Corresponds to values detailed at https://haproxy.com/documentation/hapee/1.8r2/onepage/#3.1-ssl-default-bind-ciphers.

  • Supported values: string of SSL cipher names separated with colons

  • Related ConfigMap options are ssl-dh-default-max-size, ssl-dh-param, ssl-options, and ssl-redirect

ssl-dh-default-max-size
ssl-dh-param
ssl-options
  • Defines which SSL/TLS connections to accept. The default value is no-sslv3 no-tls-tickets.

  • Supported options are no-tls-tickets (enables stateful session resumption), no-tlsv10 (disable support for TLSv1.0), no-tlsv11 (disable support for TLSv1.1), no-tlsv12 (disable support for TLSv1.2), force-sslv3 (enables use of SSLv3 only), force-tlsv10 (enables use of TLSv1.0 only), force-tlsv11 (enables use of TLSv1.1 only), force-tlsv12 (enables use of TLSv1.2 only) and no-sslv3 (disable support for SSLv3).

  • Supported values: string containing space-separated supported options

  • Related ConfigMap options are ssl-ciphers, ssl-dh-default-max-size, ssl-dh-param, and ssl-redirect

ssl-redirect
  • Defines globally whether to redirect HTTP requests to HTTPS. This applies when there is no per Ingress annotation ingress.kubernetes.io/ssl-redirect. Defaults to true.

  • Supported values: true and false

  • Related ConfigMap options are ssl-ciphers, ssl-dh-default-max-size, ssl-dh-param, and ssl-options.

stats-auth
  • Defines the basic authentication credentials required to access the HAProxy Enterprise status page. Default value is no auth.

  • Supported values: string consisting of username and password separated by colon

  • Related ConfigMap options are stats-port and stats-proxy-protocol

stats-port
  • Defines the port where HAProxy Enterprise returns the status page. The default value is 1936.

  • Supported values: integer port number

  • Related ConfigMap options are stats-auth and stats-proxy-protocol

stats-proxy-protocol
  • Defines whether the stats endpoint uses the PROXY protocol. The default value is false.

  • Supported values: true and false

  • Related ConfigMap options are stats-auth and stats-port

syslog-endpoint
  • Defines the target IP address and UDP port where HAProxy Enterprise must send the syslog logs. The default value is not to send logs.

  • Supported values: string with contents of ip_address:port

  • Related ConfigMap options are http-log-format, tcp-log-format and https-log-format

timeout-client
  • Defines the maximum time of client inactivity before dropping the connection. Default value is 50s. Also see https://haproxy.com/documentation/hapee/1.8r2/onepage/#4-timeout%20client.

  • Supported values: integer number with supported HAProxy Enterprise time suffix like "s", "m", "h" etc.

  • Related ConfigMap options are: timeout-client-fin, timeout-connect, timeout-http-request, timeout-keep-alive, timeout-server, timeout-server-fin, and timeout-tunnel

timeout-client-fin
  • Defines the inactivity timeout on the client side for half-closed connections. Default value is 50s. Also see https://haproxy.com/documentation/hapee/1.8r2/onepage/#4.2-timeout%20client-fin.

  • Supported values: integer number with supported HAProxy Enterprise time suffix like "s", "m", "h" etc.

  • Related ConfigMap options are: timeout-client, timeout-connect, timeout-http-request, timeout-keep-alive, timeout-server, timeout-server-fin, and timeout-tunnel

timeout-connect
  • Defines the maximum time to wait for a server connection attempt to succeed. Default value is 5s. Also see https://haproxy.com/documentation/hapee/1.8r2/onepage/#4.2-timeout%20connect.

  • Supported values: integer number with supported HAProxy Enterprise time suffix like "s", "m", "h" etc.

  • Related ConfigMap options are: timeout-client, timeout-client-fin, timeout-http-request, timeout-keep-alive, timeout-server, timeout-server-fin, and timeout-tunnel

timeout-http-request
  • Defines the maximum allowed time to wait for a complete HTTP request. The default value is 5s. Also see https://haproxy.com/documentation/hapee/1.8r2/onepage/#timeout%20http-request.

  • Supported values: integer number with supported HAProxy Enterprise time suffix like "s", "m", "h" etc.

  • Related ConfigMap options are: timeout-client, timeout-client-fin, timeout-connect, timeout-keep-alive, timeout-server, timeout-server-fin, and timeout-tunnel

timeout-keep-alive
  • Defines the maximum allowed time to wait for a new HTTP request to appear. The default value is 1m. Also see https://haproxy.com/documentation/hapee/1.8r2/onepage/#timeout%20http-keep-alive.

  • Supported values: integer number with supported HAProxy Enterprise time suffix like "s", "m", "h" etc.

  • Related ConfigMap options are: timeout-client, timeout-client-fin, timeout-connect, timeout-http-request, timeout-server, timeout-server-fin, and timeout-tunnel

timeout-server
  • Defines the maximum inactivity time on the server (backend) side. The default value is 50s. Also see https://haproxy.com/documentation/hapee/1.8r2/onepage/#4.2-timeout%20server.

  • Supported values: integer number with supported HAProxy Enterprise time suffix like "s", "m", "h" etc.

  • Related ConfigMap options are: timeout-client, timeout-client-fin, timeout-connect, timeout-http-request, timeout-keep-alive, timeout-server-fin and timeout-tunnel

timeout-server-fin
  • Defines the inactivity timeout on the server (backend) side for half-closed connections. The default value is 50s. Also see https://haproxy.com/documentation/hapee/1.8r2/onepage/#4.2-timeout%20server-fin.

  • Supported values: integer number with supported HAProxy Enterprise time suffix like "s", "m", "h" etc.

  • Related ConfigMap options are: timeout-client, timeout-client-fin, timeout-connect, timeout-http-request, timeout-keep-alive, timeout-server and timeout-tunnel

timeout-tunnel
  • Defines the maximum inactivity time on the client and server side for tunnels. The default value is 1h. Also see https://haproxy.com/documentation/hapee/1.8r2/onepage/#4.2-timeout%20tunnel.

  • Supported values: integer number with supported HAProxy Enterprise time suffix like "s", "m", "h" etc.

  • Related ConfigMap options are: timeout-client, timeout-client-fin, timeout-connect, timeout-http-request, timeout-keep-alive, timeout-server and timeout-server-fin
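A ConfigMap that sets several of the options above, as an added example that is not part of the original documentation. The name haproxy-configmap and the default namespace match the --configmap argument in the deployment shown earlier; the credentials and the syslog address are placeholders.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: haproxy-configmap          # referenced by --configmap=$(POD_NAMESPACE)/haproxy-configmap
  namespace: default               # assumption: the controller runs in "default"
data:
  # Default is "no-sslv3 no-tls-tickets", which still accepts TLSv1.0 and TLSv1.1.
  ssl-options: "no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets"

  # Default is no auth. The deployment publishes the status page on port 1936
  # and the NodePort service makes it reachable on every node.
  # ConfigMap values are stored in clear text and are readable by anyone
  # allowed to get ConfigMaps in this namespace.
  stats-auth: "STATS_USER:STATS_PASSWORD"   # placeholder credentials
  stats-port: "1936"

  # Global HTTPS behaviour; per-Ingress annotations can set these per resource.
  ssl-redirect: "true"
  hsts: "true"
  hsts-max-age: "15768000"
  hsts-include-subdomains: "false"
  hsts-preload: "false"

  # Default is unlimited (no checking).
  proxy-body-size: "10m"

  # Page defaults written out so they are explicit and reviewable.
  timeout-http-request: "5s"
  timeout-client: "50s"
  timeout-server: "50s"
  max-connections: "2000"

  # Default is not to send logs; the log format options only take effect
  # when this endpoint is set.
  syslog-endpoint: "10.0.0.10:514"          # constructed address
```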

Command Line Options

Command-line options for the Ingress Controller set important defaults which you can define in the deployment configuration for the Controller. Two of the options (default-backend-service and default-ssl-certificate) are mandatory for the controller to start.

default-backend-service
  • Specifies the namespace and service name for requests that do not match any of the configured Ingress resources (hostname or path). There is no default value, but you must set this option in the Controller deployment configuration for the controller to start. Example (as in the installation guide): default/ingress-default-backend.

  • Supported values: string of the form "namespace/servicename"

default-ssl-certificate
  • Specifies the SSL certificate to use for requests to Ingress resources that do not have a selected SSL certificate. You must add the SSL certificate to the Kubernetes secret store. There is no default value, but you must set this option in the Controller deployment configuration for the controller to start. Example (as in the installation guide): default/tls-secret

  • Supported values: string of the form "namespace/secretname"

ingress-class
  • The Ingress Controller instances manage the resources annotated with the matching value of the kubernetes.io/ingress.class annotation or with no annotation that are part of the deployment, and ignore any other resources.

  • When there are multiple Ingress Controller deployments (HAProxy Enterprise or otherwise), Ingress resources without annotations assigned to a specific controller deployment result in complaints from the Ingress Controllers about these unannotated resources.

  • Supported values: string (ingress name)

kubeconfig
  • You can use this option when running the Ingress Controller outside the Kubernetes cluster. Within the cluster the Controller uses pre-set environment variables and a service account to connect to the Kubernetes Controller. Outside a Kubernetes cluster, this option is mandatory and the argument is a kubeconfig filename containing the address and credentials to connect to a Kubernetes Controller. The default value is to assume the controller runs in-cluster.

  • Supported values: string (filename)

reload-strategy
  • Specifies how to reload HAProxy Enterprise when a reload is necessary to change aspects of HAProxy Enterprise configuration. Default value is native, meaning HAProxy Enterprise gets reloaded normally. The other supported option is multibinder, which uses the Ruby multibinder daemon to assist in keeping active connections open while HAProxy Enterprise reloads.

  • Supported values: native and multibinder

sort-backends
  • Specifies whether to keep using the random ordering of backends for Ingress resources when the Controller must reload HAProxy Enterprise. This is to prevent the same backends from receiving initial requests after a HAProxy Enterprise reload. Default value is false.

  • Supported values: true and false