Service Options
These options can be set in a Service object’s metadata.annotations section to change how requests are routed for a particular service.
Enables TCP level health checks on pods and attempts a TCP connection periodically.
Values
Default
Example
apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/check: "true"
Enables HTTP level health checks on pods and sends an HTTP request periodically. The check setting must be true.
Values
- URI to make HTTP requests to, e.g. /health
- URI with method, e.g. HEAD /health
- URI, method and HTTP version, e.g. HEAD /health HTTP/1.1
Default
Example
apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/check: "true"
    haproxy.org/check-http: "/health"
Sets the interval between health checks when check is enabled.
Values
- Integer with time unit suffix (1m = 1 minute, 10s = 10 seconds)
Default
Example
apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/check: "true"
    haproxy.org/check-interval: "1m"
Defines a group of configuration directives to add directly to a HAProxy backend section.
Values
- One or more valid HAProxy directives
Default
Example
apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
Enables persistent connections between a client and a pod by inserting a cookie into the client’s browser that is used to remember which backend pod they connected to before.
- This will insert the following cookie configuration in the corresponding backend: cookie <cookie-name> insert indirect nocache, with <cookie-name> being the value of this annotation.
Values
Default
Example
apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/cookie-persistence: "mycookie"
Adds the X-Forwarded-For HTTP header to requests to capture and relay the client’s source IP address to backend pods.
Values
Default
Example
apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/forwarded-for: "true"
Sets the load-balancing algorithm to use.
Values
- roundrobin
- static-rr
- leastconn
- first
- source
- uri
- url_param
- hdr([name])
- random
- random([draws])
- rdp-cookie
- rdp-cookie([name])
Default
Example
apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/load-balance: "leastconn"
Sets the maximum number of concurrent backend connections allowed.
Values
- An integer setting the maximum number of concurrent backend connections
Default
Example
apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/pod-maxconn: "30"
Uses the PROXY Protocol when connecting to backend servers.
Values
- proxy - Uses PROXY v1
- proxy-v1 - Uses PROXY v1
- proxy-v2 - Uses PROXY v2
Default
Example
apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/send-proxy-protocol: proxy-v2
Specifies the path of a secret containing a CA certificate (certificate authority) enabling HAProxy to verify a backend’s certificate via the ca-file directive. When the CA certificate is properly configured, this also sets the HAProxy verify directive to required.
- The secret must use ‘tls.crt’ key.
Values
- Secret path following namespace/secretname format.
Default
Example
apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/server-ca: "ns1/ca"
Specifies the path of a secret containing a client certificate that HAProxy can provide during SSL communication with the backend servers via the HAProxy crt directive.
- The secret must use ‘tls.key’ and ‘tls.crt’ keys.
Values
- Secret path following namespace/secretname format.
Default
Example
apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/server-crt: "ns1/client"
HTTP/1.1 is the default protocol for communication with backend servers. Currently, the server-proto annotation supports only “h2” as a value (support for fcgi is also planned), which transmits HTTP/2 messages in the clear to the backend servers.
However, when SSL is enabled on the backend, server-proto is ignored and both HTTP/1.1 and HTTP/2 are advertised via ALPN and transmitted as encrypted messages.
Values
Default
Example
apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/server-proto: "h2"
Enables SSL to pods.
- Enables HTTP/2 support for backend servers.
- The current implementation does not verify server certificates.
Values
Default
Example
apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/server-ssl: "true"
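An added example (not part of the HAProxy documentation or the controller's code): a small audit over exported Service objects that applies the dependencies this page states for check-http, check-interval, server-ssl, server-ca, server-crt and server-proto. The sample input is constructed, and the function names audit_service and audit are hypothetical.

```python
import json

PREFIX = "haproxy.org/"

# Constructed sample in the shape of `kubectl get services -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "web", "namespace": "ns1", "annotations": {
     "haproxy.org/check-http": "/health",
     "haproxy.org/server-ssl": "true",
     "haproxy.org/server-proto": "h2"}}},
  {"metadata": {"name": "api", "namespace": "ns1", "annotations": {
     "haproxy.org/check": "true",
     "haproxy.org/check-http": "HEAD /health",
     "haproxy.org/server-ssl": "true",
     "haproxy.org/server-ca": "ns1/ca"}}}
]}
""")

def audit_service(svc):
    """Return findings for one Service dict, using only rules stated on this page."""
    raw = svc.get("metadata", {}).get("annotations") or {}
    ann = {k[len(PREFIX):]: v for k, v in raw.items() if k.startswith(PREFIX)}
    findings = []
    # check-http and check-interval only take effect when check is "true".
    for dependent in ("check-http", "check-interval"):
        if dependent in ann and ann.get("check") != "true":
            findings.append(f"{dependent} is set but check is not 'true'")
    if ann.get("server-ssl") == "true":
        # server-ssl alone encrypts but does not verify; server-ca adds verification.
        if "server-ca" not in ann:
            findings.append("server-ssl without server-ca: backend certificate not verified")
        if "server-proto" in ann:
            findings.append("server-proto is ignored when server-ssl is enabled")
    # Secret references must follow the namespace/secretname format.
    for key in ("server-ca", "server-crt"):
        if key not in ann:
            continue
        parts = ann[key].split("/")
        if len(parts) != 2 or not all(parts):
            findings.append(f"{key} must be namespace/secretname, got {ann[key]!r}")
    return findings

def audit(service_list):
    """Map namespace/name to its findings for every Service in a list object."""
    return {f"{s['metadata'].get('namespace', 'default')}/{s['metadata']['name']}":
            audit_service(s) for s in service_list.get("items", [])}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

In the constructed sample, ns1/web produces three findings and ns1/api produces none.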
Passes SSL/TLS traffic through at Layer 4 directly to the backend service without Layer 7 inspection.
- Traffic is proxied in TCP mode, which makes a number of the controller annotations (those requiring HTTP mode) unavailable.
Values
Default
Example
apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/ssl-passthrough: "true"
Sets an additional check timeout, but only after a connection has already been established.
Values
- An integer with a unit of time (1s = 1 second, 1m = 1 minute, 1h = 1 hour)
Default
Example
apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/timeout-check: 5s