Service Options

These options can be set in a Service object’s metadata.annotations section to change how requests are routed for a particular service.

`check`

Enables TCP level health checks on pods and attempts a TCP connection periodically.

Values

true
false

Default

true

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/check: "true"

`check-http`

Enables HTTP level health checks on pods and sends an HTTP request periodically. The check setting must be true.

Values

URI to make HTTP requests to, e.g. /health
URI with method, e.g. HEAD /health
URI, method and HTTP version, e.g. HEAD /health HTTP/1.1

Default

no default value

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/check: "true"
    haproxy.org/check-http: "/health"

`check-interval`

Sets the interval between health checks when check is enabled.

Values

Integer with time unit suffix (1m = 1 minute, 10s = 10 seconds)

Default

no default value

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/check: "true"
    haproxy.org/check-interval: "1m"

`backend-config-snippet`

Defines a group of configuration directives to add directly to a HAProxy backend section.

Values

One or more valid HAProxy directives

Default

no default value

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:

Enables persistent connections between a client and a pod by inserting a cookie into the client’s browser that is used to remember which backend pod they connected to before.

This will insert the following cookie configuration in the corresponding backend cookie <cookie-name> insert indirect nocache with <cookie-name> the value of this annotation.

Values

A name for the cookie

Default

no default value

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/cookie-persistence: "mycookie"

`forwarded-for`

Adds the X-Forwarded-For HTTP header to requests to capture and relay the client’s source IP address to backend pods.

Values

true
false

Default

true

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/forwarded-for: "true"

`load-balance`

Sets the load-balancing algorithm to use.

Values

roundrobin
static-rr
leastconn
first
source
uri
url_param
hdr([name])
random
random([draws])
rdp-cookie
rdp-cookie([name])

Default

roundrobin

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/load-balance: "leastconn"

`pod-maxconn`

Sets the maximum number of concurrent backend connections allowed.

Values

An integer setting the maximum number of concurrent backend connections

Default

no default value

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/pod-maxconn: 30

`send-proxy-protocol`

Uses the PROXY Protocol when connecting to backend servers.

Values

proxy - Uses PROXY v1
proxy-v1 - Uses PROXY v1
proxy-v2 - Uses PROXY v2

Default

no default value

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/send-proxy-protocol: proxy-v2

Specifies the path of a secret containing a CA certificate (certificate authority) enabling HAProxy to verify a backend’s certificate via the ca-file directive. When the CA certificate is properly configured this also sets the HAProxy verify directive to required.

The secret must use ‘tls.crt’ key.

Values

Secret path following namespace/secretname format.

Default

no default value

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/server-ca: "ns1/ca"

`server-crt`

Specifies the path of a secret containing a client certificate that HAProxy can provide during SSL communication with the backend servers via the HAProxy crt directive.

The secret must use ‘tls.key’ and ‘tls.crt’ keys.

Values

Secret path following namespace/secretname format.

Default

no default value

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/server-crt: "ns1/client"

`server-proto`

HTTP/1.1 is the default protocol for backend servers communication. Currently, the server-proto annotation supports only “h2” as a value (supporting fcgi is also planned) which transmits HTTP/2 messages in the clear to the backend servers. However, when SSL is enabled on the backend, server-proto is ignored and both HTTP/1.1 and HTTP/2 are advertised via ALPN and transmitted as encrypted messages.

Values

Default

no default value

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/server-proto: "h2"

`server-ssl`

Enables SSL to pods.

Enable HTTP/2 support for backend severs.
Current implementation does not verify server certificates

Values

true
false

Default

false

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/server-ssl: "true"

`ssl-passthrough`

Passes SSL/TLS traffic through at Layer 4 directly to the backend service without Layer 7 inspection.

Traffic is proxied in TCP mode which makes unavailable a number of the controller annotations (requiring HTTP mode).

Values

true
false

Default

false

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/ssl-passthrough: "true"

`timeout-check`

Sets an additional check timeout, but only after a connection has been already established.

Values

An integer with a unit of time (1 second = 1s, 1 minute = 1m, 1h = 1 hour)

Default

no default value

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/timeout-check: 5s

Next up

Usage