Service Options

These options can be set in a Service object’s metadata.annotations section to change how requests are routed for a particular service.

check


Enables TCP level health checks on pods and attempts a TCP connection periodically.

Values

  • true
  • false

Default

  • true

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/check: "true"

check-http


Enables HTTP level health checks on pods and sends an HTTP request periodically. The check setting must be true.

Values

  • URI to make HTTP requests to, e.g. /health
  • URI with method, e.g. HEAD /health
  • URI, method and HTTP version, e.g. HEAD /health HTTP/1.1

Default

  • no default value

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/check: "true"
    haproxy.org/check-http: "/health"

check-interval


Sets the interval between health checks when check is enabled.

Values

  • Integer with time unit suffix (1m = 1 minute, 10s = 10 seconds)

Default

  • no default value

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/check: "true"
    haproxy.org/check-interval: "1m"

backend-config-snippet


Defines a group of configuration directives to add directly to a HAProxy backend section.

Values

  • One or more valid HAProxy directives

Default

  • no default value

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:


Enables persistent connections between a client and a pod by inserting a cookie into the client’s browser that is used to remember which backend pod they connected to before.

  • This will insert the following cookie configuration in the corresponding backend cookie <cookie-name> insert indirect nocache with <cookie-name> the value of this annotation.

Values

  • A name for the cookie

Default

  • no default value

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/cookie-persistence: "mycookie"

forwarded-for


Adds the X-Forwarded-For HTTP header to requests to capture and relay the client’s source IP address to backend pods.

Values

  • true
  • false

Default

  • true

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/forwarded-for: "true"

load-balance


Sets the load-balancing algorithm to use.

Values

  • roundrobin
  • static-rr
  • leastconn
  • first
  • source
  • uri
  • url_param
  • hdr([name])
  • random
  • random([draws])
  • rdp-cookie
  • rdp-cookie([name])

Default

  • roundrobin

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/load-balance: "leastconn"

pod-maxconn


Sets the maximum number of concurrent backend connections allowed.

Values

  • An integer setting the maximum number of concurrent backend connections

Default

  • no default value

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/pod-maxconn: 30

send-proxy-protocol


Uses the PROXY Protocol when connecting to backend servers.

Values

  • proxy - Uses PROXY v1
  • proxy-v1 - Uses PROXY v1
  • proxy-v2 - Uses PROXY v2

Default

  • no default value

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/send-proxy-protocol: proxy-v2

server-ca


Specifies the path of a secret containing a CA certificate (certificate authority) enabling HAProxy to verify a backend’s certificate via the ca-file directive. When the CA certificate is properly configured this also sets the HAProxy verify directive to required.

  • The secret must use ‘tls.crt’ key.

Values

  • Secret path following namespace/secretname format.

Default

  • no default value

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/server-ca: "ns1/ca"

server-crt


Specifies the path of a secret containing a client certificate that HAProxy can provide during SSL communication with the backend servers via the HAProxy crt directive.

  • The secret must use ‘tls.key’ and ‘tls.crt’ keys.

Values

  • Secret path following namespace/secretname format.

Default

  • no default value

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/server-crt: "ns1/client"

server-proto


HTTP/1.1 is the default protocol for backend servers communication. Currently, the server-proto annotation supports only “h2” as a value (supporting fcgi is also planned) which transmits HTTP/2 messages in the clear to the backend servers. However, when SSL is enabled on the backend, server-proto is ignored and both HTTP/1.1 and HTTP/2 are advertised via ALPN and transmitted as encrypted messages.

Values

  • h2

Default

  • no default value

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/server-proto: "h2"

server-ssl


Enables SSL to pods.

  • Enable HTTP/2 support for backend severs.
  • Current implementation does not verify server certificates

Values

  • true
  • false

Default

  • false

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/server-ssl: "true"

ssl-passthrough


Passes SSL/TLS traffic through at Layer 4 directly to the backend service without Layer 7 inspection.

  • Traffic is proxied in TCP mode which makes unavailable a number of the controller annotations (requiring HTTP mode).

Values

  • true
  • false

Default

  • false

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/ssl-passthrough: "true"

timeout-check


Sets an additional check timeout, but only after a connection has been already established.

Values

  • An integer with a unit of time (1 second = 1s, 1 minute = 1m, 1h = 1 hour)

Default

  • no default value

Example

apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/timeout-check: 5s

Next up

Usage