### Create Example Environment

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/README.md

Run 'make example' to set up a sample environment for testing the HAProxy Ingress Controller.

```bash
make example
```

--------------------------------

### Image Arguments Configuration Example

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/cmd/docs/README.md

Defines arguments for generating controller documentation. Specify argument details, possible values, defaults, version constraints, and examples.

```yaml
- argument: --some-argument
  description: description about what is this argument
  values:
    - values that argument can have
  default: default value that argument have (if any)
  version_min: minimal version that have this feature (SEMVER, only MAJOR.MINOR)
  version_max: last version that have this feature
  example: |-
    args:
      - --some-argument=some value
```

--------------------------------

### Install kind

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/deploy/tests/README.md

Installs the kind tool, a local Kubernetes cluster manager. Ensure GO111MODULE is set to 'on' before running.

```bash
GO111MODULE="on" go get sigs.k8s.io/kind@v0.8.1
```

--------------------------------

### Annotation Configuration Example

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/cmd/docs/README.md

Defines data for generating README.md, including annotation titles, types, groups, dependencies, defaults, descriptions, tips, values, applicability, version constraints, and examples.
```yaml
- title: annotation-name
  type: type of data
  group: what group does it belong to (to keep related annotations together)
  dependencies: does it have any dependency (other annotation)
  default: default value
  description:
    - list of description lines for annotation
  tip:
    - extra info
  values:
    - list of values (can be descriptive) that annotation can have
  applies_to:
    - configmap
    - ingress
    - service
  version_min: minimal version that have this feature (SEMVER, only MAJOR.MINOR)
  version_max: last version that have this feature
  example:
    - list of examples (usually one)
  example_configmap: |-
    example that overrides global one
  example_ingress: |-
    example that overrides global one
  example_service: |-
    example that overrides global one
```

--------------------------------

### Example http-echo Request and Output

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/deploy/tests/images/http-echo/README.md

This example shows how to use curl to send a request to the running http-echo service and the JSON output it returns, detailing various request attributes.

```bash
curl -b "test=bar" -k https://localhost:8443/path\?a\=foo1\&b\=foo2
```

```json
{
  "http": {
    "cookies": [
      "test=bar"
    ],
    "headers": {
      "Accept": "*/*",
      "Cookie": "test=bar",
      "User-Agent": "curl/7.70.0"
    },
    "host": "localhost:8443",
    "method": "GET",
    "path": "/path",
    "protocol": "HTTP/2.0",
    "query": "a=foo1\u0026b=foo2",
    "raw": "GET /path?a=foo1\u0026b=foo2 HTTP/1.1\r\nHost: localhost:8443\r\nUser-Agent: curl/7.70.0\r\nAccept: */*\r\nCookie: test=bar\r\n\r\n"
  },
  "os": {
    "hostname": "traktour"
  },
  "tcp": {
    "ip": "[::1]",
    "port": "53364"
  },
  "tls": {
    "cipher": "TLS_AES_128_GCM_SHA256",
    "sni": "localhost"
  }
}
```

--------------------------------

### Start Controller with TCP Services ConfigMap

Source: https://context7.com/haproxytech/kubernetes-ingress/llms.txt

Command-line argument to specify the TCP services ConfigMap when starting the HAProxy Kubernetes Ingress controller.
```bash
--configmap-tcp-services=haproxy-controller/tcp-services
```

--------------------------------

### Group Configuration Example

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/cmd/docs/README.md

Configures data for generating README.md, allowing multiline markdown strings for headers and footers related to annotation groups.

```yaml
tls-secret:
  header: |
    multiline string for entering additional data that is related to group of annotations can be written in markdown format
  footer: |
    multiline string for entering additional data that is related to group of annotations can be written in markdown format
```

--------------------------------

### Create Basic Auth Kubernetes Secret

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations.md

Example command to create a Kubernetes Secret for basic authentication using openssl to hash passwords.

```bash
kubectl create secret generic haproxy-credentials \
  --from-literal=bob=$(openssl passwd -1 bobPassword) \
  --from-literal=alice=$(openssl passwd -1 alicePassword)
# secret/haproxy-credentials created
```

--------------------------------

### Implement Canary Deployment with Service Annotations

Source: https://context7.com/haproxytech/kubernetes-ingress/llms.txt

Set up canary releases by routing a percentage of traffic to a staging service using annotations. This example sends ~25% of traffic to `app-staging`.
```yaml
# Production service (receives ~75% of traffic)
apiVersion: v1
kind: Service
metadata:
  name: app-prod
spec:
  selector:
    app: app-prod
  ports:
    - port: 80
      targetPort: 8080
---
# Staging service with route-acl (receives ~25% of traffic)
apiVersion: v1
kind: Service
metadata:
  name: app-staging
  annotations:
    haproxy.org/route-acl: "rand(100) lt 25"
spec:
  selector:
    app: app-staging
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: canary-ingress
spec:
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app-prod
                port:
                  number: 80
          - pathType: ImplementationSpecific
            backend:
              service:
                name: app-staging
                port:
                  number: 80
```

--------------------------------

### TCP Services ConfigMap Example

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md

An example of a Kubernetes ConfigMap defining TCP service mappings. It maps frontend ports to backend services, with an option for SSL offloading.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp
  namespace: haproxy-controller
data:
  3306: mysql-ns/mysql:3306
  389: ldap-ns/ldap:389:ssl
  6379: redis-ns/redis:6379
```

--------------------------------

### Build and Run Proxy Protocol Docker Image

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/deploy/tests/images/proxy-protocol/README.md

Builds a Docker image for the proxy protocol Go web server and runs it, exposing port 8080. Ensure Docker is installed and running.

```bash
docker build -t haproxytech/proxy-protocol -f deploy/tests/images/proxy-protocol/Dockerfile deploy/tests/images/proxy-protocol
docker run -p 8080:8080 --rm -t haproxytech/proxy-protocol
```

--------------------------------

### Apply Gateway API Resources

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md

Applies the necessary Gateway API resources for HAProxy Ingress controller testing.
Ensure these are installed before other resources.

```bash
kubectl apply -f deploy/tests/config/experimental/gwapi.experimental.yaml
```

--------------------------------

### HAProxy Route Configuration Example

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/canary-deployment.md

Illustrates the HAProxy configuration generated by the `route-acl` annotation, directing traffic to the staging backend based on a random condition.

```haproxy
use_backend default-echo-staging-http if { var(txn.host) echo.haproxy.local } { rand(100) lt 25 }
```

--------------------------------

### Kubernetes Deployment and Service Definitions

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/custom-resource-tcp.md

Example Kubernetes manifests for a Deployment and Service used with the HAProxy Ingress Controller. Ensure the image is accessible and ports match your configuration.

```yaml
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: http-echo
  namespace: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: http-echo
    spec:
      containers:
        - name: http-echo
          image: haproxytech/http-echo:latest
          imagePullPolicy: Never
          args:
            - --default-response=hostname
          ports:
            - name: http
              containerPort: 8888
              protocol: TCP
            - name: https
              containerPort: 8443
              protocol: TCP
---
kind: Service
apiVersion: v1
metadata:
  name: http-echo
  namespace: test
spec:
  ipFamilyPolicy: RequireDualStack
  ports:
    - name: http
      protocol: TCP
      port: 8888
      targetPort: http
    - name: https
      protocol: TCP
      port: 8443
      targetPort: https
  selector:
    app: http-echo
---
```

--------------------------------

### Run Pebble Supervisor

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/pebble.md

Start the Pebble supervisor. This command is used in external mode after setting up the Pebble directory and scripts.
```bash
pebble run
```

--------------------------------

### Frontend Annotation Example in ConfigMap

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations-custom.md

Illustrates how to define frontend annotations for HAProxy Ingress by adding them as annotations to the HAProxy Kubernetes Ingress controller's ConfigMap. This allows customization of frontend behavior.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: haproxy-kubernetes-ingress
  namespace: haproxy-controller
  annotations:
    frontend.example.com/timeout-server: "5s"
    frontend.example.com/timeout-client: "6s"
data:
  ...
```

--------------------------------

### Create TLS Secret using kubectl

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations.md

Example of creating a Kubernetes TLS secret using kubectl, containing a private key and certificate.

```bash
kubectl create secret tls my-secret --key= --cert=
```

--------------------------------

### Create Generic Secret with Multiple Certificate Formats

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations.md

Example of creating a generic Kubernetes secret to store certificates in multiple formats (RSA and ECDSA).

```bash
kubectl create secret generic my-secret --from-file=rsa.key= --from-file=rsa.crt= \
  --from-file=ecdsa.key= --from-file=ecdsa.crt=
```

--------------------------------

### HAProxy Frontend Configuration with TLS

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/custom-resource-tcp.md

Example of a frontend configuration in HAProxy, binding to a specific port and enabling SSL using a certificate. The certificate path is specified using `crt`.
```haproxy
frontend tcpcr_test_fe-http-echo-443
  mode tcp
  bind :32766 name v4 crt /etc/haproxy/certs/tcp/test_tcp-test-cert.pem ssl
  bind [::]:32766 name v4v6 v4v6
  log-format '%{+Q}o %t %s'
  option tcplog
  default_backend test_svc_http-echo_https
```

--------------------------------

### Ingress Resource with IngressClassName

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/ingressclass.md

Example of an Ingress object specifying an `ingressClassName` to target a particular controller.

```yaml
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: test
spec:
  ingressClassName: haproxy
  rules:
    - host: test.k8s.local
      http:
        paths:
          - path: /
            # networking.k8s.io/v1 requires pathType and the service/port backend form
            pathType: ImplementationSpecific
            backend:
              service:
                name: http-echo
                port:
                  name: http
```

--------------------------------

### Configure Backend Settings with Backend CRD

Source: https://context7.com/haproxytech/kubernetes-ingress/llms.txt

Use the Backend CRD to define custom configurations for specific services. This example sets HTTP mode, least connection balancing, and default server options.

```yaml
apiVersion: "ingress.v1.haproxy.org/v1"
kind: Backend
metadata:
  name: my-backend
  namespace: haproxy-controller
spec:
  config:
    mode: http
    balance:
      algorithm: "leastconn"
    abortonclose: disabled
    default_server:
      verify: none
      resolve-prefer: ipv4
      check-sni: example.com
      sni: str(example.com)
```

--------------------------------

### Backend Custom Resource Definition

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/custom-resource-tcp.md

Example Kubernetes Backend Custom Resource manifest. This CR allows for advanced configuration of backend services, overriding defaults.
```yaml
apiVersion: ingress.v3.haproxy.org/v3
kind: Backend
metadata:
  name: mybackend
  namespace: haproxy-controller
spec:
  abortonclose: disabled
  balance:
    algorithm: leastconn
  default_server:
    check-sni: example.com
    resolve-prefer: ipv4
    sni: str(example.com)
    verify: none
  mode: http
  name: toto
```

--------------------------------

### Configure HAProxy Frontend with Frontend CRD

Source: https://context7.com/haproxytech/kubernetes-ingress/llms.txt

Define custom HAProxy frontends using the Frontend CRD. This example configures an HTTP frontend listening on port 8080.

```yaml
apiVersion: ingress.v3.haproxy.org/v3
kind: Frontend
metadata:
  name: custom-frontend
  namespace: haproxy-controller
spec:
  accept_invalid_http_request: enabled
  binds:
    custom:
      address: 0.0.0.0
      port: 8080
      name: custom
  name: custom-http
```

--------------------------------

### Usage of Multiline Backend Timeout Annotation

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations-custom.md

Provides an example of how to use the multiline backend timeout annotation by supplying a JSON object with specific timeout values. This JSON is processed by the template defined in the annotation.

```yaml
backend.example.com/timeouts: |
  {
    "server": "42s",
    "server_fin": "10s",
    "tarpit": "5s"
  }
```

--------------------------------

### Build HAProxy Ingress Controller from Source

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/README.md

Use 'make build' to compile the HAProxy Ingress Controller from source. For non-default platforms, specify TARGETPLATFORM.
```bash
make build
```

```bash
make build TARGETPLATFORM=linux/arm/v6
```

--------------------------------

### Create Kubernetes Cluster with HAProxy Ingress Controller

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/deploy/tests/README.md

Initializes a Kubernetes cluster named 'dev' using kind and deploys the HAProxy Ingress Controller with configurations from the 'deploy/tests/config' directory.

```bash
./create.sh
```

--------------------------------

### Configure Path Rewriting Ingress

Source: https://context7.com/haproxytech/kubernetes-ingress/llms.txt

An Ingress resource that rewrites URL paths before forwarding requests to backend services. This example strips the '/api' prefix.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rewrite-ingress
  annotations:
    # Strip /api prefix: "/api/users" becomes "/users"
    # Single quotes keep \1 literal; YAML rejects \1 inside double quotes
    haproxy.org/path-rewrite: '/api/(.*) /\1'
spec:
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: api-service
                port:
                  number: 8080
```

--------------------------------

### Build and Run http-echo Docker Image

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/deploy/tests/images/http-echo/README.md

Use these commands to build the Docker image for http-echo and then run it, exposing the HTTP and HTTPS ports.

```bash
docker build -t haproxytech/http-echo -f deploy/tests/images/http-echo/Dockerfile deploy/tests/images/http-echo
docker run -p 8888:80 -p 8443:443 --rm -t haproxytech/http-echo
```

--------------------------------

### Deploy Test Application

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/deploy/tests/README.md

Deploys the 'haproxytech/http-echo' application to the Kubernetes cluster for testing purposes.
```bash
kubectl apply -f ./config/echo-app.yaml
```

--------------------------------

### Enable Job Check CRD Mode

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md

Activates a special mode for the controller to verify CRD installation and version. This mode does not run the ingress controller itself.

```yaml
--job-check-crd
```

--------------------------------

### Deploy HAProxy Ingress Controller

Source: https://context7.com/haproxytech/kubernetes-ingress/llms.txt

Deploy the ingress controller using the provided manifest and verify the deployment by checking the pods and services.

```bash
# Deploy the ingress controller with default configuration
kubectl apply -f deploy/haproxy-ingress.yaml

# Verify the deployment
kubectl get pods -n haproxy-controller
kubectl get svc -n haproxy-controller
```

--------------------------------

### HAProxy Backend Configuration

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/custom-resource-tcp.md

Example of a backend configuration in HAProxy for TCP mode, defining servers and health checks. Includes both IPv4 and IPv6 server addresses.

```haproxy
backend test_svc_http-echo_https
  mode tcp
  balance roundrobin
  no option abortonclose
  timeout server 50000
  default-server check
  server SRV_1 10.244.0.8:8443 enabled
  server SRV_2 [fd00:10:244::8]:8443 enabled
  server SRV_3 127.0.0.1:8443 disabled
  server SRV_4 127.0.0.1:8443 disabled
```

--------------------------------

### Create ConfigMap for ACL Pattern Files

Source: https://context7.com/haproxytech/kubernetes-ingress/llms.txt

Create a Kubernetes ConfigMap to store pattern files for ACLs. Use `kubectl create configmap` with the `--from-file` flag to load IP lists or domain lists.
```bash
# Create pattern file ConfigMap
kubectl create -n haproxy-controller configmap acl-patterns \
  --from-file=allowed-ips=/tmp/allowed-ips.txt \
  --from-file=blocked-domains=/tmp/blocked-domains.txt
```

--------------------------------

### Apply Frontend Resource with kubectl

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/custom-resources.md

Command to apply the defined Frontend custom resource to the Kubernetes cluster.

```bash
$ kubectl apply -f myfrontend.yaml
```

--------------------------------

### Configure Log as Soon as Possible (logasap)

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations.md

Enable logging of request and response data as soon as the server returns complete HTTP response headers. This annotation is available on configmaps.

```yaml
logasap: "true"
```

--------------------------------

### Configure TCP Service with TCP CRD

Source: https://context7.com/haproxytech/kubernetes-ingress/llms.txt

Define TCP services with full frontend and backend control using the TCP CRD. This example configures a MySQL TCP service.

```yaml
apiVersion: ingress.v3.haproxy.org/v3
kind: TCP
metadata:
  name: tcp-mysql
  namespace: database
  annotations:
    ingress.class: haproxy
spec:
  - name: mysql-tcp
    frontend:
      name: fe-mysql
      binds:
        v4:
          name: v4
          port: 3306
        v4v6:
          address: '::'
          name: v4v6
          port: 3306
          v4v6: true
      tcplog: true
      log_format: '%{+Q}o %t %s'
    service:
      name: mysql
      port: 3306
```

--------------------------------

### Generated Configuration with Predefined Values

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations-custom.md

Illustrates the HAProxy configuration generated from the backend timeout annotation using predefined values. It includes comments with owner, reason, and other contextual information.
```txt
### example.com/timeouts ###
# ==============================================
# custom annotation, owner: oktalz - Reason: custom annotations demo for default_svc_http-echo_http
# namespace default, ingress http-echo, service http-echo
# POD_NAME haproxy-ingress-56ml56gs, POD_NAMESPACE haproxy-controller, POD_IP 10.8.0.2
# ==============================================
timeout server 51s
timeout server-fin 20s
timeout tarpit 5s
```

--------------------------------

### Deploy HAProxy Ingress Controller with kubectl

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/README.md

Apply the HAProxy Ingress Controller deployment configuration using kubectl. Ensure you have the 'deploy/haproxy-ingress.yaml' file available.

```bash
kubectl apply -f deploy/haproxy-ingress.yaml
```

--------------------------------

### Create ReferenceGrant Resource

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md

Establishes a ReferenceGrant in the 'default' namespace, allowing TCPRoute resources in the same namespace to refer to Services.

```bash
echo '
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: ReferenceGrant
metadata:
  name: refgrantns1
  namespace: default
spec:
  from:
    - group: "gateway.networking.k8s.io"
      kind: "TCPRoute"
      namespace: default
  to:
    - group: ""
      kind: "Service"' | kubectl apply -f -
```

--------------------------------

### Create Basic Auth Secret

Source: https://context7.com/haproxytech/kubernetes-ingress/llms.txt

Create a Kubernetes secret to store credentials for basic authentication. Passwords should be hashed using `openssl passwd -1`.
```bash
kubectl create secret generic haproxy-credentials \
  --from-literal=admin=$(openssl passwd -1 adminPassword) \
  --from-literal=user=$(openssl passwd -1 userPassword)
```

--------------------------------

### Reference Resolvers in Backend Config

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/secondary-config.md

Reference the defined resolvers section in the `backend-config-snippet` to configure the default DNS resolution behavior for backend services. This ensures services start in a down state and use the specified resolvers.

```haproxy-config
backend-config-snippet: default-server init-addr none resolvers mydns
```

--------------------------------

### Testing Canary Deployment Rollout

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/canary-deployment.md

A shell command to test the canary deployment by sending multiple requests to the ingress host and observing the responses from staging and production.

```bash
$ for i in `seq 10`; do curl -H "Host: echo.haproxy.local" http://127.0.0.1; done
```

--------------------------------

### TCP Custom Resource Definition Example

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/custom-resource-tcp.md

This YAML defines a TCP Custom Resource for HAProxy Kubernetes Ingress. It specifies frontend and backend configurations for a TCP service. Ensure the namespace matches where the CR is deployed.
```yaml
apiVersion: ingress.v3.haproxy.org/v3
kind: TCP
metadata:
  annotations:
    ingress.class: haproxy
  name: tcp-1
  namespace: test
spec:
  - frontend:
      binds:
        v4:
          name: v4
          port: 32766
        v4v6:
          address: '::'
          name: v4v6
          port: 32766
          v4v6: true
      log_format: '%{+Q}o %t %s'
      name: fe-http-echo-8443
      tcplog: true
    name: tcp-http-echo-8443
    service:
      name: http-echo
      port: 8443
```

--------------------------------

### Apply Backend Resource with kubectl

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/custom-resources.md

Command to apply the defined Backend custom resource to the Kubernetes cluster.

```bash
$ kubectl apply -f mybackend.yaml
```

--------------------------------

### Specify Input File for CRD Conversion

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md

Provide the path to a v1 CRD manifest to convert to v3. This option requires --output-file for the result.

```bash
--input-file=/home/xxx/convert/v1/global-full.yaml
```

--------------------------------

### Create ConfigMap for Secondary HAProxy Config

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/secondary-config.md

Create a Kubernetes ConfigMap to store the secondary HAProxy configuration file. This ConfigMap will be mounted into the ingress controller pod.

```bash
kubectl create configmap haproxy-aux-cfg --from-file /tmp/haproxy-aux.cfg
# configmap/haproxy-aux-cfg created
```

--------------------------------

### Enable Prometheus Metrics

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/prometheus.md

Add the `--prometheus` flag to the ingress controller's command-line arguments to activate Prometheus endpoints. The metrics are available at the same address as the ingress controller on the path `/metrics`.
```bash
http(s)://:/metrics
```

--------------------------------

### Apply Additional Gateway API Resources

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md

Applies additional resources for Gateway API testing, including configuration, echo application, and RBAC.

```bash
kubectl apply -f deploy/tests/config/experimental/gwapi-resources.yaml
```

```bash
kubectl apply -f deploy/tests/config/experimental/gwapi-echo-app.yaml
```

```bash
kubectl apply -f deploy/tests/config/experimental/gwapi-rbac.yaml
```

--------------------------------

### Enable Standalone Backend

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations.md

Configure a separate backend for an ingress to prevent configuration conflicts when multiple ingresses refer to the same service.

```yaml
haproxy.org/standalone-backend: "true"
```

--------------------------------

### Load Balancing Algorithm Configuration

Source: https://context7.com/haproxytech/kubernetes-ingress/llms.txt

Configure load balancing algorithms and cookie persistence for backend services using annotations on a Service resource.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
  annotations:
    haproxy.org/load-balance: "leastconn"  # Options: roundrobin, leastconn, source, uri, random
    haproxy.org/cookie-persistence: "SERVERID"
spec:
  selector:
    app: my-app
  ports:
    - port: 80
      targetPort: 8080
```

--------------------------------

### Enable Backend SSL (Re-encryption) with Service Annotations

Source: https://context7.com/haproxytech/kubernetes-ingress/llms.txt

Configure SSL communication between HAProxy and backend pods for end-to-end encryption. Use annotations like `haproxy.org/server-ssl`, `haproxy.org/server-ca`, `haproxy.org/server-crt`, and `haproxy.org/server-proto`.
```yaml
apiVersion: v1
kind: Service
metadata:
  name: secure-backend
  annotations:
    haproxy.org/server-ssl: "true"
    haproxy.org/server-ca: "default/backend-ca-secret"
    haproxy.org/server-crt: "default/client-cert-secret"
    haproxy.org/server-proto: "h2"
spec:
  selector:
    app: secure-app
  ports:
    - port: 443
      targetPort: 8443
```

--------------------------------

### Specify Output File for CRD Conversion

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md

Provide the path to a manifest where the converted v3 CRDs will be written from a v1 manifest. This option requires --input-file.

```bash
--output-file=/home/xxx/convert/v3/global-full.yaml
```

--------------------------------

### Define Frontend Configuration Snippet

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations.md

Insert directives into main HTTP/HTTPS frontends. Applies to all traffic. Controller configuration is evaluated first. Prefer backend-config-snippet to avoid conflicts.

```yaml
frontend-config-snippet: |
  unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
  unique-id-header X-Unique-ID
```

--------------------------------

### Configure Syslog Servers for Logging

Source: https://context7.com/haproxytech/kubernetes-ingress/llms.txt

Set up external syslog servers for centralized logging by defining their addresses, ports, facilities, and log levels in a ConfigMap. The log format and null logging behavior can also be specified.
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: haproxy-kubernetes-ingress
  namespace: haproxy-controller
data:
  syslog-server: |
    address:192.168.1.10, port:514, facility:local0, level:info
    address:192.168.1.11, port:514, facility:local1, level:warning
  log-format: "'%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs \"%HM %[var(txn.base)] %HV\"'"
  dontlognull: "true"
```

--------------------------------

### Configure IP Allow List (Deprecated)

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations.md

Deprecated: Use `allow-list` instead. Blocks all IPs except those specified. Supports comma-separated IPs/CIDRs or a pattern file.

```yaml
whitelist: "192.168.1.0/24, 192.168.2.100"
```

--------------------------------

### Predefined Values Backend Timeout Annotation Template

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations-custom.md

Demonstrates a multiline template for backend timeouts that includes predefined values like owner, reason, namespace, and ingress details. This allows for richer, context-aware annotation configurations.
```yaml
timeouts:
  section: backend
  template: |
    # ==============================================
    # custom annotation, owner: {{.owner}} - Reason: {{.reason}} for {{.BACKEND}}
    # namespace {{.NAMESPACE}}, ingress {{.INGRESS}}, service {{.SERVICE}}
    # POD_NAME {{.POD_NAME}}, POD_NAMESPACE {{.POD_NAMESPACE}}, POD_IP {{.POD_IP}}
    # ==============================================
    timeout server {{.server}}
    timeout server-fin {{.server_fin}}
    timeout tarpit {{.tarpit}}
    # ==============================================
  type: json
  rule: |
    'owner' in value && 'reason' in value &&
    'server' in value && value.server.matches('^[0-9]+[smh]?$') &&
    'server_fin' in value && value.server_fin.matches('^[0-9]+[smh]?$') &&
    'tarpit' in value && value.tarpit.matches('^[0-9]+[smh]?$')
```

--------------------------------

### Apply Global Resource

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/custom-resources.md

Command to apply the defined Global custom resource to your Kubernetes cluster.

```bash
$ kubectl apply -f myglobal.yaml
```

--------------------------------

### Configure Controller Command-Line Arguments

Source: https://context7.com/haproxytech/kubernetes-ingress/llms.txt

Customize the HAProxy Ingress controller's behavior by specifying various command-line arguments in its Deployment configuration. This includes settings for configmaps, ports, logging levels, and Prometheus integration.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: haproxy-kubernetes-ingress
  namespace: haproxy-controller
spec:
  template:
    spec:
      containers:
        - name: haproxy-ingress
          image: haproxytech/kubernetes-ingress
          args:
            - --configmap=haproxy-controller/haproxy-kubernetes-ingress
            - --configmap-tcp-services=haproxy-controller/tcp-services
            - --configmap-errorfiles=haproxy-controller/errorfiles
            - --default-ssl-certificate=haproxy-controller/default-cert
            - --ingress.class=haproxy
            - --publish-service=haproxy-controller/haproxy-kubernetes-ingress
            - --sync-period=5s
            - --log=info
            - --prometheus
            - --http-bind-port=8080
            - --https-bind-port=8443
```

--------------------------------

### Apply Defaults Resource

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/custom-resources.md

Command to apply the defined Defaults custom resource to your Kubernetes cluster.

```bash
$ kubectl apply -f mydefaults.yml
```

--------------------------------

### Bind ClusterRole to Service Account

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md

This command creates a ClusterRoleBinding to associate the 'haproxy-kubernetes-ingress-gwapi' ClusterRole with the 'haproxy-kubernetes-ingress' ServiceAccount in the 'haproxy-controller' namespace. This grants the ingress controller the necessary permissions for Gateway API resources.
```bash
echo '
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: haproxy-kubernetes-ingress-gwapi
  namespace: haproxy-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: haproxy-kubernetes-ingress-gwapi
subjects:
- kind: ServiceAccount
  name: haproxy-kubernetes-ingress
  namespace: haproxy-controller' | kubectl apply -f -
```

--------------------------------

### Enable Basic Authentication

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations.md

Sets the authentication strategy to basic-auth and specifies the Kubernetes Secret containing credentials.

```yaml
auth-type: basic-auth
auth-secret: default/haproxy-credentials
```

--------------------------------

### Define Backend Configuration Snippet

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations.md

Add directives directly to a HAProxy backend section. Available on configmap, ingress, and service.

```yaml
backend-config-snippet: |
  http-send-name-header x-dst-server
  stick-table type string len 32 size 100k expire 30m
  stick on req.cook(sessionid)
```

--------------------------------

### Enable Proxy Protocol for Specific IPs

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations.md

Configure the Proxy Protocol on the client side for a specified list of IP addresses or CIDR ranges. Enabling for `0.0.0.0/0` applies it to all incoming traffic.

```yaml
proxy-protocol: "192.168.1.0/24, 192.168.2.100"
```

--------------------------------

### Test Application with curl

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/deploy/tests/README.md

Sends a request to the deployed test application using curl, specifying a custom host header. The response will contain application POD name and request attributes.
```bash
curl --header "Host: echo.haproxy.local" 127.0.0.1:30080
```

--------------------------------

### Build Pebble Docker Image

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/pebble.md

Build a custom Docker image for the HAProxy Ingress Controller supervised by Pebble. This command assumes you have the necessary build tools and Dockerfile available.

```bash
make build-pebble
```

--------------------------------

### Lint Code with Task

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/README.md

Execute 'task lint' to perform code linting according to the project's standards.

```bash
task lint
```

--------------------------------

### Configure External Mode with HAProxy Binary Path

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md

Specifies the path to the HAProxy binary when running the controller in external mode. This option is only available in external mode.

```yaml
--external
--program=/usr/bin/haproxy
```

--------------------------------

### All Options Annotation Configuration

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations-custom.md

Defines a comprehensive configuration for a 'timeout-server' annotation, specifying its section, allowed namespaces and resources, ingress limitations, priority, template, data type, and validation rule. This provides granular control over annotation behavior.

```yaml
timeout-server: # name of annotation
  section: all # can be all, frontend, backend (default)
  namespaces: # we can limit namespace usage
    - haproxy-controller
    - default
  resources: # limit usage to Service, Frontend or Backend names (list)
    -
  ingresses: # limit usage to specific ingresses
    -
  order_priority: 100 # order of custom annotations in config; a higher value means higher priority
  template: "timeout server {{.}}" # template we can use (golang templates)
  type: duration # expected data type for conversion (duration;int;uint;bool;string;float;json;)
  rule: "value > duration('42s') && value <= duration('42m')" # CEL expression
```

--------------------------------

### Create Gateway Resource

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md

Defines a Gateway resource named 'gateway1' that listens on port 8000 for TCP traffic. It references the 'haproxy-gwc' GatewayClass.

```bash
echo '
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
  name: gateway1
  namespace: default
spec:
  gatewayClassName: haproxy-gwc
  listeners:
  - allowedRoutes:
      kinds:
      - group: gateway.networking.k8s.io
        kind: TCPRoute
      namespaces:
        from: All
    name: listener1
    port: 8000
    protocol: TCP' | kubectl apply -f -
```

--------------------------------

### Announce QUIC Port

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md

Adjust the port in the alt-svc header to redirect to the exposed port if it differs from the QUIC binding port.

```yaml
args:
  - --quic-announce-port=10443
```

--------------------------------

### Configure Path Rewriting with Single Line Annotations

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations.md

Apply path rewriting rules using single-line annotations. Supports basic replacements, prefix additions, suffix additions, and path stripping.

```yaml
haproxy.org/path-rewrite: "/"
```

```yaml
# single quotes keep the regex backslashes literal in YAML
haproxy.org/path-rewrite: '(.*) /foo\1'
```

```yaml
haproxy.org/path-rewrite: '([^?]*)(\?(.*))? \1/foo\2'
```

```yaml
haproxy.org/path-rewrite: '/foo/(.*) /\1'
```

--------------------------------

### Configure IP Allow List

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations.md

Blocks all IP addresses except the whitelisted ones.
Accepts a comma-separated list of IPs/CIDRs or a path to a pattern file.

```yaml
allow-list: "192.168.1.0/24, 192.168.2.100"
```

--------------------------------

### Enable pprof Endpoint

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md

Enable the pprof profiling endpoint using the `--pprof` flag. If `--default-backend-port` is not set, it defaults to port 6060.

```yaml
--pprof
```

--------------------------------

### Configure Syslog Servers

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations.md

Define one or more Syslog servers for log forwarding. Each server can be configured with address, facility, format, length, level, minlevel, and port. Available on configmaps.

```yaml
# a single entry
syslog-server: "address:192.158.1.1, port:514, facility:local0"
```

```yaml
# log to stdout
syslog-server: "address:stdout, format: raw, facility:daemon"
```

```yaml
# multiple entries
syslog-server: |
  address:127.0.0.1, port:514, facility:local0
  address:192.168.1.1, port:514, facility:local1
```

--------------------------------

### Configure External Mode with Runtime Directory

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md

Specifies the path to the HAProxy runtime directory for external mode, which includes resources like PID files and runtime sockets. This option is only available in external mode.

```yaml
--external
--runtime-dir=/haproxy-ingress/run
```

--------------------------------

### Create HAProxy GatewayClass

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md

Creates a GatewayClass resource for HAProxy Ingress. The controllerName must match the one configured for the HAProxy gateway controller.

```bash
echo '
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: GatewayClass
metadata:
  name: haproxy-gwc
spec:
  controllerName: haproxy.org/gateway-controller' | kubectl apply -f -
```

--------------------------------

### Mount Secondary ConfigMap in Pod

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/secondary-config.md

Mount the ConfigMap containing the secondary HAProxy configuration as a volume in the ingress controller pod. Ensure the mount path is set to `/etc/haproxy/haproxy-aux.cfg`.

```yaml
containers:
  - name: haproxy-ingress
    image: haproxytech/kubernetes-ingress:latest
    volumeMounts:
      - name: haproxy-cfg-vol
        mountPath: /etc/haproxy/haproxy-aux.cfg
volumes:
  - name: haproxy-cfg-vol
    configMap:
      name: haproxy-aux-cfg
```

--------------------------------

### Set Load Balancing Algorithm

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations.md

Sets the load-balancing algorithm to use. Available options include roundrobin, leastconn, source, uri, hdr, random, and rdp-cookie.

```yaml
load-balance: "leastconn"
```

--------------------------------

### Create ClusterRole for HAProxy Gateway API

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/gateway-api.md

This command creates a ClusterRole named 'haproxy-kubernetes-ingress-gwapi' granting permissions to manage Gateway API resources like TCPRoutes, Gateways, and their statuses. It's recommended for separating Gateway API configurations.

```bash
echo '
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: haproxy-kubernetes-ingress-gwapi
rules:
- apiGroups:
  - "gateway.networking.k8s.io"
  resources:
  - referencegrants
  - gateways
  - gatewayclasses
  - tcproutes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - "gateway.networking.k8s.io"
  resources:
  - gatewayclasses/status
  - gateways/status
  - tcproutes/status
  verbs:
  - update' | kubectl apply -f -
```

--------------------------------

### Enable Prometheus Metrics in Controller Deployment

Source: https://context7.com/haproxytech/kubernetes-ingress/llms.txt

Configure the HAProxy Ingress controller deployment to expose Prometheus metrics. Ensure the `--prometheus` flag is set in the container's arguments and the metrics port is exposed.

```yaml
# Controller deployment with Prometheus enabled
apiVersion: apps/v1
kind: Deployment
metadata:
  name: haproxy-kubernetes-ingress
  namespace: haproxy-controller
spec:
  template:
    spec:
      containers:
        - name: haproxy-ingress
          image: haproxytech/kubernetes-ingress
          args:
            - --configmap=haproxy-controller/haproxy-kubernetes-ingress
            - --prometheus
          ports:
            - name: metrics
              containerPort: 6060
```

--------------------------------

### Configure Rate Limiting Period

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations.md

Set the time window for tracking requests per source IP address. The default is 1 second.

```yaml
rate-limit-period: "1m"
```

--------------------------------

### Enable Prometheus Endpoint

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md

Enable the Prometheus metrics endpoint using the `--prometheus` flag. If `--default-backend-port` is not set, it defaults to port 6060.

```yaml
--prometheus
```

--------------------------------

### Run End-to-End Tests

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/deploy/tests/README.md

Executes all end-to-end tests in the './e2e' directory, filtered by a specified tag. Use 'e2e_parallel' for parallel execution or 'e2e_sequential' for sequential execution.

```bash
go test -v --tags= ./e2e/...
```

--------------------------------

### Enable Proxy Protocol v2 for Backend Services

Source: https://context7.com/haproxytech/kubernetes-ingress/llms.txt

Configure a Kubernetes Service to send Proxy Protocol v2 information to backend services. This annotation is applied to the Service definition.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: proxy-backend
  annotations:
    haproxy.org/send-proxy-protocol: "proxy-v2"
spec:
  selector:
    app: my-app
  ports:
    - port: 80
      targetPort: 8080
```

--------------------------------

### Configure Pattern Files for HAProxy ACLs

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md

Utilize `--configmap-patternfiles` to load pattern files into HAProxy configuration, commonly used for ACLs. Ensure pattern files are prefixed with 'patterns/' when referenced in config-snippets.

```shell
% cat /tmp/ips
127.0.0.1
10.0.0.0/8
1.2.3.4/24
```

```shell
% cat /tmp/names
foo
bar
toto
bidule
```

```shell
kubectl create -n default configmap acl-patterns --from-file=/tmp/ips --from-file=/tmp/names
```

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: acls-patterns
  namespace: haproxy-controller
data:
  ips: |
    127.0.0.1
    10.0.0.0/8
    1.2.3.4/24
  names: |
    foo
    bar
    toto
    bidule
```

```yaml
backend-config-snippet: |
  http-request deny if !{ src -f patterns/ips }
```

```yaml
--configmap-patternfiles=default/acl-patterns
```

--------------------------------

### Client TLS Authentication Annotations

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations.md

Annotations for configuring client certificate verification for TLS authentication.

````APIDOC
## client-ca

### Description
Sets the client certificate authority, enabling HAProxy to verify client certificates (TLS authentication) and thus enabling client *mTLS*.

### Available on
`configmap`

### Possible values
- Secret path in "namespace/name" format. Secret should contain the CA certificate in `tls.crt` key. Multiple CAs can be provided by concatenating them in the same `tls.crt` key.

### Example
```yaml
client-ca: exp/client-ca-secret
```

## client-crt-optional

### Description
If enabled, certificate verification will be optional. If disabled, HAProxy will enforce verification of client certificates.

### Available on
`configmap`

### Possible values
- `true`
- `false` (default)

### Example
```yaml
client-crt-optional: true
```
````

--------------------------------

### Enable X-Forwarded-For Header

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations.md

Adds the X-Forwarded-For HTTP header to requests to capture and relay the client's source IP address to backend pods. Defaults to true.

```yaml
forwarded-for: "true"
```

--------------------------------

### Basic Ingress Resource Configuration

Source: https://context7.com/haproxytech/kubernetes-ingress/llms.txt

Define an Ingress resource to route external traffic to backend services based on host and path rules. Includes annotations for load balancing and health checks.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app-ingress
  annotations:
    haproxy.org/load-balance: "roundrobin"
    haproxy.org/check: "true"
    haproxy.org/check-http: "/health"
spec:
  ingressClassName: haproxy
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: api-service
                port:
                  number: 8080
          - path: /
            pathType: Prefix
            backend:
              service:
                name: frontend-service
                port:
                  number: 80
  tls:
    - hosts:
        - app.example.com
      secretName: app-tls-secret
```

--------------------------------

### Configure Authentication Realm

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/annotations.md

Sets the realm name for HTTP authentication.

```yaml
auth-realm: Admin Area
```

--------------------------------

### HAProxy Backend Configuration Snippet

Source: https://context7.com/haproxytech/kubernetes-ingress/llms.txt

Configure backend HAProxy settings via a ConfigMap. This snippet includes options for sending destination server names and implementing sticky sessions based on cookies.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: haproxy-kubernetes-ingress
  namespace: haproxy-controller
data:
  backend-config-snippet: |
    http-send-name-header x-dst-server
    stick-table type string len 32 size 100k expire 30m
    stick on req.cook(sessionid)
```

--------------------------------

### Enable Custom Annotations on Ingress

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/documentation/controller.md

Enable support for custom annotations on ingress resources. Use with caution when the same annotation is applied to multiple ingresses for the same service.

```bash
--enable-custom-annotations-on-ingress
```

--------------------------------

### Define Global Custom Resource in Go

Source: https://github.com/haproxytech/kubernetes-ingress/blob/master/crs/README.md

Defines the Go types for a 'Global' custom resource and its list, including necessary Kubernetes metadata and spec. It reuses HAProxy CN models for configuration and includes deepcopy-gen tags for code generation.

```go
package v3

import (
	"github.com/haproxytech/client-native/v6/models"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// Global is a specification for a Global resource
type Global struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec GlobalSpec `json:"spec"`
}

// GlobalSpec defines the desired state of Global
type GlobalSpec struct {
	Config *models.Global `json:"config"`
}

// DeepCopyInto deepcopying the GlobalSpec receiver into out. in must be non nil.
func (in *GlobalSpec) DeepCopyInto(out *GlobalSpec) {
	*out = *in
	if in.Config != nil {
		// Allocate a fresh Config so that out does not share the pointer held by in.
		out.Config = new(models.Global)
		b, _ := in.Config.MarshalBinary()
		_ = out.Config.UnmarshalBinary(b)
	}
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// GlobalList is a list of Global resources
type GlobalList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`

	Items []Global `json:"items"`
}
```