Which Gateway API resource configuration allows adding a CA certificate to a backend server?


I am using HAProxy Ingress with Gateway API:

This is the version I have installed:

helm install haproxy-ingress haproxy-ingress/haproxy-ingress  --create-namespace \
     --namespace ingress-controller  --version 0.14.5  -f haproxy-ingress-values.yaml
kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.4.1" | kubectl apply -f -

This is the configuration of the gateway resource and values I am using:

::::::::::::::
haproxy-gateway-class.yaml
::::::::::::::
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: GatewayClass
metadata:
  name: haproxy
spec:
  controllerName: haproxy-ingress.github.io/controller
::::::::::::::
haproxy-gateway.yaml
::::::::::::::
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
  name: haproxy-gateway
  namespace: default
spec:
  gatewayClassName: haproxy
  listeners:
  - name: http-listener
    port: 80
    protocol: HTTP
  - name: https-listener
    port: 443
    protocol: HTTPS

::::::::::::::
haproxy-ingress-values.yaml
::::::::::::::
controller:
  hostNetwork: true
  ingressClassResource:
    enabled: true
  extraArgs:
    enable-endpointslices-api: "true"
    default-ssl-certificate: "default/haproxy-tls-secret"

Please find below the configuration of the resources I have applied. My question is that I am not able to find a way to add a CA certificate to the HAProxy backend, so that the HTTPS request made via the service below (service1-proxy) will use the specified CA certificate for the TLS handshake with the remote end. I am not able to find which configuration or annotation would allow outgoing TLS calls. I tried the annotations below on my Kubernetes Service resource, but none of them generated an haproxy.cfg with "ssl ca-file" in the backend server config.

#haproxy-ingress.github.io/secure-verify-ca-secret: "default/ca-secret"
#ingress.kubernetes.io/secure-verify-ca-secret: "default/ca-secret"
#haproxy.org/"default/ca-secret"
::::::::::::::
service1-proxy.yaml
::::::::::::::
apiVersion: v1
kind: Service
metadata:
  name: httpbin-service1-proxy
  annotations:
    #haproxy-ingress.github.io/secure-verify-ca-secret: "default/ca-secret"
    ingress.kubernetes.io/secure-verify-ca-secret: "default/ca-secret"
spec:
  ports:
    - protocol: TCP
      port: 443


::::::::::::::
service1-httproute.yaml
::::::::::::::
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  labels:
    gateway: haproxy
  name: httpbin-service1-route
  namespace: default
spec:
  parentRefs:
    - name: haproxy-gateway
  hostnames:
    - "service1.api.net"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: "/"
      backendRefs:
        - name: httpbin-service1-proxy
          port: 443


::::::::::::::
service1-endpoint-slice.yaml
::::::::::::::
apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
  name: httpbin-service1-es
  labels:
    kubernetes.io/service-name: "httpbin-service1-proxy"
addressType: IPv4
endpoints:
  - addresses:
      - "192.168.76.2"
    conditions:
      ready: true
ports:
  - protocol: TCP
    port: 31590  # The target port of the external service


Below is what was generated:

backend default_httpbin-service1-vs-cluster-1-httproute__rule0
    mode http
    balance roundrobin
    acl https-request ssl_fc
    http-request set-header X-Original-Forwarded-For %[hdr(x-forwarded-for)] if { hdr(x-forwarded-for) -m found }
    http-request del-header x-forwarded-for
    option forwardfor
    http-response set-header Strict-Transport-Security "max-age=15768000" if https-request
    **server srv001 192.168.76.2:30371 weight 128 check inter 2s**
    server srv002 127.0.0.1:1023 disabled weight 1 check inter 2s
    server srv003 127.0.0.1:1023 disabled weight 1 check inter 2s
    server srv004 127.0.0.1:1023 disabled weight 1 check inter 2s
    server srv005 127.0.0.1:1023 disabled weight 1 check inter 2s
    server srv006 127.0.0.1:1023 disabled weight 1 check inter 2s
    server srv007 127.0.0.1:1023 disabled weight 1 check inter 2s

Please let me know the right way to configure one-way TLS from haproxy backend server to a remote end using HAProxy Ingress with Gateway API resources (HTTPRoute, Service and EndpointSlice).

Thank you

Zouakem Zak On

Secure Backend should be the way to achieve that, but unfortunately it is not working as per Issue-1073.
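For reference, this is the Secure Backend configuration HAProxy Ingress documents for its backend-scope annotations, adapted to the Service from the question. It is an added example, not code from the question, the answer or the project, and it assumes the default `haproxy-ingress.github.io` annotation prefix, a Secret key named `ca.crt`, and the placeholder PEM shown; whether HAProxy Ingress 0.14.5 applies these keys to a Gateway API backendRef is exactly what Issue-1073 tracks. The line the question is looking for in the generated haproxy.cfg is a `server` entry carrying `ssl verify required ca-file <path>` instead of the bare `server srv001 192.168.76.2:30371 ...` shown above, which connects in cleartext.

```yaml
# Added example (not from the question, the answer or the HAProxy Ingress
# project). Annotation names use the haproxy-ingress.github.io prefix;
# the Secret key name ca.crt and the PEM content are assumptions.
---
apiVersion: v1
kind: Secret
metadata:
  name: ca-secret
  namespace: default
type: Opaque
stringData:
  # CA bundle that signed the remote server certificate. Placeholder value.
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    <PEM of the CA that issued the remote end's certificate>
    -----END CERTIFICATE-----
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin-service1-proxy
  namespace: default
  annotations:
    # Speak TLS to the servers of this backend. Without it the server line
    # has no "ssl" keyword at all and the hop is plaintext.
    haproxy-ingress.github.io/secure-backends: "true"
    # Validate the server certificate against this CA. Without it the
    # generated server line is "ssl verify none": encrypted, not authenticated.
    haproxy-ingress.github.io/secure-verify-ca-secret: "default/ca-secret"
    # Send SNI from the request Host header and require that name in the
    # server certificate, so any certificate signed by the CA is not enough.
    # Both keys are documented by HAProxy Ingress; values here are assumed
    # for the question's hostname.
    haproxy-ingress.github.io/secure-sni: "host"
    haproxy-ingress.github.io/secure-verify-hostname: "service1.api.net"
spec:
  # No selector: endpoints come from the hand-written EndpointSlice,
  # which must carry the label kubernetes.io/service-name=httpbin-service1-proxy.
  ports:
    - protocol: TCP
      port: 443
```

After applying, check the rendered backend with `kubectl exec` into the controller pod and grep the `server srv001` line for `ssl verify required ca-file`; a line with `ssl verify none` means the CA was not picked up, and a line with no `ssl` at all means the annotations were ignored, as reported in the question.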