HAProxy adds configuration flexibility in Kubernetes Ingress Controller 1.6

HAProxy Technologies has released version 1.6 of the HAProxy Kubernetes Ingress Controller, adding a number of new features including frontend configuration snippets, custom routing and TLS client certificate authentication.

The changes were guided by community members on GitHub and Slack, according to HAProxy.

In this version, the frontend-config-snippet annotation has been added for inserting directives into frontends that are managed by the controller. This extends the backend and global config snippets, which were introduced in version 1.5 to allow users to write raw HAProxy configuration directives to access advanced features in the underlying HAProxy engine.

However, HAProxy warned that it is safer to use backend-config-snippet in most cases, especially since most of the frontend configuration directives can also be used in a backend, save for a small number of exceptions.

This release also allows for importing ACL and Map file patterns to a ConfigMap, which can then be referenced through annotations, with subsequent routing decisions based on that data. In previous versions, patterns had to be listed according to individual filtering rules. In version 1.6 of the ingress controller, these types of lists can be moved to an external file, which is then loaded into a ConfigMap.

Custom routing is supported in version 1.6 through a dedicated service annotation named route-acl, aimed at users who wish to go beyond routing by host or URL path. This annotation can be set on a specific Kubernetes service to provide a HAProxy ACL expression that can be used to route traffic to that specific service, according to HAProxy.

The ingress controller now supports loading a secondary HAProxy configuration file in addition to the main configuration file, haproxy.cfg, which is generated by the ingress controller itself. This secondary configuration file allows for the definition of additional sections such as resolvers, cache, and ring.

According to HAProxy, there are two main reasons for this: to configure anything not supported by Ingress Controller annotations, and to facilitate migration of a legacy HAProxy config into one that is compatible with the HAProxy Kubernetes Ingress Controller.

For TLS certificates, version 1.5 added the ability to enable mTLS authentication between the ingress controller and the services it is proxying traffic to by setting the server-ca and server-crt annotations. Version 1.6 has added the same feature on the client side.

For a more detailed description of all these changes, see the HAProxy blog.
