From d82ae12272912ddf1afe6caf3a258b6825bee1dc Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Fri, 15 Sep 2023 22:42:21 +0200
Subject: [PATCH] feat(nginx): Add full support for proxy-protocol
This patch adds a haproxy deployment to the cluster, which allows to mimic the haproxy setup outside the cluster. Making sure that traffic is automatically redirected and works around the limitations of ingress nginx, of limiting proxy protocol to a boolean for either all traffic or for none.
---
 clusters/k8s01/nginx-system/haproxy.yaml | 130 ++++++++++++++++++
 .../k8s01/nginx-system/release-override.yaml | 6 +-
 2 files changed, 133 insertions(+), 3 deletions(-)
 create mode 100644 clusters/k8s01/nginx-system/haproxy.yaml
diff --git a/clusters/k8s01/nginx-system/haproxy.yaml b/clusters/k8s01/nginx-system/haproxy.yaml
new file mode 100644
index 000000000..3b23e59ce
--- /dev/null
+++ b/clusters/k8s01/nginx-system/haproxy.yaml
@@ -0,0 +1,130 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: haproxy
+ labels:
+ app.kubernetes.io/name: haproxy
+ app.kubernetes.io/instance: haproxy
+ app.kubernetes.io/component: haproxy
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: haproxy
+ app.kubernetes.io/instance: haproxy
+ app.kubernetes.io/component: haproxy
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: haproxy
+ app.kubernetes.io/instance: haproxy
+ app.kubernetes.io/component: haproxy
+ spec:
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - haproxy
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - haproxy
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - haproxy
+ topologyKey: kubernetes.io/hostname
+ containers:
+ - name: haproxy
+ image: docker.io/library/haproxy:2.8.2
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ - containerPort: 443
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /usr/local/etc/haproxy/
+ name: haproxy-config
+ resources:
+ requests:
+ memory: 128Mi
+ cpu: 10m
+ limits:
+ memory: 1Gi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsUser: 102
+ restartPolicy: Always
+ volumes:
+ - name: haproxy-config
+ configMap:
+ name: haproxy-config
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ sysctls:
+ - name: 'net.ipv4.ip_unprivileged_port_start'
+ value: "0"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: haproxy-config
+ namespace: nginx-system
+data:
+ haproxy.cfg: |
+ listen http
+ bind 0.0.0.0:80
+ mode tcp
+ log stdout format short daemon info
+ timeout connect 7s
+ timeout client 10m
+ timeout server 10m
+ server svc-nginx-ingress-http nginx-ingress-ingress-nginx-controller:80 send-proxy-v2
+
+ listen https
+ bind 0.0.0.0:443
+ mode tcp
+ log stdout format short daemon info
+ timeout connect 7s
+ timeout client 10m
+ timeout server 10m
+ server svc-nginx-ingress-https nginx-ingress-ingress-nginx-controller:443 send-proxy-v2
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: haproxy
+ app.kubernetes.io/instance: haproxy
+ app.kubernetes.io/component: haproxy
+ name: haproxy-proxy-protocol
+ namespace: nginx-system
+spec:
+ externalIPs:
+ - 116.203.244.59
+ externalTrafficPolicy: Local
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 443
+ selector:
+ app.kubernetes.io/name: haproxy
+ app.kubernetes.io/instance: haproxy
+ app.kubernetes.io/component: haproxy
+ type: LoadBalancer
diff --git a/clusters/k8s01/nginx-system/release-override.yaml b/clusters/k8s01/nginx-system/release-override.yaml
index a03625313..df3ed0f17 100644
--- a/clusters/k8s01/nginx-system/release-override.yaml
+++ b/clusters/k8s01/nginx-system/release-override.yaml
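Review bot: The Deployment in this hunk carries no `namespace` under `metadata:`, while the ConfigMap and Service in the same file pin `namespace: nginx-system`; unless the Flux/Kustomize layer applying this directory sets a target namespace, the Deployment lands in the apply context's default namespace and its `haproxy-config` volume never resolves, leaving the pods stuck in ContainerCreating — adding `namespace: nginx-system` next to `name: haproxy` keeps the three objects together. The haproxy container also has no `readinessProbe`, so a pod whose haproxy has not finished starting is already an endpoint of the `haproxy-proxy-protocol` Service; a `tcpSocket` probe on port 80 would cover that. Because haproxy does not pick up a changed config without a reload and nothing visible here ties the pod template to the ConfigMap contents, edits to `haproxy.cfg` will likely not take effect until the pods are recreated, which deserves a comment above `haproxy.cfg: |` or a config-hash annotation on the pod template. For hardening, `readOnlyRootFilesystem: true` can sit beside the existing `allowPrivilegeEscalation: false` if the image does not need a writable root, and pinning the image by digest instead of the `2.8.2` tag would make what runs verifiable against what was reviewed.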
@@ -5,15 +5,15 @@ metadata:
 namespace: nginx-system
 type: Opaque
 stringData:
- values-overrides.yaml: ENC[AES256_GCM,data:mIQtKGegxGNV2Fkl0hQXLaam2EQCaVwJ3R+UFdjrMf1e2YnjiBm7OoB2oqjL/51353btrBc8s3DO5D9+EsPmsM73TsaIiMtcv5jVQ/UTWTWVKlAjiIjrszDXT0CIgVDwfvsOl+6ztXuupxhM98CEQdeGv35VFu5XAJyN6+/vz0EXP8AwS1NGiCbzCR03B+9LlqXY1QO/pw==,iv:V9uCRqPg9ot34I+rTVLfqr5LbBpCpBt/LHMkfkAvktM=,tag:aqvfOXt6vOUaGpXoaFfdOw==,type:str]
+ values-overrides.yaml: ENC[AES256_GCM,data:Ie8tjjALb6+iyPQ1Jqr95NA6t4vfsV6JgKVMaUKVNMbp1ID7Aplwkv9rX7KtU+poqgjJk8OLzl7Gy6XFVCU0rhR1zjPtlYGQdDP0S7oUllquPq18EpIBMWQLILi+WLj6NzMfSx3Krd2dwaleVw8Pb9cIKGpdf3WUEAEpW7ONLywEBbrqz4nDTrYNppPBSOPDdUPRaKmTbeW8hqYzwfuigZfQvKE=,iv:Xa5Vy1diaKcI4ZCFl+9zlu/Ah2tZUJ3hxLMTcGwEEco=,tag:bybBokXQUWKKdP3Sga8ATQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2023-09-15T20:34:46Z"
- mac: ENC[AES256_GCM,data:0TfkDbaU7/nuDowbVKvnWUc65FnNFW3alvdNXzM564F/BZHN7w8nS7Nc3Lfpzrw28zXhCjFohLwJfOZX778fqmDOSeejGxvyKIAoz5mxqVyLHsxH/fuatzlrSaB/wXjeS4wouR/x+U5d3efJ8eGahDGwk1OpF1nUJy8bcrBpD5s=,iv:Wtd0QH1J2iBUlIW7TQk/yKQt6Be7hasuv9r3abPF4tY=,tag:XBpoIIVwbzOYrbS55YrRQw==,type:str]
+ lastmodified: "2023-09-15T20:40:46Z"
+ mac: ENC[AES256_GCM,data:wp8IJaqv/bnutbNf5a7QPGnL2jOuErN2glmnXH5b4zdZ9eqTGTEn5qJSNpe3X9BvsnxQvynrCA/Wydea2fwDg+yISPk2Ha+wwefqbNBUiz2gmbflTmGkgYrzBINwBFc2Gc+DUvongcF7F4hdjXaHEOLWTEoxawai1pQSZB6SAXI=,iv:8M4KXpzktQ1tuL24+yHr3hw2xebCoZV5+pQocQUK33c=,tag:YwgG69QEUUHFIoBcAUU/5A==,type:str]
 pgp:
 - created_at: "2022-02-09T22:43:33Z"
 enc: |-
-- GitLab