feat(nginx): Add full support for proxy-protocol

This patch adds a haproxy deployment to the cluster, which allows to mimic the haproxy setup outside the cluster. Making sure that traffic is automatically redirected and works around the limitations of ingress nginx, of limiting proxy protocol to a boolean for either all traffic or for none.

feat(nginx): Add full support for proxy-protocol
d82ae122 · Sheogorath · b2e1ce0d · d82ae122 · d82ae122
Verified Commit d82ae122 authored 1 year ago by Sheogorath
--- a/clusters/k8s01/nginx-system/haproxy.yaml
+++ b/clusters/k8s01/nginx-system/haproxy.yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: haproxy
+  labels:
+    app.kubernetes.io/name: haproxy
+    app.kubernetes.io/instance: haproxy
+    app.kubernetes.io/component: haproxy
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: haproxy
+      app.kubernetes.io/instance: haproxy
+      app.kubernetes.io/component: haproxy
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: haproxy
+        app.kubernetes.io/instance: haproxy
+        app.kubernetes.io/component: haproxy
+    spec:
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: app.kubernetes.io/name
+                operator: In
+                values:
+                - haproxy
+              - key: app.kubernetes.io/instance
+                operator: In
+                values:
+                - haproxy
+              - key: app.kubernetes.io/component
+                operator: In
+                values:
+                - haproxy
+            topologyKey: kubernetes.io/hostname
+      containers:
+        - name: haproxy
+          image: docker.io/library/haproxy:2.8.2
+          imagePullPolicy: IfNotPresent
+          ports:
+          - containerPort: 80
+            protocol: TCP
+          - containerPort: 443
+            protocol: TCP
+          volumeMounts:
+          - mountPath: /usr/local/etc/haproxy/
+            name: haproxy-config
+          resources:
+            requests:
+              memory: 128Mi
+              cpu: 10m
+            limits:
+              memory: 1Gi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            runAsUser: 102
+      restartPolicy: Always
+      volumes:
+      - name: haproxy-config
+        configMap:
+          name: haproxy-config
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+        sysctls:
+          - name: 'net.ipv4.ip_unprivileged_port_start'
+            value: "0"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: haproxy-config
+  namespace: nginx-system
+data:
+  haproxy.cfg: |
+    listen http
+      bind 0.0.0.0:80
+      mode tcp
+      log stdout format short daemon info
+      timeout connect  7s
+      timeout client   10m
+      timeout server   10m
+      server svc-nginx-ingress-http nginx-ingress-ingress-nginx-controller:80 send-proxy-v2
+
+    listen https
+      bind 0.0.0.0:443
+      mode tcp
+      log stdout format short daemon info
+      timeout connect  7s
+      timeout client   10m
+      timeout server   10m
+      server svc-nginx-ingress-https nginx-ingress-ingress-nginx-controller:443 send-proxy-v2
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: haproxy
+    app.kubernetes.io/instance: haproxy
+    app.kubernetes.io/component: haproxy
+  name: haproxy-proxy-protocol
+  namespace: nginx-system
+spec:
+  externalIPs:
+  - 116.203.244.59
+  externalTrafficPolicy: Local
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 80
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: 443
+  selector:
+    app.kubernetes.io/name: haproxy
+    app.kubernetes.io/instance: haproxy
+    app.kubernetes.io/component: haproxy
+  type: LoadBalancer
--- a/clusters/k8s01/nginx-system/release-override.yaml
+++ b/clusters/k8s01/nginx-system/release-override.yaml
@@ -5,15 +5,15 @@ metadata:
    namespace: nginx-system
 type: Opaque
 stringData:
-    values-overrides.yaml: ENC[AES256_GCM,data:mIQtKGegxGNV2Fkl0hQXLaam2EQCaVwJ3R+UFdjrMf1e2YnjiBm7OoB2oqjL/51353btrBc8s3DO5D9+EsPmsM73TsaIiMtcv5jVQ/UTWTWVKlAjiIjrszDXT0CIgVDwfvsOl+6ztXuupxhM98CEQdeGv35VFu5XAJyN6+/vz0EXP8AwS1NGiCbzCR03B+9LlqXY1QO/pw==,iv:V9uCRqPg9ot34I+rTVLfqr5LbBpCpBt/LHMkfkAvktM=,tag:aqvfOXt6vOUaGpXoaFfdOw==,type:str]
+    values-overrides.yaml: ENC[AES256_GCM,data:Ie8tjjALb6+iyPQ1Jqr95NA6t4vfsV6JgKVMaUKVNMbp1ID7Aplwkv9rX7KtU+poqgjJk8OLzl7Gy6XFVCU0rhR1zjPtlYGQdDP0S7oUllquPq18EpIBMWQLILi+WLj6NzMfSx3Krd2dwaleVw8Pb9cIKGpdf3WUEAEpW7ONLywEBbrqz4nDTrYNppPBSOPDdUPRaKmTbeW8hqYzwfuigZfQvKE=,iv:Xa5Vy1diaKcI4ZCFl+9zlu/Ah2tZUJ3hxLMTcGwEEco=,tag:bybBokXQUWKKdP3Sga8ATQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2023-09-15T20:34:46Z"
-    mac: ENC[AES256_GCM,data:0TfkDbaU7/nuDowbVKvnWUc65FnNFW3alvdNXzM564F/BZHN7w8nS7Nc3Lfpzrw28zXhCjFohLwJfOZX778fqmDOSeejGxvyKIAoz5mxqVyLHsxH/fuatzlrSaB/wXjeS4wouR/x+U5d3efJ8eGahDGwk1OpF1nUJy8bcrBpD5s=,iv:Wtd0QH1J2iBUlIW7TQk/yKQt6Be7hasuv9r3abPF4tY=,tag:XBpoIIVwbzOYrbS55YrRQw==,type:str]
+    lastmodified: "2023-09-15T20:40:46Z"
+    mac: ENC[AES256_GCM,data:wp8IJaqv/bnutbNf5a7QPGnL2jOuErN2glmnXH5b4zdZ9eqTGTEn5qJSNpe3X9BvsnxQvynrCA/Wydea2fwDg+yISPk2Ha+wwefqbNBUiz2gmbflTmGkgYrzBINwBFc2Gc+DUvongcF7F4hdjXaHEOLWTEoxawai1pQSZB6SAXI=,iv:8M4KXpzktQ1tuL24+yHr3hw2xebCoZV5+pQocQUK33c=,tag:YwgG69QEUUHFIoBcAUU/5A==,type:str]
    pgp:
        - created_at: "2022-02-09T22:43:33Z"
          enc: |-