
Kubernetes

Setup Kubernetes EasyHAProxy

EasyHAProxy for Kubernetes queries all ingress definitions with the annotation kubernetes.io/ingress.class: easyhaproxy-ingress. Once it finds the annotation, it immediately sets up HAProxy and starts serving it.

There are three installation modes:

  • DaemonSet: It will expose ports 80, 443 and 1936
  • NodePort: It will expose the ports 31080, 31443 and 31936
  • ClusterIP: It will not expose any port. The HAProxy will be accessible only inside the cluster.

To install EasyHAProxy in your cluster, follow these steps:

1) Identify the node where your EasyHAProxy container will run

EasyHAProxy will be limited to a single node. To understand why, see the limitations page.

$ kubectl get nodes

NAME STATUS ROLES AGE VERSION
node-01 Ready <none> 561d v1.21.13-3
node-02 Ready <none> 561d v1.21.13-3

Add the EasyHAProxy label to the node.

kubectl label nodes node-01 "easyhaproxy/node=master"

2) Install EasyHAProxy with Kubernetes Manifest

kubectl create namespace easyhaproxy

kubectl apply -f \
https://raw.githubusercontent.com/byjg/docker-easy-haproxy/4.4.0/deploy/kubernetes/easyhaproxy-daemonset.yml

If necessary, you can configure environment variables. For a list of the variables, see the environment variable guide.

Running containers

Your container only requires creating an ingress with the annotation kubernetes.io/ingress.class: easyhaproxy-ingress pointing to your service.

e.g.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: easyhaproxy-ingress
  name: example-ingress
  namespace: example
spec:
  rules:
    - host: example.org
      http:
        paths:
          - backend:
              service:
                name: example-service
                port:
                  number: 8080
            pathType: ImplementationSpecific

Once the container is running, EasyHAProxy will detect it automatically and start to redirect all traffic from example.org:80 to your container at port 8080.

You don't need to expose any port in your container.

Notes:

  • At this point, the implementation doesn't support all ingress properties or wildcard domains.
  • The ingress will publish the ports 80 and 443, plus 1936 if stats are enabled.
  • EasyHAProxy reads every spec.rules[].host entry, but for each rule it parses only the first path (spec.rules[].http.paths[0].port.number) and ignores the other paths.

Kubernetes annotations

| annotation | Description | Default | Example |
|---|---|---|---|
| kubernetes.io/ingress.class | (required) Activate EasyHAProxy. | required | easyhaproxy-ingress |
| easyhaproxy.redirect_ssl | (optional) Boolean. Force redirect all endpoints to HTTPS. | false | true or false |
| easyhaproxy.certbot | (optional) Boolean. It will request certbot certificates for the ingress's domains. | false | true or false |
| easyhaproxy.redirect | (optional) JSON. Key pair with a domain and its destination. | empty | {"domain":"redirect_url"} |
| easyhaproxy.mode | (optional) Set the HTTP mode for that connection. | http | http or tcp |
| easyhaproxy.listen_port | (optional) Set an additional port for that ingress | http | http or tcp |

Important: The annotations are per ingress and applied to all hosts in that ingress configuration.
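
An added example (not part of the EasyHAProxy project or its documentation): a small audit over `kubectl get ingress -A -o json` output that flags ingresses hitting the limitations noted above, namely wildcard hosts, extra paths that are ignored, and TLS or certbot ingresses that leave easyhaproxy.redirect_ssl off. The sample data and the `audit` function are constructed for illustration, and the check assumes a boolean annotation is enabled only by the string "true".

```python
import json

CLASS = ("kubernetes.io/ingress.class", "easyhaproxy-ingress")

# Constructed sample, shaped like `kubectl get ingress -A -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "shop", "namespace": "example", "annotations": {
    "kubernetes.io/ingress.class": "easyhaproxy-ingress", "easyhaproxy.certbot": "true"}},
  "spec": {"rules": [
   {"host": "example.org", "http": {"paths": [
     {"backend": {"service": {"name": "web", "port": {"number": 8080}}}},
     {"backend": {"service": {"name": "api", "port": {"number": 9090}}}}]}},
   {"host": "*.example.org", "http": {"paths": [
     {"backend": {"service": {"name": "web", "port": {"number": 8080}}}}]}}]}},
 {"metadata": {"name": "other", "namespace": "example",
   "annotations": {"kubernetes.io/ingress.class": "nginx"}}, "spec": {"rules": []}}
]}
""")

def audit(ingress_list):
    """Return (namespace/name, finding) tuples for EasyHAProxy ingresses."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        ann = meta.get("annotations") or {}
        if ann.get(CLASS[0]) != CLASS[1]:
            continue  # EasyHAProxy only picks up ingresses carrying its class annotation
        # Assumption: only the string "true" (any case) enables a boolean annotation.
        on = lambda key: str(ann.get(key, "")).lower() == "true"
        ref = f"{meta.get('namespace')}/{meta.get('name')}"
        spec = item.get("spec", {})
        has_tls = bool(spec.get("tls")) or on("easyhaproxy.certbot")
        if has_tls and not on("easyhaproxy.redirect_ssl"):
            findings.append((ref, "TLS configured but redirect_ssl is off: HTTP is not redirected"))
        for rule in spec.get("rules") or []:
            host = rule.get("host", "")
            if "*" in host:
                findings.append((ref, f"wildcard host {host} is not supported"))
            paths = (rule.get("http") or {}).get("paths") or []
            for ignored in paths[1:]:
                svc = ignored.get("backend", {}).get("service", {})
                findings.append((ref, f"{host}: path to {svc.get('name')} is ignored (only paths[0] is used)"))
    return findings

if __name__ == "__main__":
    for ref, msg in audit(SAMPLE):
        print(f"{ref}: {msg}")
```

To run it against a live cluster, replace SAMPLE with the parsed output of `kubectl get ingress -A -o json`.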

Certbot / ACME / Letsencrypt

It is necessary to add the annotation easyhaproxy.certbot to the ingress configuration:

kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: easyhaproxy-ingress
    easyhaproxy.certbot: 'true'
  name: example-ingress
  namespace: example
spec:
  ....

More info here.

Make sure your cluster is accessible both through ports 80 and 443.

Custom SSL Certificates

Create a secret with your certificate and key and associate them with your ingress.

---
apiVersion: v1
kind: Secret
metadata:
  name: host2-tls
  namespace: default
data:
  tls.crt: base64 of your certificate
  tls.key: base64 of your certificate private key
type: kubernetes.io/tls

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: easyhaproxy-ingress
  name: tls-example
  namespace: default
spec:
  tls:
    - hosts:
        - host2.local
      secretName: host2-tls
  rules:
    ...
