Dissecting the HAProxy Kubernetes Ingress Controller

blog20190705-01.sh

kubectl apply -f https://raw.githubusercontent.com/haproxytech/kubernetes-ingress/master/deploy/haproxy-ingress.yaml

blog20190705-02.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: haproxy-controller

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: haproxy-ingress-service-account
  namespace: haproxy-controller

blog20190705-03.yaml

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: haproxy-ingress-cluster-role
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - pods
  - services
  - namespaces
  - events
  - serviceaccounts
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - "extensions"
  resources:
  - ingresses
  - ingresses/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
  - create
  - patch
  - update
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: haproxy-ingress-cluster-role-binding
  namespace: haproxy-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: haproxy-ingress-cluster-role
subjects:
- kind: ServiceAccount
  name: haproxy-ingress-service-account
  namespace: haproxy-controller

blog20190705-04.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    run: ingress-default-backend
  name: ingress-default-backend
  namespace: haproxy-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      run: ingress-default-backend
  template:
    metadata:
      labels:
        run: ingress-default-backend
    spec:
      containers:
         - name: ingress-default-backend
        image: gcr.io/google_containers/defaultbackend:1.0
        ports:
        - containerPort: 8080

---
apiVersion: v1
kind: Service
metadata:
  labels:
    run: ingress-default-backend
  name: ingress-default-backend
  namespace: haproxy-controller
spec:
  selector:
    run: ingress-default-backend
  ports:
  - name: port-1
    port: 8080
    protocol: TCP
    targetPort: 8080

blog20190705-05.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: haproxy-configmap
  namespace: default
data:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    run: haproxy-ingress
  name: haproxy-ingress
  namespace: haproxy-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      run: haproxy-ingress
  template:
    metadata:
      labels:
        run: haproxy-ingress
    spec:
      serviceAccountName: haproxy-ingress-service-account
      containers:
      - name: haproxy-ingress
        image: haproxytech/kubernetes-ingress
        Args:
       - --default-backend-service=haproxy-controller/ingress-default-backend
        - --default-ssl-certificate=default/tls-secret
        - --configmap=default/haproxy-configmap
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
        - name: stat
          containerPort: 1024
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace

blog20190705-06.yaml

apiVersion: v1
kind: Service
metadata:
  labels:
    run: haproxy-ingress
  name: haproxy-ingress
  namespace: haproxy-controller
spec:
  selector:
    run: haproxy-ingress
  type: NodePort
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
  - name: stat
    port: 1024
    protocol: TCP
    targetPort: 1024

blog20190705-07.sh

kubectl get svc --namespace=haproxy-controller

NAMESPACE            NAME              TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                                     AGE
haproxy-controller   haproxy-ingress   NodePort   10.96.15.205    <none>        80:30279/TCP,443:30775/TCP,1024:31912/TCP   84s

blog20190705-08.sh

$ curl -I -H 'Host: foo.bar' 'http://192.168.99.100:30279'

HTTP/1.1 404 Not Found
date: Thu, 27 Jun 2019 21:45:20 GMT
content-length: 21
content-type: text/plain; charset=utf-8

blog20190705-09.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    run: app
  name: app
spec:
  replicas: 2
  selector:
    matchLabels:
      run: app
  template:
    metadata:
      labels:
        run: app
    spec:
      containers:
      - name: app
        image: jmalloc/echo-server
        ports:
        - containerPort: 8080

---
apiVersion: v1
kind: Service
metadata:
  labels:
    run: app
  name: app
  annotations:
    haproxy.org/check: "enabled"
    haproxy.org/forwarded-for: "enabled"
    haproxy.org/load-balance: "roundrobin"
spec:
  selector:
    run: app
  ports:
  - name: port-1
    port: 80
    protocol: TCP
    targetPort: 8080

---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
spec:
  rules:
  - host: foo.bar
    http:
      paths:
      - path: /
        backend:
          serviceName: app
          servicePort: 80

blog20190705-10.sh

$ kubectl apply -f 1.ingress.yaml

blog20190705-11.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: haproxy-configmap
  namespace: default
data:
  servers-increment: "42"
  ssl-redirect: "OFF"

blog20190705-12.sh

$ kubectl apply -f 2.configmap.yaml

blog20190705-13.sh

$ curl -I -H 'Host: foo.bar' 'http://192.168.99.100:30279'

HTTP/1.1 200 OK
content-type: text/plain
date: Thu, 27 Jun 2019 21:46:30 GMT
content-length: 136