Learn how to run HAProxy Ingress Controller with mTLS. Our HAProxy Support team is here to help you with your questions and concerns.
Running HAProxy Ingress Controller with mTLS
Running an ingress controller outside of the Kubernetes cluster is useful in several situations, for example when the load balancer has to live on dedicated hosts or when you would rather not run HAProxy in a container.
Here is how to set up the HAProxy Kubernetes Ingress Controller outside the cluster (what the controller calls external mode) and how to configure mutual TLS (mTLS) on both sides of it: towards the backend pods and towards the clients.
Before we begin, we need the following:
- HAProxy Kubernetes Ingress Controller Binary
- HAProxy Binary
- Kubeconfig File to access the Kubernetes cluster.
- Network configuration that lets the HAProxy host route traffic to the pod network.
To let HAProxy reach the pod network, add a route on the HAProxy host:
$ ip route add pod-network via node-ip
Replace `pod-network` with the pod CIDR (for example 10.244.0.0/16) and `node-ip` with the address of a cluster node that is reachable from the HAProxy host and forwards traffic to the pods. Whether a single node forwards traffic for pods on every other node depends on the CNI; with per-node pod CIDRs you add one route per node, each via that node's address, instead. Verify the result with `ip route get <pod-ip>` before starting the controller.
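The per-node form of the route step, as an added example that is not part of the original page: a small POSIX shell script that turns a list of `podCIDR nodeIP` pairs into one `ip route replace` command per node, rejecting malformed lines so a typo does not silently black-hole part of the pod network. The node list, function names (`gen_pod_routes`, `apply_pod_routes`) and the `DRY_RUN` variable are this example's own; in a real cluster the list comes from `kubectl get nodes` as shown in the comment.

```shell
#!/bin/sh
# Added example (not the page's or the controller's code).
# Assumes the node IPs are reachable from the HAProxy host and that the
# script runs as root when DRY_RUN=0. Real input would come from:
#   kubectl get nodes -o jsonpath='{range .items[*]}{.spec.podCIDR}{" "}{.status.addresses[?(@.type=="InternalIP")].address}{"\n"}{end}'

# is_cidr: crude sanity check that $1 looks like a.b.c.d/nn
is_cidr() {
  case "$1" in
    */*) ;;                  # must carry a prefix length
    *) return 1 ;;
  esac
  ip=${1%/*}; len=${1#*/}
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# gen_pod_routes: read "podCIDR nodeIP" pairs on stdin and print one
# `ip route replace` per pair; returns 1 if any line was malformed.
gen_pod_routes() {
  rc=0
  while read -r cidr node; do
    [ -z "$cidr" ] && continue
    if ! is_cidr "$cidr" || [ -z "$node" ]; then
      echo "skip malformed line: $cidr $node" >&2
      rc=1
      continue
    fi
    echo "ip route replace $cidr via $node"
  done
  return $rc
}

# apply_pod_routes: print the commands (DRY_RUN=1, the default) or run them.
apply_pod_routes() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    gen_pod_routes
  else
    gen_pod_routes | sh -e
  fi
}

# Constructed sample: three nodes, each with its own /24 of the pod network.
SAMPLE_NODES='10.244.0.0/24 10.0.3.11
10.244.1.0/24 10.0.3.12
10.244.2.0/24 10.0.3.13'

printf '%s\n' "$SAMPLE_NODES" | apply_pod_routes
```

`ip route replace` is used rather than `ip route add` so the script can be re-run after a node's address changes without failing on an existing route.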
Starting the Ingress Controller
Once the route is in place, start the HAProxy Kubernetes Ingress Controller in external mode (`-e`). It uses the kubeconfig file from the prerequisites (pass its path with `--kubeconfig` if it is not in the default location) and runs the HAProxy binary given by `--program`; replace the bind address with the address of the HAProxy host:
$ ./kubernetes-ingress -e \
--configmap=default/haproxy-kubernetes-ingress \
--program=/usr/bin/haproxy \
--disable-ipv6 \
--ipv4-bind-address=10.0.3.100 \
--http-bind-port=8080 \
--https-bind-port=8443
Configuring TLS Certificates
For mTLS between HAProxy and the backend pods, the controller needs a CA to verify the backend's certificate and a client certificate to present to it. Both are stored in Kubernetes secrets and referenced, in `namespace/secret-name` form, by annotations on the Service:
- server-ca: Kubernetes secret holding the CA certificate used to verify the backend server's TLS certificate.
- server-crt: Kubernetes secret holding the client certificate (and its key) that the ingress controller presents to the backend server.
Here’s an example of how to set these annotations in a Service definition:
apiVersion: v1
kind: Service
metadata:
  labels:
    run: web
  name: web
  annotations:
    haproxy.org/server-ca: "default/server-tls-secret"
    haproxy.org/server-crt: "default/client-tls-secret"
# ... other service settings ...
If the backend's certificate should not be verified at all (for example, self-signed certificates in a test environment), the older `server-ssl` annotation establishes a TLS connection to the backend without certificate verification. That only hides the traffic from passive observers; anything on the path can impersonate the backend, so prefer `server-ca` wherever the backend's CA is available.
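To show what the two secrets referenced above have to contain, here is an added example (not the page's or the controller's code) that creates a throwaway CA, issues a client certificate signed by it, verifies the certificate the way the backend will, and prints the `server-tls-secret` and `client-tls-secret` manifests. It assumes `openssl` and `base64` are installed, that the CA secret is read from a `ca.crt` key (an assumption; check the controller's documentation for the key name it expects) and that the client certificate uses the standard `kubernetes.io/tls` keys `tls.crt`/`tls.key`. All names and the subjects are constructed for the example.

```shell
#!/bin/sh
# Added example (not the page's or the controller's code).
# Requires openssl and base64. In production the CA is the one that signed
# the backend pods' certificates, not a throwaway one.

WORK=${WORK:-$(mktemp -d)}

# make_test_pki DIR: CA + client key/cert signed by that CA, all in DIR
make_test_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=test-backend-ca \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj /CN=haproxy-ingress \
    -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client.crt" >/dev/null 2>&1
}

# verify_client_cert CAFILE CERT: prints OK when CERT chains to CAFILE,
# FAIL otherwise (the same check the backend performs in the handshake)
verify_client_cert() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# b64 FILE: single-line base64, portable (no GNU -w0)
b64() { base64 < "$1" | tr -d '\n'; }

# emit_secrets DIR: the two Secret manifests the Service annotations refer to
emit_secrets() {
  dir=$1
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: server-tls-secret
  namespace: default
data:
  ca.crt: $(b64 "$dir/ca.crt")
---
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: client-tls-secret
  namespace: default
data:
  tls.crt: $(b64 "$dir/client.crt")
  tls.key: $(b64 "$dir/client.key")
EOF
}

# Usage: build the PKI, check the client cert, print the manifests.
make_test_pki "$WORK"
echo "client cert against CA: $(verify_client_cert "$WORK/ca.crt" "$WORK/client.crt")" >&2
emit_secrets "$WORK"
```

Pipe the output into `kubectl apply -f -` to create the secrets; the Service above then references them as `default/server-tls-secret` and `default/client-tls-secret`. Keep `ca.key` off the HAProxy host entirely: the controller only needs the CA certificate and the client key pair.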
Client Certificate Verification
Client certificate verification happens inside the TLS handshake. In other words, whichever component terminates TLS must also verify the client certificate: TLS cannot be terminated on an upstream load balancer with the client certificate checked later by HAProxy, because HAProxy would then only see the load balancer's own connection. Either terminate TLS on HAProxy and let it verify the client (the controller supports this through the `client-ca` annotation, which names a secret holding the CA certificate that client certificates must chain to), or, if the load balancer in front of HAProxy can verify client certificates itself, terminate and verify there. If the load balancer cannot, it has to pass the TLS traffic through unmodified so that HAProxy still sees the original handshake.
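A practical way to check the first option on the generated HAProxy configuration, as an added example that is not part of the original page: a shell function that scans every `bind ... ssl` line (the line that terminates TLS) and flags the ones that do not require a client certificate signed by a configured CA. The sample configuration, the path names and the function name `check_bind_mtls` are constructed for the example; `verify optional` is reported as weak here because it admits clients without a certificate, which is only acceptable when ACLs on `ssl_c_used` enforce the policy elsewhere.

```shell
#!/bin/sh
# Added example (not the page's or the controller's code).
# check_bind_mtls: read an HAProxy configuration on stdin and print one line
# per TLS-terminating bind:
#   OK   <bind line>   -> has both `ca-file <path>` and `verify required`
#   WEAK <bind line>   -> terminates TLS but does not require a client cert
# Returns 1 if any bind was WEAK, 0 otherwise.
check_bind_mtls() {
  rc=0
  while IFS= read -r line; do
    case "$line" in
      *bind*" ssl "*|*bind*" ssl") ;;   # only binds that terminate TLS
      *) continue ;;
    esac
    trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
    case "$trimmed" in
      *"ca-file "*"verify required"*|*"verify required"*"ca-file "*)
        echo "OK   $trimmed" ;;
      *)
        echo "WEAK $trimmed"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample: the first frontend terminates TLS but accepts any
# client (no CA, no verify), the second is the corrected form, the third is
# plain HTTP and is ignored by the check.
SAMPLE_CFG='frontend https_no_mtls
    bind 10.0.3.100:8443 ssl crt /etc/haproxy/certs/web.pem
    default_backend web

frontend https_mtls
    bind 10.0.3.100:8443 ssl crt /etc/haproxy/certs/web.pem ca-file /etc/haproxy/certs/client-ca.crt verify required
    default_backend web

frontend http
    bind 10.0.3.100:8080
    default_backend web'

# Usage: exit status 1 and a WEAK line for the first frontend.
printf '%s\n' "$SAMPLE_CFG" | check_bind_mtls \
  || echo "at least one TLS bind does not require a client certificate" >&2
```

Run it against the configuration the controller writes for HAProxy after setting `client-ca`; a WEAK line on the HTTPS bind means clients are not being authenticated at the hop that terminates TLS.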
Conclusion
In brief, our Support Experts demonstrated how to run the HAProxy Kubernetes Ingress Controller outside the cluster, route traffic from the HAProxy host into the pod network, and configure mTLS both towards the backend pods (`server-ca` and `server-crt`) and towards clients, where certificate verification has to happen at the point that terminates TLS.