kubernetes-ingress

Many identical use_backend lines in haproxy.cfg when using haproxy.org/route-acl

Open EmielBruijntjes opened this issue 3 years ago • 0 comments

Introduction

I am experimenting with the "haproxy.org/route-acl" annotation for services to get pure websocket-traffic into a pod. While doing this and trying out many different settings and overwriting different service definitions, I noticed that after a while the generated 'haproxy.cfg' contained many duplicate lines of this form:

  use_backend websockets_websockets_http if { var(txn.host) -m str ws.example.com }  { path -m beg / }  { req.hdr(Upgrade) -i -m str websocket } { req.hdr(Connection) -i -m str upgrade }
  use_backend %[var(txn.path_match),field(1,.)]
  use_backend %[var(txn.path_match),field(1,.)]
  use_backend %[var(txn.path_match),field(1,.)]
  use_backend %[var(txn.path_match),field(1,.)]
  use_backend %[var(txn.path_match),field(1,.)]
  ... and so on and so on ...

How to reproduce

I am not sure if this is related to the issue, but I was trying out service definitions like this:

apiVersion: v1
kind: Service
metadata:
  name: websockets
  namespace: websockets
  annotations:
    # this is a dirty ugly hack, because haproxy will surround this inside { } braces, and effectively turns this into two checks 
    haproxy.org/route-acl: req.hdr(Upgrade) -i -m str websocket } { req.hdr(Connection) -i -m str upgrade
spec:
  selector:
    app: websockets
  ports:
  - port: 80
    targetPort: 8080
    protocol: TCP
    name: http

The above service is a bit ugly, and I also tried many other ACLs until I found this one that was working. However, with every new attempt to insert a route-acl string, I noticed that the list of identical 'use_backend' lines was only growing. I took a quick look at your code, and I have the feeling that your "BackendSwitchingRuleDeleteAll()" function does not correctly erase the "use_backend" lines. But I am not a Go programmer, so I am guessing here. This issue may not even be related to the route-acl option that I was trying out, but that's when I noticed it.

On a side note

Is the way I try to route websocket traffic to my pods (using the route-acl setting) indeed the recommended way of doing this?

EmielBruijntjes, Aug 08 '22 20:08
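An added example, not part of the original issue or the project's code: a small check that counts identical use_backend rules per section of a generated haproxy.cfg, so the growth described in the issue can be confirmed after each annotation change. The section names and the server line in the sample are constructed; whitespace is collapsed before comparing, which assumes no rule depends on quoted whitespace.

```python
import sys
from collections import Counter

# Keywords that open a new section in haproxy.cfg.
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}

# Constructed sample modelled on the lines quoted in the issue.
# The frontend names and the server line are assumptions.
SAMPLE_CFG = """\
frontend http
  use_backend websockets_websockets_http if { var(txn.host) -m str ws.example.com }  { path -m beg / }  { req.hdr(Upgrade) -i -m str websocket } { req.hdr(Connection) -i -m str upgrade }
  use_backend %[var(txn.path_match),field(1,.)]
  use_backend   %[var(txn.path_match),field(1,.)]
  use_backend %[var(txn.path_match),field(1,.)]
frontend https
  use_backend %[var(txn.path_match),field(1,.)]
backend websockets_websockets_http
  server SRV_1 127.0.0.1:8080
"""


def duplicate_use_backend(cfg_text):
    """Return {(section, rule): count} for use_backend rules repeated in one section."""
    counts = Counter()
    section = "(no section)"
    for raw in cfg_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or full-line comment
        if words[0] in SECTIONS:
            section = " ".join(words[:2])  # e.g. "frontend http"
        elif words[0] == "use_backend":
            # Collapse whitespace so cosmetic differences still count as identical.
            counts[(section, " ".join(words))] += 1
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    # Pass the path of the generated haproxy.cfg; without one the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CFG
    dupes = duplicate_use_backend(text)
    for (section, rule), n in sorted(dupes.items()):
        print(f"{n}x in [{section}]: {rule}")
    sys.exit(1 if dupes else 0)
```

The same rule appearing once in each of two different frontends is not reported; only repeats inside a single section are.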