kubernetes-ingress

[Stats Question] Possible to configure as backend instead of frontend?

Open mecampbellsoup opened this issue 1 year ago • 5 comments

We would like to call stats enable and the other stats-related configuration inside of an HAProxy backend.

It seems like the IC always generates a frontend configuration however:

frontend stats
  mode http
  bind *:1024 name stats
  bind :::1024 name v6
  stats enable
  stats uri /
  stats refresh 10s
  http-request set-var(txn.base) base
  http-request use-service prometheus-exporter if { path /metrics }

Is there a reason it's always injected as a frontend configuration?

In our case, we use HAProxy IC as an API Gateway within our shared k8s cluster, and so we'd like to use the same authorization patterns that we use for other downstream (upstream?) applications that sit behind the gateway, namely lua.cached-auth (our custom Lua auth script/program).

mecampbellsoup, Feb 15 '24 20:02

@Mo3m3n additionally would it be possible to disable the default frontend stats? Then I could just use my own backend as normal (via an Ingress).

mecampbellsoup, Feb 15 '24 21:02

Hi @mecampbellsoup, the stats frontend can't be disabled. If you want to create your backend, you can. By default our script creates a service pointing to the controller. Your ingress only has to refer to it.

ivanmatmati, Feb 19 '24 10:02

> Hi @mecampbellsoup, the stats frontend can't be disabled. If you want to create your backend, you can. By default our script creates a service pointing to the controller. Your ingress only has to refer to it.

Yea, I ended up making an ingress that points to the metric service since, when enablePorts.stats = false, that port 1024 seems to be exposed by the metrics/Prometheus service.

In a perfect world, this particular ingress would NOT have a public IP, but since our IC is public generally I'm not sure how to accomplish that. Any ideas?

mecampbellsoup, Feb 20 '24 16:02

You have several options. Among them, you can secure the ingress with authentication or with allow and deny lists of IPs or CIDRs.

ivanmatmati, Feb 21 '24 08:02
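
The allow-list and authentication options mentioned in the reply above, sketched as an Ingress for the stats port (an added example, not part of the thread or the project's own manifests). The Ingress name, namespace, host, ingress class, CIDRs, Secret name and Service name are assumptions or placeholders; port 1024 is the stats port shown in the generated frontend.

```yaml
# Added example: restrict the stats/metrics Ingress to internal source ranges
# and require basic auth. All names and addresses below are placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: haproxy-stats                  # hypothetical name
  namespace: haproxy-controller        # assumption: namespace of the controller's Service
  annotations:
    # Only requests from these source ranges are served; all others are rejected.
    # Constructed sample CIDRs: replace with the real internal network ranges.
    haproxy.org/allow-list: "10.0.0.0/8, 192.168.0.0/16"
    # Second layer: HTTP basic authentication backed by a Kubernetes Secret.
    haproxy.org/auth-type: basic-auth
    haproxy.org/auth-secret: haproxy-controller/stats-credentials   # hypothetical Secret
spec:
  ingressClassName: haproxy            # assumption: class name used by this controller
  rules:
    - host: stats.internal.example.com # placeholder host
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                # Placeholder: the Service that points at the controller
                # and exposes the stats port.
                name: REPLACE_WITH_CONTROLLER_SERVICE
                port:
                  number: 1024         # stats port from the generated frontend
```

The allow list is matched against the source address HAProxy sees. If a load balancer in front of the controller rewrites client IPs, the real client address has to be preserved (for example with PROXY protocol) for the list to mean what it says.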

> You have several options. Among them, you can secure the ingress with authentication or with allow and deny lists of IPs or CIDRs.

Cool, haven't used allow/deny lists yet! Thanks for the tip.

Is it possible to generate those dynamically to express something like "only people (IPs) with access to our private internal network can access the stats backend"?

mecampbellsoup, Feb 21 '24 14:02

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot], Mar 23 '24 11:03