kubernetes-ingress
Support for Kubernetes secret reference in `ssl_cafile` field for TCP CRD
Hi team,
I'm currently using the haproxy kubernetes-ingress to expose an MQTT service via the TCP CRD, using SSL with client certificate verification.
Here's a simplified version of my TCP configuration:
```yaml
apiVersion: ingress.v1.haproxy.org/v1
kind: TCP
metadata:
  name: emqx-mqtt-ssl
  annotations:
    ingress.class: haproxy
spec:
  - name: emqx-mqtt-ssl
    frontend:
      name: mqtt-ssl-frontend
      tcplog: true
      binds:
        - name: bind-emqx-mqtt-ssl
          port: 8883
          ssl: true
          ssl_certificate: "emqx-listener-tls" # name of the secret in the same namespace
          verify: "required"
          ssl_cafile: "emqx-listener-tls"
      tcp_request_rule_list:
        - index: 0
          type: inspect-delay
          timeout: 10
        - index: 1
          type: content
          action: reject
          cond: unless
          expr: "req.payload(0,0),mqtt_is_valid"
    service:
      name: emqx-listeners
      port: 1883
```
While this works for `ssl_certificate` when pointing to a secret name, it seems the controller treats `ssl_cafile` differently and expects it to be an actual file path. Looking at the relevant Go code:

https://github.com/haproxytech/kubernetes-ingress/blob/1b138f31a99d35a203d817e7dd15c6b83a9d8f5d/pkg/handler/tcp-cr.go#L234-L257

There is no similar logic for `ssl_cafile`, which leads me to believe secrets are not supported there in the same way.
- Is there a reason `ssl_cafile` does not support referencing a secret name the way `ssl_certificate` does?
- Would you be open to a merge request adding similar support for `ssl_cafile` (i.e., allowing a Kubernetes Secret name in the same namespace to be mounted and used)?
- In the meantime, what's the recommended way to supply a CA file? Should it be mounted manually to a specific path and referenced via `ssl_cafile`? Where would I mount that file?
Thanks in advance for your help and for maintaining this project!
– Tom
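Added illustration (not the controller's code and not from the issue author): what secret-backed `ssl_cafile` support would have to do, namely turn a Secret's `ca.crt` into a file path that HAProxy can load, with one check worth having in a `verify: required` setup: every certificate in the bundle must be a CA, so the leaf in `tls.crt` (the same `emqx-listener-tls` secret is used for both fields above) can never end up as a client-verification trust anchor. `ResolveCAFile`, `SelfSignedPEM`, the `<secret>.ca.pem` naming and the Data-map input are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// ResolveCAFile takes the Data map of a Kubernetes Secret, validates its ca.crt bundle,
// writes it under dir and returns the path to use for ssl_cafile. Hypothetical helper,
// not the controller's code. Any non-CA certificate in the bundle is rejected.
func ResolveCAFile(dir, secretName string, data map[string][]byte) (string, error) {
	raw, ok := data["ca.crt"]
	if !ok {
		return "", fmt.Errorf("secret %q has no ca.crt key", secretName)
	}
	count := 0
	for block, rest := pem.Decode(raw); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil || block.Type != "CERTIFICATE" || !cert.IsCA {
			return "", fmt.Errorf("ca.crt: block %d is not a valid CA certificate (%v)", count, err)
		}
		count++
	}
	if count == 0 {
		return "", fmt.Errorf("ca.crt: no certificates found")
	}
	path := filepath.Join(dir, secretName+".ca.pem")
	return path, os.WriteFile(path, raw, 0o600) // readable by the controller process only
}

// SelfSignedPEM builds a throwaway self-signed certificate (constructed demo data); isCA
// sets basicConstraints so both the accepted (CA) and rejected (leaf) cases can be shown.
func SelfSignedPEM(cn string, isCA bool) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```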