kubernetes-pfsense-controller
enable Use Offloading (plugins haproxy-declarative, haproxy-ingress-proxy)
How can I enable offloading on the frontend?
I don't think I currently support that feature. It probably would not be too difficult to add and would likely need to be specified as an annotation on the ingress.
What else do you need to set besides that checkbox?
I've implemented something like this (annotation on per-ingress basis):
haproxy-ingress-proxy.pfsense.org/frontendDefinitionTemplate: '{"ssloffloadcert":"5e99cce0e6dd8","ssloffload":"yes"}'
This is based off of a structure that looks like this for the whole entry (note the important things are automatically filled in for you, i.e. the acls, etc.):
{
  "name":"",
  "desc":"created by kpc - do not edit",
  "status":"active",
  "secondary":"yes",
  "primary_frontend":"http-80-copy",
  "ha_acls":{
    "item":[
      {
        "name":"",
        "expression":"custom",
        "value":"",
        "backendservercountbackend":"",
        "_index":""
      }
    ]
  },
  "a_actionitems":{
    "item":[
      {
        "action":"use_backend",
        "acl":"",
        "use_backendbackend":"",
        "_index":""
      }
    ]
  },
  "ha_certificates":{
    "item":[
      {
        "ssl_certificate":"5e99cce0e6dd8",
        "_index":""
      }
    ]
  },
  "clientcert_ca":"",
  "clientcert_crl":"",
  "a_extaddr":"",
  "a_errorfiles":"",
  "type":"http",
  "httpclose":"http-keep-alive",
  "ssloffloadcert":"5e99cce0e6dd8",
  "ssloffload":"yes",
  "advanced":"",
  "ssloffloadacladditional":"yes"
}
Released in v0.5.12.
Better late than never they say ;)
I was trying to add a new ACL to one of the applications. This method did not work for me. I'm guessing only use_backend action is allowed?
haproxy-ingress-proxy.pfsense.org/frontendDefinitionTemplate: |-
  '"ha_acls":{
    "item":[
      {
        "name":"url_discovery",
        "expression":"custom",
        "value":"path /.well-known/caldav /.well-known/carddav",
      }
    ]
  },
  "a_actionitems":{
    "item":[
      {
        "action":"http-request redirect",
        "acl":"url_discovery",
        "rule":"location /remote.php/dav/ code 301",
      }
    ]
  }'
Ah! Right now I actually overwrite the acls and actions entirely but I think I can support what you’ve shown. I’ll respond again when I have an updated build.
If it helps, this is the end goal I'm trying to get at
Example:
acl shared-https-url-discovery path /.well-known/caldav /.well-known/carddav
http-request redirect location /remote.php/dav/ code 301 if shared-https-url-discovery aclcrt_shared-https
Currently I can apply this to a shared frontend but this is only for a specific app. Thanks again for working on this
Those rules would need to also have host and prefix (from the ingress) to be effective right? Otherwise potentially across many ingresses you'll end up with a bunch of conflicting rules and it will be first one wins?
Yes, currently I haven't had any conflicts so I kept it on my shared frontend. Ideally this needs to only apply to a single host/frontend.
I've put a bit of thought into how the template could have placeholders in it and it seems pretty messy. Instead you'll just need to hard-code the rules in the template directly with host/path as appropriate.
Using v0.5.14 the template acls/actions should not get overwritten: https://github.com/travisghansen/kubernetes-pfsense-controller/commit/6a51285515bc6a26effc98b0fd3488d8034b1c08
Sorry for taking some time to get to this. Have you seen this warning on 0.5.14?
2023-10-09T15:44:32+00:00 plugin (pfsense-dns-haproxy-ingress-proxy): /v1/namespaces/network/ConfigMap/kpc-primary-kubernetes-pfsense-controller-store ADDED - 90085857
PHP Warning: Undefined array key "ha_acls" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 248
2023-10-09T15:44:35.275757887Z PHP Warning: Undefined array key "a_actionitems" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 256
PHP Warning: Undefined array key "ha_acls" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 248
2023-10-09T15:44:35.275778657Z PHP Warning: Undefined array key "a_actionitems" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 256
2023-10-09T15:44:35.275785168Z PHP Warning: Undefined array key "ha_acls" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 248
2023-10-09T15:44:35.275791748Z PHP Warning: Undefined array key "a_actionitems" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 256
PHP Warning: Undefined array key "ha_acls" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 248
2023-10-09T15:44:35.275806100Z PHP Warning: Undefined array key "a_actionitems" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 256
We might need to add a safety check around your is_array check
if (!isset($frontend['ha_acls']) || !is_array($frontend['ha_acls'])) {
    $frontend['ha_acls'] = ['item' => []];
}
For anyone stumbling across this post who wants to add acls and actions, this is my working example:
haproxy-ingress-proxy.pfsense.org/frontendDefinitionTemplate: |-
  {
    "ha_acls": {
      "item": [
        {
          "name": "nextcloud-url-discovery",
          "expression": "custom",
          "value": "path /.well-known/caldav /.well-known/carddav"
        }
      ]
    },
    "a_actionitems": {
      "item": [
        {
          "action": "http-request_redirect",
          "acl": "nextcloud-url-discovery",
          "http-request_redirectrule": "location /remote.php/dav/ code 301"
        }
      ]
    }
  }
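A pre-deploy lint for the annotation value, added here as an example (it is not part of the thread or of the controller's code). It rejects malformed JSON such as the failed attempt earlier in the thread and flags actions whose ACLs carry no host match, the shared-frontend conflict raised in the discussion. The function names, finding labels, the `hdr(host)` heuristic and the space-separated handling of `acl` are assumptions.

```python
import json

# Constructed sample: shaped like the failed attempt (no outer braces, trailing comma).
BROKEN = '''"ha_acls":{"item":[{"name":"url_discovery","expression":"custom",
"value":"path /.well-known/caldav /.well-known/carddav",}]}'''

# Constructed sample: same shape as the working example in the thread.
WORKING = '''{
  "ha_acls": {"item": [{"name": "nextcloud-url-discovery", "expression": "custom",
    "value": "path /.well-known/caldav /.well-known/carddav"}]},
  "a_actionitems": {"item": [{"action": "http-request_redirect",
    "acl": "nextcloud-url-discovery",
    "http-request_redirectrule": "location /remote.php/dav/ code 301"}]}
}'''

def _items(tpl, key):
    """Return tpl[key]['item'] as a list of dicts, tolerating a missing key."""
    section = tpl.get(key)
    items = section.get("item", []) if isinstance(section, dict) else []
    return [i for i in items if isinstance(i, dict)] if isinstance(items, list) else []

def lint_template(text):
    """Return a list of findings for one annotation value (empty list = clean)."""
    try:
        tpl = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid-json: {exc.msg} at line {exc.lineno}"]
    if not isinstance(tpl, dict):
        return ["invalid-json: top level must be an object"]
    findings = []
    acls = {a.get("name"): str(a.get("value", "")) for a in _items(tpl, "ha_acls")}
    for action in _items(tpl, "a_actionitems"):
        # Assumption: 'acl' may list several ACL names separated by spaces.
        names = str(action.get("acl", "")).split()
        for name in names:
            if name not in acls:
                findings.append(f"undefined-acl: {name}")
        # Heuristic: the action is host-scoped if any ACL it uses matches hdr(host).
        if not any("hdr(host)" in acls.get(n, "").lower() for n in names):
            findings.append(f"no-host-match: {action.get('action')}")
    return findings

if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("working", WORKING)):
        print(label, lint_template(sample))
```

An `undefined-acl` finding only means the name is not defined in this template; ACLs created elsewhere on the frontend will also trigger it.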