HAProxy in k8s: some questions

  1. Where are the default rules found inside haproxy.cfg defined
    in the Ingress Controller after it is installed with Helm?
    e.g.
global
  localpeer local
  master-worker
  pidfile /var/run/haproxy.pid
  stats socket /var/run/haproxy-runtime-api.sock expose-fd listeners level admin
  stats timeout 36000
  tune.ssl.default-dh-param 2048
  ssl-default-bind-options no-sslv3 no-tls-tickets no-tlsv10
  ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
  hard-stop-after 1800000
  log stdout format raw daemon
  server-state-file global
  server-state-base /var/state/haproxy/
  default-path config

defaults
  log global
  log-format '%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs "%HM %[var(txn.base)] %HV"'
  option redispatch 0
  option dontlognull
  option http-keep-alive
  timeout http-request 5000
  timeout connect 5000
  timeout client 10001
  timeout queue 5000
  timeout server 50000
  timeout tunnel 3600000
  timeout http-keep-alive 60000
  load-server-state-from-file global
  2. Is there a document for the different config precedence (annotations, CRDs, Snippets, Auxiliary file)?
  3. If I define a CRD cr-global in the ConfigMap, previously defined global annotations
    are removed (ignored). If some params are not supported by CRDs but are by ConfigMap
    annotations, how can I use the annotation version for those and simultaneously use
    CRDs for their supported params without losing the annotations?
  4. Can I define params like these with CRDs and simple annotations, without using static config methods
    like (Auxiliary files or Snippets)?
    tune.ssl...
    ssl-default-bind-...

I also faced a lack of information for these cases. Can you give some information about that?

Answer for question (4.)

Many, if not all, SSL config can be done using the Global Custom Resource.

Note: Be aware of the separator character: for CRDs in the HAProxy Ingress controller use underscore "_" instead of the HAProxy standalone hyphen "-" and dot ".".

See these links:

You’ll find ssl_* and tls_ like:

tune_ssl_default_dh_param
ssl_default_bind_options
ssl_default_bind_ciphers
ssl_default_bind_ciphersuites
ssl_default_server_options
ssl_default_server_ciphers
ssl_default_server_ciphersuites
ssl_mode_async
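
The separator rule from the answer, applied to the `global` section of a haproxy.cfg, as an added example that is not part of the original thread or the controller's own code. `CRD_FIELDS` is only the list given in the answer, the sample config is a shortened copy of the one in the question, and the function names are made up for this sketch; the actual field layout of the Global custom resource should be checked against the CRD installed in the cluster.

```python
import re
# Field names exactly as listed in the answer above (not read from the CRD schema).
CRD_FIELDS = {
    "tune_ssl_default_dh_param", "ssl_default_bind_options",
    "ssl_default_bind_ciphers", "ssl_default_bind_ciphersuites",
    "ssl_default_server_options", "ssl_default_server_ciphers",
    "ssl_default_server_ciphersuites", "ssl_mode_async",
}
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}  # section keywords

# Constructed sample: shortened copy of the global section quoted in the question.
SAMPLE_CFG = """\
global
  master-worker
  tune.ssl.default-dh-param 2048
  ssl-default-bind-options no-sslv3 no-tls-tickets no-tlsv10
  ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256
  hard-stop-after 1800000
defaults
  log global
"""

def to_crd_name(directive):
    """Separator rule from the answer: '-' and '.' both become '_'."""
    return re.sub(r"[-.]", "_", directive)

def global_directives(cfg_text):
    """Yield (directive, args) for every line of the 'global' section."""
    in_global = False
    for raw in cfg_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments; blank lines give []
        if tokens and tokens[0] in SECTIONS:
            in_global = tokens[0] == "global"
        elif tokens and in_global:
            yield tokens[0], tokens[1:]

def crd_candidates(cfg_text):
    """Return ({crd_field: value}, [directives not in the answer's list])."""
    mapped, unlisted = {}, []
    for directive, args in global_directives(cfg_text):
        name = to_crd_name(directive)
        if name in CRD_FIELDS:
            mapped[name] = " ".join(args)
        else:
            unlisted.append(directive)
    return mapped, unlisted

if __name__ == "__main__":
    print(crd_candidates(SAMPLE_CFG))
```

Directives that land in the second list (here `master-worker` and `hard-stop-after`) are simply not in the answer's list; whether the CRD supports them has to be checked separately.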