tonypd
November 16, 2022, 7:09pm
1
Where are the default rules found inside haproxy.cfg defined
in the Ingress Controller after installing it with Helm?
e.g.
global
  localpeer local
  master-worker
  pidfile /var/run/haproxy.pid
  stats socket /var/run/haproxy-runtime-api.sock expose-fd listeners level admin
  stats timeout 36000
  tune.ssl.default-dh-param 2048
  ssl-default-bind-options no-sslv3 no-tls-tickets no-tlsv10
  ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
  hard-stop-after 1800000
  log stdout format raw daemon
  server-state-file global
  server-state-base /var/state/haproxy/
  default-path config
defaults
  log global
  log-format '%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs "%HM %[var(txn.base)] %HV"'
  option redispatch 0
  option dontlognull
  option http-keep-alive
  timeout http-request 5000
  timeout connect 5000
  timeout client 10001
  timeout queue 5000
  timeout server 50000
  timeout tunnel 3600000
  timeout http-keep-alive 60000
  load-server-state-from-file global
Is there a document on the precedence of the different config methods (annotations, CRDs, Snippets, Auxiliary file)?
If I define a CRD cr-global in the ConfigMap, previously defined global annotations
are removed (ignored). If some params are not supported by CRDs but are supported by ConfigMap
annotations, how can I use the annotation version for those and simultaneously use
CRDs for their supported params without losing the annotations?
Can I define params like these with CRDs and simple annotations, without using static config methods
(Auxiliary files or Snippets)?
tune.ssl...
ssl-default-bind-...
roxyrob
November 17, 2022, 8:37am
2
I also faced a lack of information for these cases. Can you share any information about that?
roxyrob
November 18, 2022, 7:06am
3
Answer for question (4.)
Many, if not all, SSL config settings can be set using the Global Custom Resource.
Note: Be aware of the separator character: for the CRD in the HAProxy Ingress controller, use underscore “_” instead of the HAProxy standalone hyphen “-” or dot “.”.
See these links:
you’ll find ssl_* and tls_* like:
tune_ssl_default_dh_param
ssl_default_bind_options
ssl_default_bind_ciphers
ssl_default_bind_ciphersuites
ssl_default_server_options
ssl_default_server_ciphers
ssl_default_server_ciphersuites
ssl_mode_async
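The renaming rule from the answer above, applied to a generated haproxy.cfg, as an added example that is not part of the original thread or of the HAProxy project. The helper names and the shortened sample config are assumptions made here; whether a given key is accepted still depends on the Global CRD version installed in the cluster.

```python
import re

# Constructed sample: TLS-related lines from the `global` section quoted in the
# question, with the cipher list shortened for readability.
SAMPLE_CFG = """\
global
  pidfile /var/run/haproxy.pid
  tune.ssl.default-dh-param 2048
  ssl-default-bind-options no-sslv3 no-tls-tickets no-tlsv10
  ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256
defaults
  timeout client 10001
"""
SECTIONS = {"global", "defaults", "frontend", "backend", "listen", "peers",
            "resolvers", "userlist"}
# Protocol switches accepted by ssl-default-bind-options, oldest first.
VERSION_SWITCHES = [("no-sslv3", "SSLv3"), ("no-tlsv10", "TLSv1.0"), ("no-tlsv11", "TLSv1.1"),
                    ("no-tlsv12", "TLSv1.2"), ("no-tlsv13", "TLSv1.3")]

def global_directives(cfg_text):
    """Return {directive: value} for the `global` section only."""
    out, in_global = {}, False
    for line in cfg_text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue                      # blank line or comment
        if parts[0] in SECTIONS:          # a section keyword starts a new section
            in_global = parts[0] == "global"
        elif in_global:
            out[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return out

def crd_key(directive):
    """haproxy.cfg name -> Global CR key: '-' and '.' become '_' (rule from the answer)."""
    return re.sub(r"[-.]", "_", directive)

def tls_settings_for_crd(cfg_text):
    """TLS directives of the global section, renamed to CRD-style keys (values kept as text)."""
    return {crd_key(k): v for k, v in global_directives(cfg_text).items()
            if re.match(r"(tune\.ssl\.|ssl-)", k)}

def enabled_versions(bind_options):
    """Versions not switched off by no-* options (ssl-min-ver/ssl-max-ver are ignored)."""
    opts = set(bind_options.split())
    return [name for switch, name in VERSION_SWITCHES if switch not in opts]

if __name__ == "__main__":
    settings = tls_settings_for_crd(SAMPLE_CFG)
    for key, value in settings.items():
        print(f"{key}: {value!r}")
    print("not disabled:", enabled_versions(settings["ssl_default_bind_options"]))
```

With the default options shown in the question, the last line reports that TLSv1.1 is not switched off, which is worth knowing before copying those values into a Global resource unchanged.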