fix default host as a ssl-passthrough

SSL passthrough domains are added in the same hostname maps used to route http requests. They share most of their configurations with a few exceptions. One of these exceptions weren't properly implemented - default host was always being configured in the http proxy. This update checks if the default host is an ssl passthrough, properly configuring it in the tcp proxy instead.
jcmoraisjr · Apr 13, 2021 · 076bb25 · 076bb25
1 parent f3be642
commit 076bb25
Show file tree

Hide file tree

Showing 5 changed files with 60 additions and 1 deletion.
diff --git a/pkg/converters/ingress/ingress.go b/pkg/converters/ingress/ingress.go
@@ -195,6 +195,9 @@ func (c *converter) syncIngress(ing *extensions.Ingress) {
 
 func (c *converter) syncAnnotations() {
 	c.updater.UpdateGlobalConfig(c.haproxy, c.globalConfig)
+	if ann, found := c.hostAnnotations[c.haproxy.DefaultHost()]; found {
+		c.updater.UpdateHostConfig(c.haproxy.DefaultHost(), ann)
+	}
 	for _, host := range c.haproxy.Hosts() {
 		if ann, found := c.hostAnnotations[host]; found {
 			c.updater.UpdateHostConfig(host, ann)

diff --git a/pkg/converters/ingress/ingress_test.go b/pkg/converters/ingress/ingress_test.go
@@ -1075,6 +1075,12 @@ func TestSyncAnnPassthrough(t *testing.T) {
 				"ingress.kubernetes.io/ssl-passthrough":           "true",
 				"ingress.kubernetes.io/ssl-passthrough-http-port": "9000",
 			}),
+		c.createIng2Ann("default/echo4", "echo:8443",
+			map[string]string{
+				"ingress.kubernetes.io/app-root":                  "/login",
+				"ingress.kubernetes.io/ssl-passthrough":           "true",
+				"ingress.kubernetes.io/ssl-passthrough-http-port": "9090",
+			}),
 	)
 
 	c.compareConfigFront(`
@@ -1088,6 +1094,14 @@ func TestSyncAnnPassthrough(t *testing.T) {
     backend: default_echo_8443
 `)
 
+	c.compareConfigDefaultFront(`
+hostname: '*'
+paths:
+- path: /
+  backend: default_echo_8443
+rootredirect: /login
+`)
+
 	c.compareConfigBack(`
 - id: default_echo_8080
   endpoints:
@@ -1262,6 +1276,12 @@ spec:
     servicePort: ` + sservice[1]).(*extensions.Ingress)
 }
 
+func (c *testConfig) createIng2Ann(name, service string, ann map[string]string) *extensions.Ingress {
+	ing := c.createIng2(name, service)
+	ing.SetAnnotations(ann)
+	return ing
+}
+
 func (c *testConfig) createIng3(name string) *extensions.Ingress {
 	sname := strings.Split(name, "/")
 	return c.createObject(`

diff --git a/pkg/haproxy/config.go b/pkg/haproxy/config.go
@@ -243,7 +243,7 @@ func (c *config) BuildFrontendGroup() error {
 	fgroupMaps := hatypes.CreateMaps()
 	fgroup := &hatypes.FrontendGroup{
 		Frontends:         frontends,
-		HasSSLPassthrough: len(sslpassthrough) > 0,
+		HasSSLPassthrough: len(sslpassthrough) > 0 || (c.defaultHost != nil && c.defaultHost.SSLPassthrough),
 		DefaultBind:       defaultBind,
 		Maps:              fgroupMaps,
 		HTTPFrontsMap:     fgroupMaps.AddMap(c.mapsDir + "/_global_http_front.map"),

diff --git a/pkg/haproxy/instance_test.go b/pkg/haproxy/instance_test.go
@@ -2183,12 +2183,24 @@ func TestInstanceSSLPassthrough(t *testing.T) {
 	h = c.config.AcquireHost("d3.local")
 	h.AddPath(b, "/")
 	b.Endpoints = []*hatypes.Endpoint{endpointS41s}
+	b.ModeTCP = true
 	h.SSLPassthrough = true
 
 	b = c.config.AcquireBackend("d3", "app-http", "8080")
 	b.Endpoints = []*hatypes.Endpoint{endpointS41h}
 	h.HTTPPassthroughBackend = b.ID
 
+	b = c.config.AcquireBackend("d4", "app4-ssl", "8443")
+	h = c.config.AcquireHost("*")
+	h.AddPath(b, "/")
+	b.Endpoints = []*hatypes.Endpoint{endpointS41s}
+	b.ModeTCP = true
+	h.SSLPassthrough = true
+
+	b = c.config.AcquireBackend("d4", "app4-http", "8080")
+	b.Endpoints = []*hatypes.Endpoint{endpointS41h}
+	h.HTTPPassthroughBackend = b.ID
+
 	c.Update()
 	c.checkConfig(`
 <<global>>
@@ -2200,7 +2212,13 @@ backend d3_app-http_8080
     mode http
     server s41h 172.17.0.141:8080 weight 100
 backend d3_app-ssl_8443
+    mode tcp
+    server s41s 172.17.0.141:8443 weight 100
+backend d4_app4-http_8080
     mode http
+    server s41h 172.17.0.141:8080 weight 100
+backend d4_app4-ssl_8443
+    mode tcp
     server s41s 172.17.0.141:8443 weight 100
 <<backends-default>>
 listen _front__tls
@@ -2211,8 +2229,10 @@ listen _front__tls
     tcp-request content accept if { req.ssl_hello_type 1 }
     use_backend %[var(req.sslpassback)] if { var(req.sslpassback) -m found }
     # default backend
+    use_backend d4_app4-ssl_8443
     server _default_server_front001_socket unix@/var/run/_front001_socket.sock send-proxy-v2
 <<frontend-http>>
+    use_backend d4_app4-http_8080
     default_backend _error404
 frontend _front001
     mode http

diff --git a/rootfs/etc/haproxy/template/haproxy.tmpl b/rootfs/etc/haproxy/template/haproxy.tmpl
@@ -684,6 +684,15 @@ listen _front__tls
 
 {{- /*------------------------------------*/}}
     # default backend
+{{- if $cfg.DefaultHost }}
+{{- if $cfg.DefaultHost.SSLPassthrough }}
+{{- range $path := $cfg.DefaultHost.Paths }}
+{{- if eq $path.Path "/" }}
+    use_backend {{ $path.Backend.ID }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
     server _default_server{{ $fgroup.DefaultBind.Name }} {{ $fgroup.DefaultBind.Socket }} send-proxy-v2
 {{- end }}
 
@@ -829,6 +838,11 @@ frontend _front_http
     use_backend _acme_challenge if acme-challenge
 {{- end }}
 
+{{- if $cfg.DefaultHost }}
+{{- if $cfg.DefaultHost.HTTPPassthroughBackend }}
+    use_backend {{ $cfg.DefaultHost.HTTPPassthroughBackend }}
+{{- end }}
+{{- end }}
 {{- template "defaultbackend" map $cfg }}
 
   # # # # # # # # # # # # # # # # # # #
@@ -1032,11 +1046,13 @@ frontend {{ $frontend.Name }}
 {{- define "defaultbackend" }}
 {{- $cfg := .p1 }}
 {{- if $cfg.DefaultHost }}
+{{- if not $cfg.DefaultHost.SSLPassthrough }}
 {{- range $path := $cfg.DefaultHost.Paths }}
     use_backend {{ $path.Backend.ID }}
         {{- if ne $path.Path "/" }} if { path_beg {{ $path.Path }} }{{ end }}
 {{- end }}
 {{- end }}
+{{- end }}
 {{- if $cfg.DefaultBackend }}
     default_backend {{ $cfg.DefaultBackend.ID }}
 {{- else }}