single HAproxy to expose multiple kubernetes cluster kube-api service

0
votes

Currently we are using haproxy to expose the kube-api using tcp:bind mode which works fine.

We have requirement to keep single haproxy to handle around 4 different cluster kube-api endpoint, in this scenario tcp:bind won't work. We are planning to use acl to match host string for different cluster to route the corresponding backuend using http mode. when we add ssl and we are getting this below error.

Unable to connect to the server: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
1
kuberneteshaproxykube-apiserver

1 Answers

0
votes
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    daemon
    user                haproxy
    group               haproxy
    log                 /dev/log local6 notice
    log                 /dev/log local5 info
    maxconn             50000
    #chroot              /var/lib/haproxy
    pidfile             /var/run/haproxy.pid

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                 tcp
    option               tcplog
    log                  global
    option               dontlognull
    timeout connect      5000
    timeout client       50000
    timeout server       50000

#---------------------------------------------------------------------
# dedicated stats page
#---------------------------------------------------------------------
listen stats
    mode http
    bind :22222
    stats enable
    stats uri            /haproxy?stats
    stats realm          Haproxy\ Statistics
    stats auth           <mylogin>:<mypass>
    stats refresh        30s

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main_https_listen
    bind <ip address>:443
    mode                tcp
    option              tcplog
    log                 global
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

#---------------------------------------------------------------------
# Common HAProxy nodes configuration
#---------------------------------------------------------------------

# -------------------------------
# ACLs
# -------------------------------

acl acl_SIT_AT35073      req.ssl_sni -i <app_url1>.my.domain.net  # SIT_AT35073 is just an internal code we use, but you can use any alias
acl acl_SIT_AT34305      req.ssl_sni -i <app_url2>.my.domain.net
acl acl_SIT_AT28548      req.ssl_sni -i <app_urlN>.my.domain.net

# -------------------------------
# Conditions
# -------------------------------

use_backend backend_SIT_AT35073 if acl_SIT_AT35073   # same here
use_backend backend_SIT_AT34305 if acl_SIT_AT34305
use_backend backend_SIT_AT28548 if acl_SIT_AT28548

#---------------------------------------------------------------------
# Backends
#---------------------------------------------------------------------

# APP 1
backend backend_SIT_AT35073
    description APPNAME1
    mode tcp
    balance source
    option ssl-hello-chk
    server server_SIT_AT35073_1 <apache_server1>.my.domain.net:443 check
    server server_SIT_AT35073_2 <apache_server2>.my.domain.net:443 check

# APP 2
backend backend_SIT_AT34305
    description APPNAME2
    mode tcp
    balance source
    option ssl-hello-chk
    server server_SIT_AT34305_1 <apache_server3>.my.domain.net:443 check
    server server_SIT_AT34305_2 <apache_server4>.my.domain.net:443 check

# APP N
backend backend_SIT_AT28548
    description APPNAMEN
    mode tcp
    balance source
    option ssl-hello-chk
    server server_SIT_AT28548_1 <apache_server5>.my.domain.net:443 check
    server server_SIT_AT28548_2 <apache_server6>.my.domain.net:443 check

I have used this solution to expose multiple kube-api but I coudn't able to do it using http mode