
single HAproxy to expose multiple kubernetes cluster kube-api service

Currently we are using haproxy to expose the kube-api using tcp:bind mode, which works fine.

We have a requirement to keep a single haproxy to handle around 4 different cluster kube-api endpoints; in this scenario tcp:bind won't work. We are planning to use an acl to match the host string for the different clusters to route to the corresponding backend using http mode. When we add ssl we get the below error.

Unable to connect to the server: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    daemon
    user                haproxy
    group               haproxy
    log                 /dev/log local6 notice
    log                 /dev/log local5 info
    maxconn             50000
    #chroot              /var/lib/haproxy
    pidfile             /var/run/haproxy.pid

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                 tcp
    option               tcplog
    log                  global
    option               dontlognull
    timeout connect      5000
    timeout client       50000
    timeout server       50000

#---------------------------------------------------------------------
# dedicated stats page
#---------------------------------------------------------------------
listen stats
    mode http
    bind :22222
    stats enable
    stats uri            /haproxy?stats
    stats realm          Haproxy\ Statistics
    stats auth           <mylogin>:<mypass>
    stats refresh        30s

#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
frontend main_https_listen
    bind <ip address>:443
    mode                tcp
    option              tcplog
    log                 global
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    #---------------------------------------------------------------------
    # Common HAProxy nodes configuration
    #---------------------------------------------------------------------

    # -------------------------------
    # ACLs (still part of frontend main_https_listen)
    # -------------------------------

    acl acl_SIT_AT35073      req.ssl_sni -i <app_url1>.my.domain.net  # SIT_AT35073 is just an internal code we use, but you can use any alias
    acl acl_SIT_AT34305      req.ssl_sni -i <app_url2>.my.domain.net
    acl acl_SIT_AT28548      req.ssl_sni -i <app_urlN>.my.domain.net

    # -------------------------------
    # Conditions
    # -------------------------------

    use_backend backend_SIT_AT35073 if acl_SIT_AT35073   # same here
    use_backend backend_SIT_AT34305 if acl_SIT_AT34305
    use_backend backend_SIT_AT28548 if acl_SIT_AT28548

#---------------------------------------------------------------------
# Backends
#---------------------------------------------------------------------

# APP 1
backend backend_SIT_AT35073
    description APPNAME1
    mode tcp
    balance source
    option ssl-hello-chk
    server server_SIT_AT35073_1 <apache_server1>.my.domain.net:443 check
    server server_SIT_AT35073_2 <apache_server2>.my.domain.net:443 check

# APP 2
backend backend_SIT_AT34305
    description APPNAME2
    mode tcp
    balance source
    option ssl-hello-chk
    server server_SIT_AT34305_1 <apache_server3>.my.domain.net:443 check
    server server_SIT_AT34305_2 <apache_server4>.my.domain.net:443 check

# APP N
backend backend_SIT_AT28548
    description APPNAMEN
    mode tcp
    balance source
    option ssl-hello-chk
    server server_SIT_AT28548_1 <apache_server5>.my.domain.net:443 check
    server server_SIT_AT28548_2 <apache_server6>.my.domain.net:443 check

I have used this solution to expose multiple kube-apis, but I couldn't do it using http mode.
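In http mode HAProxy terminates TLS, so kubectl validates the proxy's own certificate instead of the apiserver's, and a Go-based client rejects a serving certificate whose only name is in the Common Name; the bind certificate therefore needs each cluster hostname as a SAN. The following is an added example, not part of the question or any answer: an http-mode layout with per-cluster ACLs and re-encryption to the apiservers, assuming SAN certificates (cert+key PEM) in /etc/haproxy/certs/, a copy of each cluster CA under /etc/haproxy/ca/, and placeholder hostnames and control-plane addresses.

```haproxy
#---------------------------------------------------------------------
# http-mode frontend (example): HAProxy terminates TLS here, so every
# certificate in /etc/haproxy/certs/ must list its cluster hostname as
# a SAN; HAProxy picks the certificate that matches the client's SNI.
#---------------------------------------------------------------------
frontend kube_api_http_mode
    bind <ip address>:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    mode                http
    option              httplog
    log                 global
    # watch / exec / logs -f keep a single request open for a long time
    timeout client      1h

    # Route on the SNI the client sent: unlike the Host header it never
    # carries a ":443" suffix (placeholder hostnames)
    acl is_cluster_a    ssl_fc_sni -i cluster-a-api.my.domain.net
    acl is_cluster_b    ssl_fc_sni -i cluster-b-api.my.domain.net

    use_backend backend_cluster_a if is_cluster_a
    use_backend backend_cluster_b if is_cluster_b
    # no default_backend: an unknown name gets HAProxy's 503, not a cluster

#---------------------------------------------------------------------
# Re-encrypt to the apiservers and verify their certificate against the
# cluster CA copied from the control plane (placeholder paths/addresses).
# verifyhost must be a name in the apiserver certificate's SAN list;
# kubeadm clusters always include "kubernetes" there.
#---------------------------------------------------------------------
backend backend_cluster_a
    mode                http
    balance             roundrobin
    timeout server      1h
    timeout tunnel      1h
    option httpchk      GET /readyz
    http-check expect   status 200
    default-server      ssl verify required ca-file /etc/haproxy/ca/cluster-a.crt verifyhost kubernetes
    server cluster_a_cp1 <cluster_a_master1>:6443 check
    server cluster_a_cp2 <cluster_a_master2>:6443 check

backend backend_cluster_b
    mode                http
    balance             roundrobin
    timeout server      1h
    timeout tunnel      1h
    option httpchk      GET /readyz
    http-check expect   status 200
    default-server      ssl verify required ca-file /etc/haproxy/ca/cluster-b.crt verifyhost kubernetes
    server cluster_b_cp1 <cluster_b_master1>:6443 check
    server cluster_b_cp2 <cluster_b_master2>:6443 check
```

Terminating TLS at the proxy also means kubectl's client-certificate authentication never reaches the apiserver, so those users need token-based auth; the TCP/SNI passthrough above leaves the apiserver's own certificate and client-cert authentication intact.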
