How to configure PROXY protocol for an ingress controller in OpenShift while using HAProxy load balancer

Solution Verified - Updated

Environment

  • Red Hat OpenShift Container Platform
    • 4

Issue

  • How to configure PROXY protocol for an ingress controller in OpenShift while using HAProxy load balancer?
  • Unable to access OpenShift routes after enabling PROXY protocol in ingress controller
  • What changes need to be made on the HAProxy side when configuring the PROXY protocol on the OpenShift ingress controller?

Resolution

  • A cluster administrator can configure the PROXY protocol when an Ingress Controller uses either the HostNetwork or NodePortService endpoint publishing strategy types.
  • To prevent connection failures, configure both the Ingress Controller and the load balancer to use the PROXY protocol. On the HAProxy side, add the send-proxy option to each backend server line in the listen sections that front the router nodes, for example:
listen ingress-router-80
    bind *:80
    mode tcp
    balance source
    server worker0 worker-0.openshift48.lab.redhat.com:80 check send-proxy inter 1s
    server worker1 worker-1.openshift48.lab.redhat.com:80 check send-proxy inter 1s
    server worker2 worker-2.openshift48.lab.redhat.com:80 check send-proxy inter 1s

listen ingress-router-443
    bind *:443
    mode tcp
    balance source
    server worker0 worker-0.openshift48.lab.redhat.com:443 check send-proxy inter 1s
    server worker1 worker-1.openshift48.lab.redhat.com:443 check send-proxy inter 1s
    server worker2 worker-2.openshift48.lab.redhat.com:443 check send-proxy inter 1s
  • Edit the Ingress Controller resource and set either the spec.endpointPublishingStrategy.hostNetwork.protocol or the spec.endpointPublishingStrategy.nodePort.protocol subfield to PROXY, depending on which endpoint publishing strategy is in use:
  spec:
    endpointPublishingStrategy:
      hostNetwork:
        protocol: PROXY
      type: HostNetwork

  spec:
    endpointPublishingStrategy:
      nodePort:
        protocol: PROXY
      type: NodePortService
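As an added illustration that is not part of this article or of OpenShift, the script below builds the PROXY protocol v1 header that HAProxy's send-proxy option prepends to each TCP connection and parses it as a PROXY-enabled router would, which shows why a router set to protocol: PROXY rejects plain connections from a balancer that lacks send-proxy. All addresses, ports and the HTTP request are constructed sample values.

```python
"""Build and validate PROXY protocol v1 headers (what HAProxy 'send-proxy' emits).

Constructed example, not the article's or OpenShift's own code. It shows the
header the load balancer must prepend once the Ingress Controller is set to
protocol: PROXY, and why a backend expecting it rejects raw HTTP.
"""
import ipaddress

MAX_V1_HEADER = 107  # v1 spec: header is at most 107 bytes including CRLF


def build_proxy_v1(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Return the v1 header HAProxy 'send-proxy' puts in front of the TCP stream."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination address families differ")
    family = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {family} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")


def parse_proxy_v1(stream: bytes):
    """Split a connection's first bytes into (client info, remaining payload).

    Raises ValueError when no valid header is present, which is what a
    PROXY-enabled router does with a connection from a balancer that lacks
    'send-proxy' (the symptom: routes stop answering).
    """
    if not stream.startswith(b"PROXY "):
        raise ValueError("expected PROXY protocol header, got raw payload")
    end = stream.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("PROXY header not terminated within 107 bytes")
    fields = stream[:end].decode("ascii").split(" ")
    if fields[1] == "UNKNOWN":  # health checks may send this; no client info
        return None, stream[end + 2:]
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"malformed PROXY header: {fields}")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    info = {"family": fields[1], "src": str(src), "dst": str(dst),
            "src_port": sport, "dst_port": dport}
    return info, stream[end + 2:]


if __name__ == "__main__":
    http = b"GET / HTTP/1.1\r\nHost: app.example.test\r\n\r\n"  # constructed request
    hdr = build_proxy_v1("203.0.113.7", "10.0.0.12", 51234, 443)
    info, payload = parse_proxy_v1(hdr + http)
    print(info)  # the real client address the router can log or forward
```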

Root Cause

  • HAProxy runs in TCP mode while acting as a reverse proxy in front of the nodes that host the router pods. In TCP mode the incoming traffic is forwarded as-is and no HTTP-level parsing takes place, so HAProxy does not set the X-Forwarded-For header; the PROXY protocol is what carries the original client address to the router at the TCP layer instead.