66{{- define "/var/lib/haproxy/conf/haproxy.config" }}
77{{- $workingDir := .WorkingDir }}
88{{- $defaultDestinationCA := .DefaultDestinationCA }}
9+ {{- $dynamicConfigManager := .DynamicConfigManager }}
910{{- $router_ip_v4_v6_mode := env "ROUTER_IP_V4_V6_MODE" "v4" }}
1011
1112
4647{{- end}}
4748 ca-base /etc/ssl
4849 crt-base /etc/ssl
50+ # TODO: Check if we can get reload to be faster by saving server state.
51+ # server-state-file /var/lib/haproxy/run/haproxy.state
4952 stats socket /var/lib/haproxy/run/haproxy.sock mode 600 level admin expose-fd listeners
5053 stats timeout 2m
5154
@@ -196,7 +199,7 @@ frontend public_ssl
196199 # for the SNI case, we also need to compare it in case-insensitive mode (by converting it to lowercase) as RFC 4343 says
197200 acl sni req.ssl_sni -m found
198201 acl sni_passthrough req.ssl_sni,lower,map_reg(/var/lib/haproxy/conf/os_sni_passthrough.map) -m found
199- use_backend be_tcp: %[req.ssl_sni,lower,map_reg(/var/lib/haproxy/conf/os_tcp_be.map)] if sni sni_passthrough
202+ use_backend %[req.ssl_sni,lower,map_reg(/var/lib/haproxy/conf/os_tcp_be.map)] if sni sni_passthrough
200203
201204 # if the route is SNI and NOT passthrough enter the termination flow
202205 use_backend be_sni if sni
@@ -367,19 +370,10 @@ backend openshift_default
367370*/}}
368371{{- range $cfgIdx, $cfg := .State }}
369372 {{- if matchValues (print $cfg.TLSTermination) "" "edge" "reencrypt" }}
370- {{- if (eq $cfg.TLSTermination "") }}
371373
372- # Plain http backend
373- backend be_http:{{$cfgIdx}}
374- {{- else if (eq $cfg.TLSTermination "edge") }}
375-
376- # Plain http backend but request is TLS, terminated at edge
377- backend be_edge_http:{{$cfgIdx}}
378- {{ else if (eq $cfg.TLSTermination "reencrypt") }}
379-
380- # Secure backend which requires re-encryption
381- backend be_secure:{{$cfgIdx}}
382- {{- end }}{{/* end chceck for router type */}}
374+ # Plain http backend or backend with TLS terminated at the edge or a
375+ # secure backend with re-encryption.
376+ backend {{genBackendNamePrefix $cfg.TLSTermination}}:{{$cfgIdx}}
383377 mode http
384378 option redispatch
385379 option forwardfor
@@ -473,12 +467,36 @@ backend be_secure:{{$cfgIdx}}
473467 {{- end }}{{/* end get serviceUnit from its name */}}
474468 {{- end }}{{/* end range over serviceUnitNames */}}
475469
470+ {{- with $dynamicConfigManager }}
471+ {{- if (eq $cfg.TLSTermination "reencrypt") }}
472+ {{- range $idx, $serverName := $dynamicConfigManager.GenerateDynamicServerNames $cfgIdx }}
473+ server {{$serverName}} 172.4.0.4:8765 weight 0 ssl disabled check inter {{firstMatch $timeSpecPattern (index $cfg.Annotations "router.openshift.io/haproxy.health.check.interval") (env "ROUTER_BACKEND_CHECK_INTERVAL") "5000ms"}}
474+ {{- if gt (len (index $cfg.Certificates (printf "%s_pod" $cfg.Host)).Contents) 0 }} verify required ca-file {{ $workingDir }}/cacerts/{{$cfgIdx}}.pem
475+ {{- else }}
476+ {{- if gt (len $defaultDestinationCA) 0 }} verify required ca-file {{ $defaultDestinationCA }}
477+ {{- else }} verify none
478+ {{- end }}
479+ {{- end }}
480+ {{- with $podMaxConn := index $cfg.Annotations "haproxy.router.openshift.io/pod-concurrent-connections" }}
481+ {{- if (isInteger (index $cfg.Annotations "haproxy.router.openshift.io/pod-concurrent-connections")) }} maxconn {{$podMaxConn}} {{- end }}
482+ {{- end}}{{/* end pod-concurrent-connections annotation */}}
483+ {{- end }}{{/* end range over dynamic server names */}}
484+
485+ {{- else }}
486+ {{- with $name := $dynamicConfigManager.ServerTemplateName $cfgIdx }}
487+ {{- with $size := $dynamicConfigManager.ServerTemplateSize $cfgIdx }}
488+ server-template {{$name}}- 1-{{$size}} 172.4.0.4:8765 check disabled
489+ {{- end }}
490+ {{- end }}
491+ {{- end }}
492+ {{- end }}
493+
476494 {{- end }}{{/* end if tls==edge/none/reencrypt */}}
477495
478496 {{- if eq $cfg.TLSTermination "passthrough" }}
479497
480498# Secure backend, pass through
481- backend be_tcp :{{$cfgIdx}}
499+ backend {{genBackendNamePrefix $cfg.TLSTermination}} :{{$cfgIdx}}
482500{{- if ne (env "ROUTER_SYSLOG_ADDRESS") ""}}
483501 option tcplog
484502{{- end }}
@@ -528,6 +546,15 @@ backend be_tcp:{{$cfgIdx}}
528546 {{- end }}{{/* end get ServiceUnit from serviceUnitName */}}
529547 {{- end }}{{/* end if weight != 0 */}}
530548 {{- end }}{{/* end iterate over services*/}}
549+
550+ {{- with $dynamicConfigManager }}
551+ {{- with $name := $dynamicConfigManager.ServerTemplateName $cfgIdx }}
552+ {{- with $size := $dynamicConfigManager.ServerTemplateSize $cfgIdx }}
553+ server-template {{$name}}- 1-{{$size}} 172.4.0.4:8765 check disabled
554+ {{- end }}
555+ {{- end }}
556+ {{- end }}
557+
531558 {{- end }}{{/*end tls==passthrough*/}}
532559
533560{{- end }}{{/* end loop over routes */}}
@@ -564,6 +591,7 @@ backend be_tcp:{{$cfgIdx}}
564591{{ end -}}{{/* end http host map template */}}
565592
566593
594+
567595{{/*
568596 os_edge_reencrypt_be.map : contains a mapping of www.example.com -> <service name>. This map is similar to os_http_be.map but for tls routes.
569597 by attaching prefix: be_edge_http for edge terminated routes
@@ -590,7 +618,7 @@ backend be_tcp:{{$cfgIdx}}
590618
591619{{/*
592620 os_tcp_be.map: contains a mapping of www.example.com -> <service name>. This map is used to discover the correct backend
593- by attaching a prefix (be_tcp: or be_secure:) by use_backend statements if acls are matched.
621+ by use_backend statements if acls are matched.
594622*/}}
595623{{ define "/var/lib/haproxy/conf/os_tcp_be.map" -}}
596624{{ range $idx, $line := generateHAProxyMap . -}}
0 commit comments