CiscoCloud / haproxy-consul

Dynamic haproxy configuration using consul
Apache License 2.0
168 stars, 85 forks

Why HAPROXY_DOMAIN ? #18

Open auguster opened 9 years ago

auguster commented 9 years ago

I've been using haproxy-consul for some weeks now and I still don't get the requirement of specifying the HAPROXY_DOMAIN environment variable for consul use.

Wouldn't it be easier to just define the acl in the tmpl file like this:

```
acl host_{{ .Name }} hdr(host) -m beg {{ .Name }}.
use_backend {{ .Name }}_backend if host_{{ .Name }}
```

Notice the dot following the second occurrence of {{ .Name }}. It is here to ensure that services don't get confused (for example "mail" and "mailinglist").

I'm not sure though how this would work on the marathon counterpart but I don't believe HAPROXY_DOMAIN should be a requirement for at least consul.

I went even further and extended the tmpl file for multiple-domain use, using consul's tags for storing the domains in the form <domain>_<tld>.

Here are the relevant parts:

```
# Generated automatically by consul-template

# tagged services, the tag is used for domain information
{{ range $tag, $services := services | byTag }}
{{ range $services}}
    acl host_{{ .Name }}_{{ $tag}} hdr(host) -i {{ .Name }}.{{ $tag |replaceAll "_" "." }}
    use_backend {{ .Name }}_{{$tag}}_backend if host_{{ .Name }}_{{ $tag }}
{{ end }}
{{ end }}

# untagged services, the starting part of the url is used
{{range services}}{{if eq (.Tags |len) 0 }}
    acl host_{{ .Name }} hdr(host) -m beg {{ .Name }}.
    use_backend {{ .Name }}_backend if host_{{ .Name }}
{{ end }}{{ end }}

# backend definition for tagged services
{{ range $tag, $services := services | byTag }}{{range $services}}
backend {{ .Name }}_{{$tag}}_backend{{ range service (print $tag "." .Name) }}
   server {{ .Node }} {{ .Address }}:{{ .Port }}{{ end }}
{{ end }}{{ end }}

# backend definition for untagged services
{{ range services }}{{ if eq (.Tags |len) 0 }}
backend {{ .Name }}_backend{{ range service .Name }}
   server {{ .Node }} {{ .Address }}:{{ .Port }}{{ end }}
{{ end }}{{ end }}
```

There is a lot of room for improvement ;-)

auguster commented 9 years ago

By the way, the byTag requires consul-template version 0.9.0 or more. I upgraded the Dockerfile, works great.

stevendborrelli commented 9 years ago

That is pretty cool.

We used the HAPROXY_DOMAIN for simplicity of deployment. By changing the var and restarting the container we could easily move cluster DNS suffixes.

auguster commented 9 years ago

I see, but I feel that this domain information should come from consul itself. When consul supports metadata as mentioned in http://gliderlabs.com/registrator/latest/user/services/ (Attrs field) it will be really easy to do.

I'm not sure that you need a DNS suffix anyway, it doesn't really add security.

stevendborrelli commented 9 years ago

We use the DNS suffix for external traffic. First we create a wildcard DNS like *.our-domain.com, and then set the HAPROXY_DOMAIN variable to "our-domain.com".

auguster commented 9 years ago

That's also what I did :)
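
The Host-matching rules discussed in this thread, modelled as an added Python example (not code from the thread or from haproxy-consul) to show which Host headers each rule style routes. The service list and Host values are constructed, and the HAPROXY_DOMAIN rule is assumed to be an exact `-i` match on `<name>.<domain>`.

```python
# Added example: a model of HAProxy's first-match use_backend evaluation for
# the ACL styles in this thread. All names and Host values are constructed.

SERVICES = [("mail", []), ("mailinglist", []), ("web", ["example_com"])]

def acl_beg(host, name):
    # hdr(host) -m beg <name>.  -> case-sensitive prefix match (no -i flag)
    return host.startswith(name + ".")

def acl_exact(host, fqdn):
    # hdr(host) -i <fqdn>  -> case-insensitive match on the whole header value
    return host.lower() == fqdn.lower()

def route_template(host, services):
    """Rules as generated by the tag-based template: tagged services first."""
    for name, tags in services:
        for tag in tags:
            if acl_exact(host, f"{name}.{tag.replace('_', '.')}"):
                return f"{name}_{tag}_backend"
    for name, tags in services:
        if not tags and acl_beg(host, name):
            return f"{name}_backend"
    return None  # no ACL matched; a default_backend, if configured, would apply

def route_domain(host, services, domain):
    """Assumed HAPROXY_DOMAIN-style rule: exact match on <name>.<domain>."""
    for name, _tags in services:
        if acl_exact(host, f"{name}.{domain}"):
            return f"{name}_backend"
    return None

if __name__ == "__main__":
    for host in ["mail.example.com", "mailinglist.example.com",
                 "mail.anything.invalid", "Mail.example.com",
                 "web.example.com", "web.example.com:8080"]:
        print(f"{host:28} template={route_template(host, SERVICES)!s:24} "
              f"domain={route_domain(host, SERVICES, 'our-domain.com')}")
```

The prefix rule routes any Host that begins with `mail.` whatever domain follows, while the exact rules reject a Host that carries a port, such as `web.example.com:8080`.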