travisghansen / kubernetes-pfsense-controller

Integrate Kubernetes and pfSense
Apache License 2.0

enable Use Offloading (plugins haproxy-declarative, haproxy-ingress-proxy) #19

Open andruwa13 opened 2 years ago

andruwa13 commented 2 years ago

How can I enable offloading on the frontend? [Screenshot: Services - HAProxy - Frontend, 2022-03-14 17-42-29]

travisghansen commented 2 years ago

I don't think I currently support that feature. It probably would not be too difficult to add and would likely need to be specified as an annotation on the ingress.

travisghansen commented 1 year ago

What else do you need to set besides that checkbox?

travisghansen commented 1 year ago

I've implemented something like this (annotation on a per-ingress basis):

haproxy-ingress-proxy.pfsense.org/frontendDefinitionTemplate: '{"ssloffloadcert":"5e99cce0e6dd8","ssloffload":"yes"}'

This is based off of a structure that looks like this for the whole entry (note the important things are automatically filled in for you, i.e. the acls, etc.):

{
  "name":"",
  "desc":"created by kpc - do not edit",
  "status":"active",
  "secondary":"yes",
  "primary_frontend":"http-80-copy",
  "ha_acls":{
     "item":[
        {
           "name":"",
           "expression":"custom",
           "value":"",
           "backendservercountbackend":"",
           "_index":""
        }
     ]
  },
  "a_actionitems":{
     "item":[
        {
           "action":"use_backend",
           "acl":"",
           "use_backendbackend":"",
           "_index":""
        }
     ]
  },
  "ha_certificates":{
     "item":[
        {
           "ssl_certificate":"5e99cce0e6dd8",
           "_index":""
        }
     ]
  },
  "clientcert_ca":"",
  "clientcert_crl":"",
  "a_extaddr":"",
  "a_errorfiles":"",
  "type":"http",
  "httpclose":"http-keep-alive",
  "ssloffloadcert":"5e99cce0e6dd8",
  "ssloffload":"yes",
  "advanced":"",
  "ssloffloadacladditional":"yes"
}

travisghansen commented 1 year ago

Released in v0.5.12.

travisghansen commented 1 year ago

Better late than never they say ;)

hansaya commented 1 year ago

I was trying to add a new ACL to one of the applications. This method did not work for me. I'm guessing only use_backend action is allowed?

      haproxy-ingress-proxy.pfsense.org/frontendDefinitionTemplate: |-
        '"ha_acls":{
          "item":[
              {
                "name":"url_discovery",
                "expression":"custom",
                "value":"path /.well-known/caldav /.well-known/carddav",
              }
          ]
        },
        "a_actionitems":{
          "item":[
              {
                "action":"http-request redirect",
                "acl":"url_discovery",
                "rule":"location /remote.php/dav/ code 301",
              }
          ]
        }'

travisghansen commented 1 year ago

Ah! Right now I actually overwrite the acls and actions entirely but I think I can support what you’ve shown. I’ll respond again when I have an updated build.

hansaya commented 1 year ago

If it helps, this is the end goal I'm trying to get at

Example:

acl         shared-https-url-discovery  path /.well-known/caldav /.well-known/carddav
http-request redirect location /remote.php/dav/ code 301  if  shared-https-url-discovery aclcrt_shared-https

Currently I can apply this to a shared frontend but this is only for a specific app. Thanks again for working on this

travisghansen commented 1 year ago

Those rules would need to also have host and prefix (from the ingress) to be effective right? Otherwise potentially across many ingresses you'll end up with a bunch of conflicting rules and it will be first one wins?

hansaya commented 1 year ago

Yes, currently I didn't have any conflicts so I kept it on my shared frontend. Ideally this needs to only apply to a single host/frontend.

travisghansen commented 1 year ago

I've put a bit of thought into how the template could have placeholders in it and it seems pretty messy. Instead you'll just need to hard-code the rules in the template directly with host/path as appropriate.

Using v0.5.14 the template acls/actions should not get overwritten: https://github.com/travisghansen/kubernetes-pfsense-controller/commit/6a51285515bc6a26effc98b0fd3488d8034b1c08

hansaya commented 11 months ago

Sorry for taking some time to get to this. Have you seen this warning on 0.5.14?

2023-10-09T15:44:32+00:00 plugin (pfsense-dns-haproxy-ingress-proxy): /v1/namespaces/network/ConfigMap/kpc-primary-kubernetes-pfsense-controller-store ADDED - 90085857
PHP Warning:  Undefined array key "ha_acls" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 248
2023-10-09T15:44:35.275757887Z PHP Warning:  Undefined array key "a_actionitems" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 256
PHP Warning:  Undefined array key "ha_acls" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 248
2023-10-09T15:44:35.275778657Z PHP Warning:  Undefined array key "a_actionitems" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 256
2023-10-09T15:44:35.275785168Z PHP Warning:  Undefined array key "ha_acls" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 248
2023-10-09T15:44:35.275791748Z PHP Warning:  Undefined array key "a_actionitems" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 256
PHP Warning:  Undefined array key "ha_acls" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 248
2023-10-09T15:44:35.275806100Z PHP Warning:  Undefined array key "a_actionitems" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 256

We might need to add a safety check around your is_array check

                if (!isset($frontend['ha_acls']) || !is_array($frontend['ha_acls'])) {
                    $frontend['ha_acls'] = ['item' => []];
                }

hansaya commented 11 months ago

For anyone stumbling across this post who wants to add acls and actions, this is my working example:

haproxy-ingress-proxy.pfsense.org/frontendDefinitionTemplate: |-
        {
          "ha_acls": {
              "item": [
                  {
                      "name": "nextcloud-url-discovery",
                      "expression": "custom",
                      "value": "path /.well-known/caldav /.well-known/carddav"
                  }
              ]
          },
          "a_actionitems": {
              "item": [
                  {
                      "action": "http-request_redirect",
                      "acl": "nextcloud-url-discovery",
                      "http-request_redirectrule": "location /remote.php/dav/ code 301"
                  }
              ]
          }
        }
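
A pre-apply check for the `frontendDefinitionTemplate` annotation value, added here as an example (not code from the thread or from kubernetes-pfsense-controller). It parses the value as JSON, defaults missing `ha_acls`/`a_actionitems` sections the way the `isset`/`is_array` guard above does, and reports actions that name an ACL the template does not define. The function names `normalize` and `lint` are hypothetical, and the dangling-ACL rule assumes the template is meant to be self-contained.

```python
import json

SECTIONS = ("ha_acls", "a_actionitems")  # section keys used by the templates in this thread

# Working template from the thread, and the offloading-only one from earlier in it.
WORKING = """{
  "ha_acls": {"item": [{"name": "nextcloud-url-discovery", "expression": "custom",
                        "value": "path /.well-known/caldav /.well-known/carddav"}]},
  "a_actionitems": {"item": [{"action": "http-request_redirect",
                              "acl": "nextcloud-url-discovery",
                              "http-request_redirectrule": "location /remote.php/dav/ code 301"}]}
}"""
OFFLOAD_ONLY = '{"ssloffloadcert":"5e99cce0e6dd8","ssloffload":"yes"}'
# Constructed samples: a quoted fragment with a trailing comma, and a dangling ACL reference.
BROKEN = '\'"ha_acls":{"item":[{"name":"url_discovery",}]}\''
DANGLING = '{"a_actionitems":{"item":[{"action":"http-request_redirect","acl":"no-such-acl"}]}}'

def normalize(tpl):
    """Default a missing or malformed section to {"item": []} (same idea as the PHP guard)."""
    out = dict(tpl)
    for key in SECTIONS:
        sec = out.get(key)
        if not isinstance(sec, dict) or not isinstance(sec.get("item"), list):
            out[key] = {"item": []}
    return out

def lint(text):
    """Return a list of problems found in an annotation value (empty list = none)."""
    try:
        tpl = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno} col {exc.colno}"]
    if not isinstance(tpl, dict):
        return ["top level must be a JSON object"]
    tpl = normalize(tpl)
    defined = {a.get("name") for a in tpl["ha_acls"]["item"] if isinstance(a, dict)}
    problems = []
    for i, act in enumerate(tpl["a_actionitems"]["item"]):
        acl_names = str(act.get("acl", "")).split() if isinstance(act, dict) else []
        for name in acl_names:
            if name not in defined:
                problems.append(f"a_actionitems[{i}]: ACL '{name}' is not defined in this template")
    return problems

if __name__ == "__main__":
    for label, sample in [("working", WORKING), ("offload-only", OFFLOAD_ONLY),
                          ("broken", BROKEN), ("dangling", DANGLING)]:
        print(label, lint(sample) or "ok")
```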