    WIP: initial, limited implementation of TLS onload. · d72a0d36
    Geoff Simmons authored
    This uses haproxy for TLS connections to IngressBackends, and the
    via feature of the klarlack implementation of Varnish. See:
    
    https://github.com/varnishcache/varnish-cache/pull/3128
    
    Adds the spec.tls object to the BackendConfig CRD, which configures
    TLS onload for a backend.
    
    Limitations: currently only verify:false and the maxConn settings
    are implemented. Specification of CA certificates and the stick
    table configuration for haproxy are not yet implemented. Currently
    TLS onload may only be specified for one backend (no more than one
    BackendConfig).
    
    Adds the CLI option -varnishImpl to the controller. TLS onload is
    only supported if this option is set to "klarlack". Otherwise, the
    presence of the tls object in a BackendConfig leads to a SyncFatalError,
    with a message that it's only supported for klarlack, and the
    BackendConfig is not synced.
    
    If the backend Service specified for TLS onload has type ExternalName,
    then 3 server instances are configured for the haproxy backend. This
    value is currently hard-wired, and may be made configurable in a future
    iteration. For any other Service type, there are as many haproxy server
    instances as there are Endpoints (Pods) in the k8s cluster.
    
    If maxConn is not specified in the BackendConfig, it defaults to
    2000 (the haproxy default).