Main Goal:
add crt_ignore_err: "10" to https frontend

Steps to reproduce:
- deploy latest haproxytech ingress controller
  a. configure mtls with verify optional:
  example:
    config:
      client-ca: "/"
      client-crt-optional: "true"
- Create the frontend CRD to append the ignore crt error to https frontend:
    apiVersion: "ingress.v3.haproxy.org/v3"
    kind: Frontend
    metadata:
      name: example-frontend-crd
      namespace: default
    spec:
      name: example-frontend-crd
      accept_invalid_http_request: enabled
      binds:
        test:
          address: 0.0.0.0
          port: 443
          name: v4
          crt_ignore_err: "10"
- Map frontend to haproxy cm:
    config:
      cr-frontend-https: default/example-frontend-crd

Expected Results:
frontend https from haproxytech
  mode http
  bind 0.0.0.0:443 name v4 crt /etc/haproxy/certs/frontend ca-file /etc/haproxy/certs/ca/.pem ssl verify optional ca-ignore-err 10 alpn h2,http/1.1

Actual Results:
frontend creates additional bind with the same name, same port, same ip
frontend https from haproxytech
  mode http
  bind 0.0.0.0:443 name v4 crt /etc/haproxy/certs/frontend ca-file /etc/haproxy/certs/ca/.pem ssl verify optional ca-ignore-err 10 crt-ignore-err 10 alpn h2,http/1.1
  bind 0.0.0.0:443 name v4 crt-ignore-err 10
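
A check for the symptom reported above, as an added example that is not part of the original report or of the ingress controller project: it parses a rendered haproxy.cfg and flags binds declared more than once with the same address and name, binds that carry ca-ignore-err or crt-ignore-err, and such options on a bind line that has no ssl keyword. The function names are assumptions of this example, and the sample input is constructed from the Actual Results.

```python
from collections import defaultdict

# Non-exhaustive list of HAProxy section keywords, enough to find section starts.
SECTIONS = {"global", "defaults", "frontend", "backend", "listen", "userlist",
            "peers", "resolvers"}
# bind options that tell HAProxy to ignore certificate verification errors.
# Error ID 10 in the report is OpenSSL's X509_V_ERR_CERT_HAS_EXPIRED.
IGNORE_OPTS = ("ca-ignore-err", "crt-ignore-err")

# Constructed sample: the "Actual Results" frontend from the report above.
SAMPLE_CFG = """\
frontend https from haproxytech
  mode http
  bind 0.0.0.0:443 name v4 crt /etc/haproxy/certs/frontend ca-file /etc/haproxy/certs/ca/.pem ssl verify optional ca-ignore-err 10 crt-ignore-err 10 alpn h2,http/1.1
  bind 0.0.0.0:443 name v4 crt-ignore-err 10
"""

def parse_binds(cfg):
    """Return {frontend: [(address, name, options), ...]} for every bind line."""
    binds, section = defaultdict(list), None
    for raw in cfg.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] in SECTIONS:
            # Only frontend/listen sections own bind lines.
            owns = tokens[0] in ("frontend", "listen") and len(tokens) > 1
            section = tokens[1] if owns else None
        elif section and tokens[0] == "bind" and len(tokens) > 1:
            opts = tokens[2:]
            name = opts[opts.index("name") + 1] if "name" in opts[:-1] else None
            binds[section].append((tokens[1], name, opts))
    return binds

def audit(cfg):
    """Flag ignored verify errors, such options on non-ssl binds, and duplicate binds."""
    findings = []
    for fe, entries in parse_binds(cfg).items():
        seen = defaultdict(int)
        for addr, name, opts in entries:
            seen[(addr, name)] += 1
            used = [o for o in IGNORE_OPTS if o in opts[:-1]]
            findings += [(fe, addr, f"{o} {opts[opts.index(o) + 1]}") for o in used]
            if used and "ssl" not in opts:
                findings.append((fe, addr, f"{used[0]} on a bind without ssl"))
        findings += [(fe, a, f"duplicate bind name={n} x{c}")
                     for (a, n), c in seen.items() if c > 1]
    return findings
```

Calling `audit()` on the rendered configuration after each Frontend CR change shows whether the option landed on the existing TLS bind or produced a second listener.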