Nico Schottelius 2021-10-29 09:56:58 +02:00
parent c64a075e4e
commit 5f56430222
6 changed files with 19 additions and 115 deletions


@ -1,16 +0,0 @@
## Objective
Deploy a proxy to the kubernetes cluster that handles
IPv4-to-IPv6 translations as follows:
```
Outside k8s:
[ IPv4-Address ] ---- [ SIIT NAT64 mapping ]
|
|
|
Inside k8s: [ haproxy container ]
|
|
[ abc.namespacex.svc.clusterdomain ]


@ -1,36 +0,0 @@
global
log stdout format raw local0
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
resolvers mydns
parse-resolv-conf
defaults
retries 3
log global
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
frontend f_https
bind ipv6@:6443
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
tcp-request content reject unless { req_ssl_sni -i k8s.ooo }
tcp-request content do-resolve(txn.myip,mydns,ipv6) req_ssl_sni,lower
default_backend b_https
backend b_https
mode tcp
tcp-request content set-dst var(txn.myip)
server tcp_https ipv6@*


@ -1,63 +0,0 @@
global
log stdout format raw local0
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
resolvers mydns
parse-resolv-conf
timeout retry 1s
hold valid 30s
hold nx 3s
hold other 3s
hold obsolete 0s
accepted_payload_size 8192
defaults
retries 3
log global
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
frontend f_http
bind ipv6@:80
mode http
http-request do-resolve(txn.myip,mydns,ipv6) hdr(Host),lower
# if DNS resolving did not work
# use_backend b_503 unless { var(txn.myip) -m found }
default_backend b_http
backend b_http
mode http
http-request deny unless { hdr(host) -i c2.k8s.ooo }
http-request set-dst var(txn.myip)
server http ipv6@*
# # HTTPs
frontend f_https
bind ipv6@:443
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
tcp-request deny unless { req_ssl_sni -i k8s.ooo }
tcp-request content do-resolve(txn.myip,mydns,ipv6) req_ssl_sni,lower
default_backend b_https
backend b_https
mode tcp
tcp-request content set-dst var(txn.myip)
server tcp_https ipv6@*
# tcp-request connection deny unless { hdr(host) -i c2.k8s.ooo }
# use_backend b_503 unless { var(txn.myip) -m found }


@ -7,5 +7,9 @@ letsencryptStaging: "yes"
identifier: "{{ .Release.Name }}" identifier: "{{ .Release.Name }}"
fqdn: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" fqdn: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
storage:
data:
size: 1Gi
datasizeingb: 1 datasizeingb: 1
dbsizeingb: 0.5 dbsizeingb: 0.5
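Review bot: The new `storage` / `data` / `size: 1Gi` entry sits next to the existing `datasizeingb: 1`, so the values file now appears to state the data volume size twice in two different notations. The templates that read these keys are not visible in this section, so which key is authoritative is unclear from here. I would add a comment above the new key, for example `# storage.data.size replaces datasizeingb once the templates are migrated`, or remove the key that is no longer read so the two cannot drift apart.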


@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: haproxy2-sleep
spec:
containers:
- name: haproxy
image: haproxy:2.4.7-alpine
args:
- sleep
- "1000000"
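Review bot: The `haproxy2-sleep` Pod spec sets no `securityContext` and does not turn off the service-account token mount, which is more access than a container that only runs `sleep` needs. Under `spec` I would add `automountServiceAccountToken: false`, and on the container `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}}`, keeping `NET_BIND_SERVICE` only if haproxy is started by hand on a low port. The manifest also has no `metadata.namespace` and no `resources` limits, so it runs in whatever namespace the applying context selects. A leading comment such as `# debug pod: delete after troubleshooting` would record its temporary purpose, which is inferred here from the name and the sleep arguments.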

4
image-building.md Normal file

@ -0,0 +1,4 @@
## WIP
* Maybe kaniko
* also checking out buildkit daemon-less