Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Updating HAProxy Configurations in OpenShift

DZone's Guide to

Updating HAProxy Configurations in OpenShift

A quick tutorial on how to fine tune the OpenShift router to make it more secure.

· Security Zone
Free Resource

Address your unique security needs at every stage of the software development life cycle. Brought to you in partnership with Synopsys.

For security reason we need to tune up the OpenShift router. OpenShift router uses the HAProxy. HAProxy has this settings:

acl network_allowed src 20.30.40.50 20.30.40.40
http-request deny if !network_allowed

If there would be any possibility to update the HAProxy configuration it should be working. But how to update the configuration?

The solution is to update the Docker image with the router.

Download the OpenShift proxy from https://github.com/openshift/origin/tree/master/images/router/haproxy and update file conf/haproxy-config.template like this (find the section backend and add those 4 lines):

backend be_edge_http_{{$cfgIdx}}
...
  {{ if (index $cfg.Annotations "rohlik.cz/acl") }}
        acl network_allowed src {{ index $cfg.Annotations "rohlik.cz/acl" }}
        http-request deny if !network_allowed
  {{ end }}  
...

After updating the file you have to build docker image and update the router definition. 

docker build -t rohlik-haproxy:v1.3.1 .

And update the router definition (dc/router in namespace default):

spec:
  strategy:
    type: Rolling
    rollingParams:
      updatePeriodSeconds: 1
      intervalSeconds: 1
      timeoutSeconds: 600
      maxUnavailable: 25%
      maxSurge: 0
      updatePercent: -25
    resources:
  triggers:
    -
      type: ConfigChange
  replicas: 1
  test: false
  selector:
    router: router
  template:
    metadata:
      creationTimestamp: null
      labels:
        router: router
    spec:
      volumes:
        -
          name: server-certificate
          secret:
            secretName: router-certs
      containers:
        -
          name: router
          image: 'rohlik-haproxy:v1.3.1'

Now you are able to use the annotations section in your route definition:

apiVersion: v1
kind: Route
metadata:
  name: rohlik
  namespace: rohlik
  selfLink: /oapi/v1/namespaces/rohlik/routes/rohlik
  labels:
    app: rohlik
  annotations:
    rohlik.cz/acl: 22.22.22.22

Finished :) I hope this article helps you.

Find out how Synopsys can help you build security and quality into your SDLC and supply chain. We offer application testing and remediation expertise, guidance for structuring a software security initiative, training, and professional services for a proactive approach to application security.

Topics:
haproxy ,openshift origin ,acl ,security

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}