Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Updating HAProxy Configurations in OpenShift

DZone's Guide to

Updating HAProxy Configurations in OpenShift

A quick tutorial on how to fine tune the OpenShift router to make it more secure.

· Security Zone
Free Resource

Discover how to protect your applications from known and unknown vulnerabilities.

For security reason we need to tune up the OpenShift router. OpenShift router uses the HAProxy. HAProxy has this settings:

acl network_allowed src 20.30.40.50 20.30.40.40
http-request deny if !network_allowed

If there would be any possibility to update the HAProxy configuration it should be working. But how to update the configuration?

The solution is to update the Docker image with the router.

Download the OpenShift proxy from https://github.com/openshift/origin/tree/master/images/router/haproxy and update file conf/haproxy-config.template like this (find the section backend and add those 4 lines):

backend be_edge_http_{{$cfgIdx}}
...
  {{ if (index $cfg.Annotations "rohlik.cz/acl") }}
        acl network_allowed src {{ index $cfg.Annotations "rohlik.cz/acl" }}
        http-request deny if !network_allowed
  {{ end }}  
...

After updating the file you have to build docker image and update the router definition. 

docker build -t rohlik-haproxy:v1.3.1 .

And update the router definition (dc/router in namespace default):

spec:
  strategy:
    type: Rolling
    rollingParams:
      updatePeriodSeconds: 1
      intervalSeconds: 1
      timeoutSeconds: 600
      maxUnavailable: 25%
      maxSurge: 0
      updatePercent: -25
    resources:
  triggers:
    -
      type: ConfigChange
  replicas: 1
  test: false
  selector:
    router: router
  template:
    metadata:
      creationTimestamp: null
      labels:
        router: router
    spec:
      volumes:
        -
          name: server-certificate
          secret:
            secretName: router-certs
      containers:
        -
          name: router
          image: 'rohlik-haproxy:v1.3.1'

Now you are able to use the annotations section in your route definition:

apiVersion: v1
kind: Route
metadata:
  name: rohlik
  namespace: rohlik
  selfLink: /oapi/v1/namespaces/rohlik/routes/rohlik
  labels:
    app: rohlik
  annotations:
    rohlik.cz/acl: 22.22.22.22

Finished :) I hope this article helps you.

Find out how Waratek’s award-winning virtualization platform can improve your web application security, development and operations without false positives, code changes or slowing your application.

Topics:
haproxy ,openshift origin ,acl ,security

Opinions expressed by DZone contributors are their own.

THE DZONE NEWSLETTER

Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

X

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}