jcmoraisjr / haproxy-ingress

HAProxy Ingress

Home Page: https://haproxy-ingress.github.io


Support for lua-Scripts

dhermanns opened this issue · comments

What are you trying to do

Using lua-Scripts to read the SAN out of a client certificate.
Is there documentation on how to configure/mount lua-Scripts as files or ConfigMaps?

What HAProxy Ingress should do or how it should behave differently

An example of how to configure own lua-Scripts would be helpful.

Hi, you'll probably need to create your Lua script (see here), mount it into the controller's file system (see here), and add it in your haproxy configuration (see here).

Thanks for your hints. That helps a lot!

I already tried to add my scripts to the config-frontend snippet as an annotation to the ingress yaml, but haproxy ingress doesn't seem to pick it up. In your haproxy-ingress pod logs I noticed that it doesn't notice a configuration change at all. It noticed that the yaml had changed, but doesn't seem to pick up the annotation.

The second part I'm struggling with is adding a lua module. Is that a possibility, too?

So maybe a small example in the documentation could help here.

I ended up creating my own haproxy-ingress image subclassing yours. This way I was able to add the luaossl module to the base image:

FROM quay.io/jcmoraisjr/haproxy-ingress:v0.14.3

RUN apk --no-cache add build-base \
        && apk --no-cache add curl \
        && apk --no-cache add wget \
        && apk --no-cache add openssl \
        && apk --no-cache add openssl-dev \
        && apk --no-cache add lua-dev \
        && apk --no-cache add lua5.3-dev \
        && apk --no-cache add luarocks \
        && luarocks-5.3 install luaossl

ENTRYPOINT ["/usr/bin/dumb-init", "--", "/start.sh"]

Seems like a hack, so it would be nice to have a better way to add lua functionality. The second problem, why config-frontend doesn't seem to be picked up, was documented here:
https://haproxy-ingress.github.io/docs/configuration/keys/#ingressclass

Note
Even though a ConfigMap is used, configuration keys of the Global scope cannot be used and will be ignored.

Totally missed that one. So I overwrote the haproxy-ingress config map by patching this into it:

apiVersion: v1
data:
  config-defaults: |
    option httplog
  config-frontend: |
     ... your code here....
  config-global: |
    lua-load /etc/lua/hello.lua
    lua-load /etc/lua/extractNewUserId.lua
kind: ConfigMap
metadata:
  name: haproxy-ingress
  namespace: ingress-controller

Would be very nice to have a comprehensive example for this in your docs.
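For the use case that opened this issue (reading the SAN out of a client certificate), a script of the following shape could be loaded through `config-global`. This is an added example, not part of the thread and not code from the haproxy-ingress project. The file name `client_san.lua`, the fetch name `client_san` and the header `X-Client-SAN` are hypothetical, and it assumes luaossl is installed as in the image above and that the frontend verifies client certificates.

```lua
-- /etc/lua/client_san.lua (hypothetical name). Load it from config-global:
--   lua-load /etc/lua/client_san.lua
-- and use it from a frontend snippet such as config-frontend:
--   http-request set-header X-Client-SAN %[lua.client_san]
-- set-header replaces any X-Client-SAN value sent by the client, so the
-- backend only ever sees the value derived from the TLS handshake.
local x509 = require("openssl.x509")  -- provided by luaossl

-- SAN types to export; every other type is ignored.
local WANTED = { DNS = true, URI = true, email = true }

-- Parse a DER-encoded certificate and return its SANs as "type:value" strings.
-- Returns an empty table for missing input, unparsable DER, or no SAN extension.
local function san_list(der)
  if type(der) ~= "string" or #der == 0 then return {} end
  local ok, cert = pcall(x509.new, der, "DER")
  if not ok or not cert then return {} end
  local ok_alt, alt = pcall(cert.getSubjectAlt, cert)
  if not ok_alt or not alt then return {} end
  local out = {}
  -- luaossl's altname object iterates as (type, value) pairs.
  for kind, value in pairs(alt) do
    if WANTED[kind] then
      -- Strip control characters so a crafted SAN cannot inject header lines.
      local clean = tostring(value):gsub("%c", "")
      out[#out + 1] = kind .. ":" .. clean
    end
  end
  return out
end

-- Sample fetch, exposed to the HAProxy configuration as lua.client_san.
core.register_fetches("client_san", function(txn)
  -- ssl_c_verify is 0 only when certificate verification reported no error;
  -- it is nil on a non-TLS connection. Export nothing in any other case.
  if txn.f:ssl_c_verify() ~= 0 then return "" end
  return table.concat(san_list(txn.f:ssl_c_der()), ",")
end)
```

The fetch returns an empty string when no verified client certificate is present, so the backend should treat an empty `X-Client-SAN` as unauthenticated.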

This issue got stale and will be closed in 7 days.