HAProxy Ingress Controller
- Updated on 12 Jun 2024
An ingress controller gives you a way to route external traffic into your Kubernetes cluster. HAProxy Ingress Controller requires a running Kubernetes deployment. Traceable integrates with your existing HAProxy Ingress Controller deployment to monitor the API traffic in your environment. The following diagram captures the high-level deployment of Traceable with your HAProxy Ingress Controller.
Before you begin
Make a note of the following points before starting the installation and configuration:
- The deployment of HAProxy Ingress Controller is only for Kubernetes environments.
- The deployment assumes that your HAProxy Ingress Controller is based on the Helm charts available on GitHub.
- HAProxy version 2.4 and later is supported. If you are using a HAProxy version earlier than 2.4, response capture is not supported.
- Make sure that port number 5444 is available.
Download
Depending on how you choose to install the Platform agent in your Kubernetes environment (for example, using Helm or Terraform), follow the instructions in the Kubernetes section.
Install agent
Complete the following steps to install Traceable's agent. The installation process injects the tme (traceable module extension) container into your HAProxy Ingress Controller pod. A traceable-haproxy-init container is also injected as shown in the deployment diagram above.
- Install Traceable's platform agent as outlined in the installation topic.
- Label namespace - Enter the following command to label the HAProxy Ingress Controller namespace:
```
kubectl label namespace <namespace-name> traceableai-inject-tme=enabled
```
- Restart - Restart your HAProxy Ingress Controller deployment. Enter the following command:
```
kubectl rollout restart deployment <deployment name> -n <namespace-name>
```
- Verify - Verify that the number of containers increased by one and all are successfully running.
Configuration
You can skip configuration if you are using the out-of-the-box HAProxy Ingress Controller Helm chart with the default image. However, if you wish, you can modify the configuration by editing the values.yml file. The component to configure is the injector component.
```
injector:
  # Other injector config skipped
  # ...
  haproxy:
    # imageVersion defaults to the TPA's version
    imageVersion:
    initContainerResources:
      limits:
        cpu: 200m
        memory: 128Mi
      requests:
        cpu: 20m
        memory: 64Mi
    # The injected tme port the HAProxy Ingress Controller connects to
    port: 5444
    # In case you need to do some custom matching on the pod to inject to.
    matchSelectors: []
```
Traceable uses the image name of the container spec to identify the running HAProxy Ingress Controller and automatically injects tme. The default image name in the Helm chart is haproxytech/kubernetes-ingress. Traceable checks whether the container's image name contains this default name. If it does not, you need to add an annotation to the deployment so that injection takes place. Enter the following command:
```
kubectl patch deployment.apps/<deployment name> -p '{"spec": {"template": {"metadata": {"annotations": {"haproxy.traceable.ai/inject": "true"}}}}}' -n <namespace name>
```
Verification
Make a note of the following to verify a successful deployment:
- Check that the number of containers is n+1 from the ones defined in your HAProxy Ingress Controller templates. The extra container should have the name tme.
- Check that the HAProxy Ingress Controller's container logs are free of errors.
Here's a sample. Even though you see `backend 'traceable' has no server available!`, you should eventually see `Server traceable/agent is UP, reason: Layer7 check passed`:
```
2022/02/23 19:59:37 ConfigMap: haproxy-controller/haproxy-kubernetes-ingress
2022/02/23 19:59:37 Ingress class:
2022/02/23 19:59:37 Empty Ingress class: false
2022/02/23 19:59:37 Publish service:
2022/02/23 19:59:37 Default backend service: haproxy-controller/haproxy-kubernetes-ingress-default-backend
2022/02/23 19:59:37 Default ssl certificate:
2022/02/23 19:59:37 Frontend HTTP listening on: 0.0.0.0:80
2022/02/23 19:59:37 Frontend HTTPS listening on: 0.0.0.0:443
2022/02/23 19:59:37 Controller sync period: 5s
2022/02/23 19:59:37 Running on haproxy-kubernetes-ingress-6bccf7dc75-swj77
[WARNING] (235) : Server traceable/agent is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
[NOTICE] (235) : haproxy version is 2.4.12-4b7772e
[ALERT] (235) : backend 'traceable' has no server available!
2022/02/23 19:59:37 haproxy.go:36 Running with HAProxy version 2.4.12-4b7772e 2022/01/11 - https://haproxy.org/
2022/02/23 19:59:37 haproxy.go:50 Starting HAProxy with /etc/haproxy/haproxy.cfg
2022/02/23 19:59:37 controller.go:116 Running on Kubernetes version: v1.22.5 linux/amd64
2022/02/23 19:59:37 INFO crmanager.go:75 Global CR defined in API core.haproxy.org
2022/02/23 19:59:37 INFO crmanager.go:75 Defaults CR defined in API core.haproxy.org
2022/02/23 19:59:37 INFO crmanager.go:75 Backend CR defined in API core.haproxy.org
[WARNING] (235) : Server traceable/agent is UP, reason: Layer7 check passed, code: 0, check duration: 0ms. 1 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
2022/02/23 19:59:42 INFO monitor.go:260 Auxiliary HAProxy config '/etc/haproxy/haproxy-aux.cfg' updated
2022/02/23 19:59:42 INFO controller.go:205 HAProxy restarted
[WARNING] (209) : Exiting Master process...
[NOTICE] (209) : haproxy version is 2.4.12-4b7772e
[ALERT] (209) : Current worker #1 (235) exited with code 143 (Terminated)
[WARNING] (209) : All workers exited. Exiting... (0)
[WARNING] (257) : config: Can't get version of the global server state file '/var/state/haproxy/global'.
[NOTICE] (257) : New worker #1 (260) forked
```
- Send traffic to the Ingress Controller and confirm that it appears in the Traceable platform.
Troubleshooting
- Verify that the Traceable platform agent is up and running.
- Check whether the correct Traceable token is used. To use a fresh Traceable token, on the Traceable platform, navigate to Settings > Account > Agent Token.
- In the Traces section of the Traceable platform, check whether you are getting live spans.
- Check whether the namespace is labeled correctly.
- If your image name is different from the default and does not contain the substring haproxytech/kubernetes-ingress, add the annotation haproxy.traceable.ai/inject=true to the deployment using kubectl patch.
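The log check from Verification and the injection conditions from Troubleshooting, as an added shell example that is not Traceable's own tooling. The function names are hypothetical, the sample values are constructed, and the injection rule (namespace label enabled, then image substring or annotation) is this page's description read as a decision.

```shell
#!/bin/sh
# Added example, not Traceable tooling. Function names are hypothetical.

# Reads controller container logs on stdin and prints the LAST health-check
# state of the injected backend server traceable/agent: UP, DOWN or UNKNOWN.
# An early DOWN / "no server available" is expected while tme is starting.
tme_backend_state() {
  awk '
    /Server traceable\/agent is UP/   { s = "UP" }
    /Server traceable\/agent is DOWN/ { s = "DOWN" }
    END { print (s == "" ? "UNKNOWN" : s) }'
}

# Reports whether injection should happen, from three values read with kubectl:
#   $1 value of the namespace label traceableai-inject-tme
#   $2 container image(s) in the deployment's pod template
#   $3 value of the pod-template annotation haproxy.traceable.ai/inject
injection_status() {
  if [ "$1" != "enabled" ]; then
    echo "no: namespace label traceableai-inject-tme is not 'enabled'"
    return 1
  fi
  case "$2" in
    *haproxytech/kubernetes-ingress*)
      echo "yes: image name contains haproxytech/kubernetes-ingress"
      return 0 ;;
  esac
  if [ "$3" = "true" ]; then
    echo "yes: annotation haproxy.traceable.ai/inject=true is set"
    return 0
  fi
  echo "no: custom image and no haproxy.traceable.ai/inject annotation"
  return 1
}

# Constructed sample: three lines shortened from the log shown on this page.
sample_log() {
  cat <<'EOF'
[WARNING] (235) : Server traceable/agent is DOWN, reason: Layer4 connection problem, info: "Connection refused"
[ALERT] (235) : backend 'traceable' has no server available!
[WARNING] (235) : Server traceable/agent is UP, reason: Layer7 check passed, code: 0, check duration: 0ms.
EOF
}

sample_log | tme_backend_state
# Constructed image name for a custom build without the annotation.
injection_status enabled "registry.example/custom-ingress:TAG" "" || true
```

On a live cluster, pipe `kubectl logs` for the controller container into `tme_backend_state`, and read the three inputs of `injection_status` with `kubectl get namespace` and `kubectl get deployment` using `-o jsonpath`.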
Upgrade
Complete the following steps to upgrade the Traceable agent:
- Upgrade the Traceable platform agent using the Kubernetes method.
- Restart your HAProxy Ingress Controller deployment using the following command:
```
kubectl rollout restart deployment <deployment name> -n <namespace-name>
```
Uninstall
Injection of the Traceable agent for HAProxy differs from other deployments: it modifies the config map as well as the deployment, whereas the others modify only the deployment. When uninstalling the agent, it is therefore important to redeploy all your resources and not just restart the deployment. Remove the namespace label by entering the following command, and then redeploy all your resources:
```
kubectl label namespace <namespace-name> traceableai-inject-tme-
```