HAProxy Ingress Controller

An ingress controller gives you a way to route external traffic into your Kubernetes cluster. HAProxy Ingress Controller requires a running Kubernetes deployment. Traceable integrates with your existing HAProxy Ingress Controller deployment to monitor the API traffic in your environment. The following diagram captures the high-level deployment of Traceable with your HAProxy Ingress Controller.

Before you begin

Make a note of the following points before starting the installation and configuration:

• The deployment of HAProxy Ingress Controller is only for Kubernetes environments.
• The deployment assumes that your HAProxy Ingress Controller is based on the helm charts available in Github.
• HAProxy version 2.4 and later is supported. If you are using HAProxy version earlier than 2.4, then response capture is not supported. 
• Make sure that port number 5444 is available.

Download

Based on your choice to install the Platform agent in Kubernetes environment, for example, using Helm or Terraform, follow the instructions mentioned in the Kubernetes section. 

Install agent

Complete the following steps to install Traceable's agent. The installation process injects tme (traceable module extension) container into your HAProxy Ingress Controller pod. A traceable-haproxy-init container is also injected as shown in the deployment diagram above.

1. Install Traceable's platform agent as outlined in the installation topic.
2. Label namespace -Enter the following command to label the HAProxy Ingress Controller namespace:
   ActionScript

   kubectl label namespace <namespace-name> traceableai-inject-tme=enabled

3. Restart - Restart your HAProxy Ingress Controller deployment. Enter the following command:
   ActionScript

   kubectl rollout restart deployment <deployment name> -n <namespace-name>

4. Verify - Verify that the number of containers increased by one and all are successfully running.

Configuration

You can skip configuration if you are using out-of-the-box HAProxy Ingress Controller helm chart and you are using the default image as well. However, if you wish, you can modify the configuration by editing the values.yml file. The component to configure is the injector component.

injector:
  # Other injector config skipped
  # ...
  haproxy:
    # imageVersion defaults to the TPA's version
    imageVersion:
    initContainerResources:
      limits:
        cpu: 200m
        memory: 128Mi
      requests:
        cpu: 20m
        memory: 64Mi
    # The injected tme port the HAProxy Ingress Controller connects to
    port: 5444
    # In case you need to do some custom matching on the pod to inject to.
    matchSelectors: []

Traceable uses the image name of the container spec to identify the running HAProxy Ingress Controller and automatically injects tme. The default image name in the helm chart is haproxytech/kubernetes-ingress. Traceable checks if the image name contains this image name. If it is different, then in order to inject, you will need to specify an annotation patch on the deployment. Enter the following command:

kubectl patch deployment.apps/<deployment name> -p '{"spec": {"template": {"metadata": {"annotations": {"haproxy.traceable.ai/inject": "true"}}}}}' -n <namespace name>

Verification

Make a note of the following to verify a successful deployment:

• Check that the number of containers is n+1 from the ones defined in your HAProxy Ingress Controller templates. The extra container should have tme name.
• Check that the HAProxy Ingress Controller’s container logs are free of errors.
 Here's a sample. Even though you see `backend 'traceable' has no server available!`, you should eventually see `Server traceable/agent is UP, reason: Layer7 check passed`
  ActionScript

  2022/02/23 19:59:37 ConfigMap: haproxy-controller/haproxy-kubernetes-ingress
  2022/02/23 19:59:37 Ingress class: 
  2022/02/23 19:59:37 Empty Ingress class: false
  2022/02/23 19:59:37 Publish service: 
  2022/02/23 19:59:37 Default backend service: haproxy-controller/haproxy-kubernetes-ingress-default-backend
  2022/02/23 19:59:37 Default ssl certificate: 
  2022/02/23 19:59:37 Frontend HTTP listening on: 0.0.0.0:80
  2022/02/23 19:59:37 Frontend HTTPS listening on: 0.0.0.0:443
  2022/02/23 19:59:37 Controller sync period: 5s
  
  2022/02/23 19:59:37 Running on haproxy-kubernetes-ingress-6bccf7dc75-swj77
  [WARNING]  (235) : Server traceable/agent is DOWN, reason: Layer4 connection problem, info: "Connection refused", check duration: 0ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
  [NOTICE]   (235) : haproxy version is 2.4.12-4b7772e
  [ALERT]    (235) : backend 'traceable' has no server available!
  2022/02/23 19:59:37 haproxy.go:36 Running with HAProxy version 2.4.12-4b7772e 2022/01/11 - https://haproxy.org/
  2022/02/23 19:59:37 haproxy.go:50 Starting HAProxy with /etc/haproxy/haproxy.cfg 
  2022/02/23 19:59:37 controller.go:116 Running on Kubernetes version: v1.22.5 linux/amd64
  2022/02/23 19:59:37 INFO    crmanager.go:75 Global CR defined in API core.haproxy.org
  2022/02/23 19:59:37 INFO    crmanager.go:75 Defaults CR defined in API core.haproxy.org
  2022/02/23 19:59:37 INFO    crmanager.go:75 Backend CR defined in API core.haproxy.org
  [WARNING]  (235) : Server traceable/agent is UP, reason: Layer7 check passed, code: 0, check duration: 0ms. 1 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
  2022/02/23 19:59:42 INFO    monitor.go:260 Auxiliary HAProxy config '/etc/haproxy/haproxy-aux.cfg' updated
  2022/02/23 19:59:42 INFO    controller.go:205 HAProxy restarted
  [WARNING]  (209) : Exiting Master process...
  [NOTICE]   (209) : haproxy version is 2.4.12-4b7772e
  [ALERT]    (209) : Current worker #1 (235) exited with code 143 (Terminated)
  [WARNING]  (209) : All workers exited. Exiting... (0)
  [WARNING]  (257) : config: Can't get version of the global server state file '/var/state/haproxy/global'.
  [NOTICE]   (257) : New worker #1 (260) forked

• Send traffic to the Ingress Controller and see whether you can see it in the Traceable platform.

Troubleshooting

• Verify that the Traceable platform agent is up and running. 
• Check whether correct Traceable token is used. To use a fresh Traceable token, on Traceable platform, navigate to Administration () > Account > Agent Token.
• In the Traces section of the Traceable platform, check whether you are getting live spans. 
• Check whether the namespace is labeled correctly. 
• If your image name is different from the default and does not contain the substring haproxytech/kubernetes-ingress, add the annotation haproxy.traceable.ai/inject=true to the deployment using kubectl patch

Upgrade

Complete the following steps to upgrade the Traceable agent:

1. Upgrade the Traceable platform agent using the Kubernetes method.
2. Restart your HAProxy Ingress Controller deployment using the following command:
   ActionScript

   kubectl rollout restart deployment <deployment name> -n <namespace-name>

Uninstall

The injection of Traceable agent for HAProxy is different than other deployments. The injection modifies the config map as well unlike the others which modify only the deployment. So when uninstalling the agent, it is important to redeploy all your resources and not just restart the deployment. Remove the namespace label by entering the following command and then redeploy all your resources:

kubectl label namespace <namespace-name> traceableai-inject-tme-