Correctly configure HAProxy to check HTTPS on a TCP frontend

If you use the `ssl` option instead of `check-ssl`, then HAProxy will attempt to add its own TLS encryption on top of the TCP forwarding instead of merely letting it pass through. Fortunately, you can use `check-ssl` instead of `ssl`, to tell it only to use SSL on the HTTP check, not on the main load balancing.
mlibrary · Jan 26, 2024 · 5588a78 · 5588a78
1 parent 8067f9b
commit 5588a78
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/manifests/profile/kubernetes/destination_port/api.pp b/manifests/profile/kubernetes/destination_port/api.pp
@@ -8,7 +8,7 @@
   @@concat_fragment { "haproxy kubernetes api ${::hostname}":
     target  => '/etc/haproxy/services.d/api.cfg',
     order   => '02',
-    content => "  server ${::hostname} ${::ipaddress}:6443 check ssl verify none\n",
+    content => "  server ${::hostname} ${::ipaddress}:6443 check check-ssl verify none\n",
     tag     => "${cluster_name}_haproxy_kubernetes_api",
   }
 }
diff --git a/spec/classes/profile/kubernetes/destination_port_spec.rb b/spec/classes/profile/kubernetes/destination_port_spec.rb
@@ -6,7 +6,7 @@
 require 'spec_helper'
 
 [
-  ['api',        6443, 'check ssl verify none'],
+  ['api',        6443, 'check check-ssl verify none'],
   ['etcd',       2379, 'check'],
   ['http',      30080, 'check send-proxy'],
   ['https',     30443, 'check send-proxy'],